CA Clues Nikhil Gupta - students of ca and cs

CA Clues
Nikhil Gupta

CHAPTER 1: INFORMATION SYSTEMS CONCEPTS

◙ System: A system means a set of interrelated elements that operate collectively to accomplish some common objective. It takes input from its environment and returns output again to the environment. Thus a general system can be shown as:

Input → Process X → Output

A system can have multiple inputs and outputs, as shown below:

Input A, Input B, Input C → Process Y → Output P, Output Q

The general model of a computer system can also be represented as follows:

Input → Processing → Output, with Storage attached to the processing stage and Feedback flowing from the output back to the input.

◙ General classification of system:

Types of system: We can distinguish systems on the basis of the following parameters:
(i) Elements: Physical or Abstract
(ii) Interactive behavior: Open or Closed
(iii) Degree of human intervention: Manual or Automated
(iv) Working/Output: Deterministic or Probabilistic

I. Classification of system based on "Elements"

Physical system
- Physical systems are those systems which can be seen and touched.
- Eg: transport system, computer system, accounting system, business system etc.
- Generally the various systems we see around us are all physical systems.
- We use and interact with these systems in day-to-day life to get some benefit from them.
- They can be of any magnitude and serve different purposes.

Abstract system
- Abstract systems are those systems which cannot be seen and touched, but can only be visualized by our mind.
- Eg: system of religious beliefs, theology.
- Note: Diagrams and flowcharts of a physical system are also an abstract view of that physical system.

II. Classification of system based on "Interactive behavior"

Open system
- Open systems are those systems which take input from their environment and return some output to the environment.
- Open systems have the property to change and adapt according to the environment. Thus they can be long lasting systems as compared to relatively closed systems.
- For example, a car manufacturer may change the design of the engine in order to comply with new emission norms.
- Eg: business system, marketing system, communication system etc.

Closed system
- Closed systems are those systems which do not interact with the environment and do not change according to the environment.
- Closed systems are rare, and even they cannot be 100% closed; they can only be relatively closed as compared to other systems.
- Eg of relatively closed systems are production system and computer system. A "use and throw" sealed digital watch is also an example of a closed system.

The three degrees of interaction can be summarized as follows:
- Closed system: no exchange with the environment; insulated from outside disturbances.
- Relatively closed system: controlled exchange with the environment; known and defined inputs and known and defined outputs.
- Open system: subject to known and unknown inputs and environmental disturbances; known and unknown inputs and threats, and outputs to the environment.

III. Classification of system based on "Human intervention"

Manual system
- Manual systems are those systems where data collection, manipulation, maintenance and final reporting are carried out by human effort.
- Eg: manual accounting system.

Automated system
- Automated systems are those systems where a computer system is used to carry out the entire task in the system. Human intervention is nil or very little.
- A system may also be partially automated. Even in the case of automated systems some manual intervention is always there, although it may be very little. As a system becomes more and more sophisticated, manual intervention is reduced, but in critical situations the system needs human decision making also. A man-machine interaction is always there.
- Eg of automated systems: auto-pilot aviation, software controlled processes, business ERP system.

IV. Classification of system based on "Working/Output"

Deterministic system
- Deterministic systems provide exact output.
- Deterministic systems are those systems which operate in a predictable manner and the behavior of the system is known with certainty.
- In a deterministic system, for a given set of inputs, the output can be known with certainty.
- Eg: accounting information system, communication system, computer system, production system etc.

Probabilistic system
- Probabilistic systems provide expected output.
- Probabilistic systems are those systems where there is some uncertainty about the outcome and behavior of the system, and it cannot be predicted with certainty.
- In a probabilistic system, for a given set of inputs, the output cannot be known with certainty.
- Research scientists work hard to make probabilistic systems move more and more towards a deterministic pattern.
- Eg: weather forecasting system, sales forecasting system, pricing system, inventory management system, marketing system etc.

◙ System Concepts:

- System environment: The external world which is outside the system boundary is known as the system environment.

- System boundary: Every system operates within some environment and is influenced by its environment. The system boundary separates the system from its surrounding environment.

- Subsystem: A system can have many smaller systems within it. These smaller systems forming part of a bigger system are called subsystems. A subsystem is a logical and somewhat independent component of a larger system. Each subsystem interacts with the system, and sometimes with other subsystems also, through an interface. For example, subsystems of the human body can be:
  • Circulatory system
  • Digestive system
  • Nervous system
  • Skeletal system

- Interface: The interconnections and interactions between the subsystems are termed interfaces.

- Supra system: A system immediately above a sub-system is known as the supra-system. A system is controlled by its supra-system.

- System entropy: Entropy is the quantitative measure of disorder in a system. Systems can run down and decay, or can become disordered or disorganized. Offsetting an increase in entropy requires inputs of matter and energy to repair, replenish and maintain the system. This maintenance input is termed Negative Entropy. Open systems require more negative entropy than relatively closed systems for keeping at a steady state.

- System Stress and System Change: A stress is a force transmitted by a system's supra-system on the sub-system that causes the sub-system to change, so that the supra-system can better achieve its goals. In trying to accommodate the stress, the sub-system may impose stress on its own sub-systems, and so on.

Characteristics of sub-systems:

i. Decomposition (Factoring): A complex system is difficult to understand. Thus, for the purpose of understanding the system, it can be divided into smaller units, i.e. subsystems. This is called decomposition or factoring of a system. It can be diagrammatically represented as follows:

System
- Subsystem A
  - A1
  - A2
    - A2-i
    - A2-ii
- Subsystem B
  - B1
  - B2
  - B3
- Subsystem C
  - C1
    - C1-i
    - C1-ii
  - C2

Now let us take an example of decomposition of an ERP system in a business organization. Here you can see that the whole ERP system consists of various modules (subsystems). Each module has its own sub-modules. For example, one of the modules is "Personnel and payroll" and it is further divided into seven sub-modules. Again, one of the sub-modules, "Hourly payroll processing", is further divided into four smaller components.

ERP System of a business
- Sales order processing
- Inventory
- Production
- Personnel and payroll
  - Master payroll record
  - Personnel reports
  - Payroll entry and validation
  - Hourly payroll processing
    - Calculation of gross pay / deductions / net pay
    - Preparation of payroll register and audit controls
    - Cheque printing
    - Payroll register and control output
  - Salaried payroll processing
  - Report for management
  - Report for government
- Purchasing
- Accounting and control
- Planning
- Environment intelligence

ii. Simplification: Simplification is defined as the process of organizing subsystems so as to reduce the number of interconnections between the sub-systems that are needed for communication among them. The number of interconnections required, if all the subsystems interact with each other, is n × (n-1) × (1/2), where n is the number of subsystems.

iii. Decoupling: In information system design, emphasis is placed on decoupling of sub-systems, so that each sub-system is as independent as possible. Thus, if the sub-systems are more decoupled or loosely coupled, it is easier to modify a sub-system without affecting the rest of the system. If two different subsystems are connected very tightly, very close coordination between them is required. For example, if the raw material is put directly into production the moment it arrives at the factory, the raw materials system can be said to be tightly coupled. Under these conditions, raw material delivery must be precisely timed in order to avoid delays in production or to prevent new material from arriving too soon with no place to be stored.

Decoupling mechanisms:

a) Inventories, buffers, or waiting lines: In the example of the raw material subsystem and the production subsystem, a raw material inventory allows the two subsystems to operate somewhat independently (in the short run). Data buffers are used in some computer systems and some communication systems to compensate for different rates of input and output of data.

b) Slack resources: Slack resources means extra resources beyond what is actually required. When the output of one subsystem is the input to another, the existence of slack resources allows the subsystems to be somewhat independent and yet allows each to respond to the demands of the other subsystem. For example, most data processing systems can provide an extra report or extra analysis because they have slack resources.

c) Standards: The use of standards can reduce the need for communication between subsystems. If, for example, the production department wishes to design a data processing module involving finished goods, and a standard product code is used throughout the organization, then there will be no need to communicate with other departments about the codes to be used.

________________________x________________________________x___________________

◙ Information: Information is data that has been arranged into a meaningful and useful context. Thus when data is compiled to give some significant output it becomes information. This information is further used by management for decision making. Thus the quality of a decision depends on the quality of the information used for taking that decision. Let us take an example to understand the relation between data and information. Data regarding sales by various salesmen can be merged to provide information regarding total sales or sales in a particular region. This is information which can be used by the marketing manager for his decision making. A data processing system processes data to generate information. This can be depicted by the following figure:

DATA → DATA PROCESSING → INFORMATION → DECISION MAKING

◙ Attributes (Characteristics) of information:

1. Availability: Information should be available when it is required. Delay in getting the information can make it useless for decision making.

2. Purpose: Without purpose any information is just data. Thus information is extracted from data when there is a valid reason for its requirement.

3. Mode and format: Information should be in such a mode and format that it is easily understandable by the user. For this purpose various tools like charts, diagrams, audio/visual clippings, slides etc. can be used. The user should not be burdened with a huge amount of information, since this will create difficulty in locating the relevant part in it.

4. Decay: Information decay refers to the time frame within which a particular piece of information becomes obsolete. The decay rate varies from information to information. For example, the market rate of shares during the trading period decays very fast, but EPS or DPS information takes a longer time to decay. If the decay rate is fast then the information needs to be refreshed at a faster rate.

5. Rate: Rate refers to the speed at which information is generated and transmitted.

6. Frequency: It refers to the rate per unit of time. E.g. a report may be generated twice in a month, or quarterly, i.e. four times in a year. Various reports are generated with different frequencies.

7. Completeness: Information is useful only when it is complete. Partial information is not of much use in decision making.

8. Reliability: The information should not only be correct but should also lead to correct decision making. Information which is correct and precise but does not lead to correct decision making is not reliable information.

9. Cost benefit analysis: For generating information, management has to incur cost also. The more precise and detailed the information you want, the more is the cost involved. This cost of generating information can be easily computed by using cost tracking tools. But the benefit of this information in terms of better decision making is difficult to quantify. Still, management should make an effort to see whether the cost involved for getting a piece of information justifies the benefit from that information. Thus the report requirements of management should be classified according to criticality, like very essential statements, essential statements, routine statements and extra statements.

10. Validity: It refers to the contextual quality of information, i.e. the suitability of a particular piece of information for a given purpose. For example, growth of a company can be measured in different terms according to different perspectives, like turnover, production capacity, net profit, number of customers, size of workforce, number of locations etc.

11. Quality: Quality refers to the correctness of information. Information is generated by processing data. Thus there can be various reasons which can affect the quality of information. If the data is wrong, incomplete or biased, or the data collection process is wrong, then the final information will be wrong.

12. Transparency: It refers to the clarity of the information for decision making. If the information does not directly help in decision making then it is not transparent. For example, in the case of receivables management, total debtors cannot give a fair idea about collection efficiency, but if the debtor turnover ratio or average collection period is included in the information then it becomes more transparent.

13. Value of information: A decision may be taken with the help of a particular piece of information and then a particular result (let us assume it to be benefit X) is achieved. If the decision is taken without that piece of information, then also some result (let us assume it to be benefit Y) is achieved. And that information also involves some cost (let us assume the cost of information to be cost C).

The value of information = Increase in benefit due to that particular information (benefit X – benefit Y) – Cost of getting that particular information (cost C)

◙ Types of Information:

I. Internal Information: Internal information is that information which has been generated within the organization by its various departments. Some examples are:
- Budgets
- Production figures
- Progress reports
- Sales figures
- Employee details
- Accounts receivable/payable

Middle level and lower level management use more internal information.

II. External Information: External information is collected from the external environment of the organization. Some examples are:
- Government policies
- Information about competitors
- Economic trends
- Technological changes
- Global business trends

Mainly top management uses such information, for unstructured decision making.

◙ Role of Information System in management: Effective use of information systems in management results in a great competitive edge for any organization. Various case studies have been conducted by researchers in organizations in which ERP has been installed, and the organizations have benefited from that ERP in several ways. Some of the important contributions of information systems are:
1. Effective decision making.
2. Competitive advantage.
3. Pooling of resources.
4. Enhanced operational efficiency.
5. Enhanced control environment.

◙ Factors on which the information requirements of executives depend: What kind of information is required by which executive depends upon his role in the organization, his decision making pattern and his level in the organizational hierarchy. The factors affecting the information requirements of executives are:
1. Operational functions
2. Type of decision making
3. Level of management

1. Operational functions: In any organization there are various operational functions (departments) like:
i. Production
ii. Finance
iii. Marketing
iv. Purchase
v. Material management etc.

Managers in different departments have different information needs. A production manager requires information in terms of physical quantities, while finance managers are more concerned with information in monetary terms.

2. Type of decision making:
i. Structured (Programmed)
ii. Unstructured (Non-programmed)
iii. Semi-structured

Structured decisions are those decisions which are repetitive in nature and have pre-defined rules to be followed. For example, issue of purchase orders, payment of bills etc. For such decisions routine information is sufficient, but it should be accurate.

Unstructured decisions are those decisions which are non-repetitive in nature and relate to new situations. For example, decisions involving response to a competitor's strategy, a change in government policy, setting up a new plant or launching a completely new product. For such decisions the information need can be of varied type, ranging from survey reports to various extrapolations.

Semi-structured decisions have features of both structured and unstructured decisions, and accordingly the information requirement is both routine and ad hoc in nature.

3. Level of management: In broader terms there can be the following three levels of management:
i. Top level management (Strategic level)
ii. Middle level management (Tactical level)
iii. Lower level management (Operational level)

Top level management has to take decisions which have far reaching effects, for example decisions about the organization's objectives, policies, mission and strategies. Thus these are unstructured and complex decisions, and much analysis and judgment goes into making them. For such decisions information is not readily available, and sometimes such decisions are taken with only partial information.

Middle level management has to execute and control the strategies framed by top level management. Such decisions are less complex and relatively structured in nature. For such decisions information is more easily available and has less uncertainty associated with it.

Lower level management is responsible for doing the assigned tasks. Thus decision making is structured here and precise information is used for such decisions.

____________________________x________________________________x_______________

Components of a Computer Based Information System: A Computer-based Information System (CBIS) is an information system in which the computer plays a major role. Such a system consists of the following elements:

1) Hardware: The term hardware refers to machinery, including the computer itself, which is often referred to as the Central Processing Unit (CPU), and all of its support equipment. Among the support equipment are input and output devices, storage devices, and communications devices like switches and routers.

2) Software: The term software refers to the computer programs and the manuals (if any) that support them. The software consists of the operating system and the application programs.

3) Data: Data are facts that are used by programs to produce useful information. Data are generally stored in machine-readable form on disk or tape until the computer needs them.

4) Procedures: Procedures are the policies that govern the operation of a computer system. For instance, the steps that must be taken to enter a password and log onto a computer terminal are a procedure. The actions needed to restore the computer system to its operational state after a major failure are another example of a procedure. Procedures often specify the actions that people should take in a step-by-step manner.

5) People: Every CBIS needs people if it is to be made useful. People are probably the component that influences the success or failure of information systems the most. Users, programmers, system analysts, and database administrators are just some of the people associated with computer-based information systems.

Characteristics of Computer Based Information Systems are as follows:
1) All systems work for predetermined objectives, and the system is designed and developed accordingly.
2) A system has a number of interrelated and interdependent subsystems or components. No subsystem can function in isolation; it depends on other subsystems for its inputs.
3) If one subsystem or component of a system fails, it may or may not result in whole system failure. It depends on how the subsystems are interrelated.
4) The way a subsystem works with another subsystem is called interaction. The different subsystems interact with each other to achieve the goal of the system.
5) The work done by individual subsystems is integrated to achieve the central goal of the system. The goal of an individual subsystem is of lower priority than the goal of the entire system.

Major areas of computer-based applications: Use of computers in business systems has become a necessity due to their cost-performance ratio. The implementation cost of an automated system is no doubt high, but this cost is recovered within a few years of working with the automated system. Many companies who implemented SAP for their ERP solution incurred a large cost on its implementation, but soon this cost was recovered in the form of savings in their operational cost. The major computer-based business modules are:

1. Finance and accounting: This subsystem is responsible for maintaining the financial viability of the business by using various control measures. The objective here is to use the available resources in a systematic manner to maximize the wealth of the organization. Budgets are made and monitored; deviations are noted and corrected. There can be various functions in this subsystem like:
- Financial accounting
- Receivable/payable management
- Accounting for assets
- Cash/treasury management

2. Marketing and sales: The objective of this subsystem is to maximize sales and ensure customer satisfaction. The marketing function ensures that the product information reaches the target audience and the company is able to create a new customer base, while the sales function is responsible for processing the sales orders. Some aspects like order tracking, customer service, warranties etc. are also covered in this function.

3. Production: Here the objective is to optimize man, machine and material in order to maximize production at reasonable cost. For this function various tasks are required to be done with high precision, like production planning, production control, material handling and logistics. Software tools like CAD and CAM (computer aided designing and computer aided management) are used in this process.

4. Inventory management: This aims at managing inventory and minimizing both carrying cost and ordering cost, as well as maintaining a regular supply of raw material to the production department. For this purpose the consumption rate of various input materials is studied and matched with the time required to procure them. This gives the various levels at which orders are triggered, and a judicious flow is maintained instead of storing huge stocks of material. Tools like ABC analysis for classification of material and XYZ analysis for fast/slow movement of material are used in this function.

5. Human resource management: It aims at utilization of the most important asset of an organization, i.e. manpower, in the best possible way, without any friction in the organization. Nowadays reduction in the attrition rate is also one of the most important objectives of this function. This function includes personnel administration, recruitment, salary/perquisites, promotion/motivation and other ancillary activities.

◙ Types of Information Systems:

INFORMATION SYSTEMS

Operations Support Systems
1) TPS: Transaction Processing Systems
2) MIS: Management Information Systems
3) ERP: Enterprise Resource Planning Systems

Management Support Systems
1) DSS: Decision Support Systems
2) EIS: Executive Information Systems
3) ES: Expert Systems

Office Automation Systems
1) Text Processing Systems
2) Electronic Document Management Systems
3) Electronic Message Communication Systems
4) Teleconferencing and Video-conferencing Systems

◙ Transaction Processing System (TPS):
• TPS is implemented at the operational level of management to process routine business transactions. It is the most fundamental business processing system.
• TPS is the base for further higher level information systems.
• TPS offers the means to rapidly process transactions to ensure the smooth flow of data and the progression of processes throughout the organization.
• In an organization there can be several types of transactions which are required to be punched into the system, for example sales transactions, purchase transactions, customer billing, inventory status etc.
• TPS may follow batch processing or on-line processing, depending on the suitability for a particular operation.

TPS involves the following activities:
i. Punching the transaction at the terminal
ii. Processing of the transaction by the software
iii. Generating reports
iv. Answering queries

TPS Components: (i) Inputs (ii) Processing (iii) Storage (iv) Output

Features of TPS:
(i) Large volume of data: TPS involves a large amount of data and data storage, since every transaction has to be processed and stored in it.
(ii) Automation of basic operations: TPS aims at automating the basic operations of an organization and plays a critical role in its day-to-day functioning.
(iii) Benefits are easily measurable: TPS reduces the workload of the people associated with the operations and improves their efficiency by automating some of the operations. Most of these benefits of the TPS are tangible and easily measurable. Therefore, cost benefit analysis regarding the desirability of a TPS is easy to conduct.
(iv) Source of input for other systems: TPS is the basic source of internal information for other information systems.

◙ Management Information System:

Definition:
• MIS is an integrated system of man and machine for providing information to management for decision making and control.
• MIS is a system designed to provide accurate, relevant and timely information to managers at different levels and in different functional areas throughout the organization for decision making purposes.
• Management Information Systems (MIS) is the term given to the discipline focused on the integration of computer systems with the aims and objectives of an organization.

MIS = Management + Information + Systems

Management: Management is the process of planning, organizing, initiating and controlling. Thus it is the set of functions and processes designed to initiate and coordinate group efforts for achieving certain goals.

Information: Information is data that has been arranged into a meaningful and useful context. This information is further used by management for decision making.

Systems: A system means a set of interrelated elements that operate collectively to accomplish some common objective. It takes input from its environment and returns output again to the environment.

Characteristics of an effective MIS:
1. Management oriented: MIS is meant for the use of management, so its focus should be to provide satisfaction to all levels of management, i.e. it should be management oriented.
2. Management directed: Management should take part in the implementation of MIS and in its continuous updating.
3. Integrated: MIS should be able to combine the information of each department so that comprehensive information can be generated for better decision making.
4. Common data flow: Wherever possible, common input, processing and output should be used to avoid duplication of data collection.
5. Heavy planning element: Long term planning is required before implementing MIS so that future needs can be assessed and scope can accordingly be made for such needs. In this way MIS will not become obsolete soon.
6. Sub-system concept: MIS should be modular so that implementation and maintenance can be done in a smooth manner without disrupting other activities.
7. Common database: MIS should have a common database so that all modules can access the same data in a hassle-free manner.
8. Computerized: It is possible to establish MIS without computers also, but it would be obsolete and ineffective. Thus MIS is effective only when it is integrated with computer systems.

Misconceptions about MIS:
1. MIS relates to computers only: MIS consists of several things integrated together, like computer hardware, software, human resources and various policies and procedures. Thus MIS is not confined to the study of computers only.
2. More data means more information: Managers don't want more data for good decision making; they want relevant data in an appropriate mode and format. Thus good reports are those which have concise information with greater transparency.
3. Reports should be highly accurate: The accuracy of information depends on the type of decision making. For operational decisions information should be accurate, but for strategic decisions information need not be highly precise. For example, the estimated cost of a new project can be expressed in terms of lakhs, since it is not necessary to know it in terms of precise rupees and paise.

Pre-requisites of an effective MIS:
1. Database: MIS requires storing of data in a database from which information is extracted as per requirement. Generally it is preferred to have a common database so that each sub-system uses the same database to satisfy its information needs. This way redundancy in data storage can be avoided.
2. Qualified staff: For an effective MIS there should be two categories of experts:
a. Computer experts who understand management, since MIS is designed by these computer experts for the use of management, and these experts can understand management needs only when they have some knowledge about the organization and management.
b. Management experts who understand computers, since management has to use this MIS, which is computer based.
3. Support of top management: Implementation of MIS in any organization is a strategic step which can only be carried out with the support of top management. Middle and lower management will not show willingness for new changes unless top management shows its interest in such activities.
4. Control and maintenance: MIS needs to be controlled against any deviations resulting from short-cuts being used by employees. Without proper control MIS will lose its effectiveness. Similarly, MIS requires maintenance in the form of constant updates and patches.
5. Evaluation of MIS: MIS needs continuous evaluation also, since a changing business environment creates the need for corresponding changes in the MIS. Moreover, evaluating the satisfaction of the end user is also important, because it is the end user for whom MIS is implemented.

Constraints (Limitations) in operating MIS:
1. Non-availability of experts who can identify the end users' needs and configure the system accordingly.
2. Problem in selecting the sub-system which should be implemented first in the whole scheme of MIS implementation.
3. Non-standardized approach in the implementation of MIS.
4. Non-cooperation from staff.
5. High turnover of MIS experts, since they are in great demand.
6. Difficulty in quantifying the benefits of MIS to compare with the cost of implementation, to justify the expenditure done on MIS.

CA Clues

Nikhil Gupta

Effects of using computers in MIS: Using computer systems in MIS gives the following advantages:
1. Fast processing and retrieval: With the use of computers in MIS the speed of data processing and retrieval has increased tremendously. This results in timely report generation and quick decision making.
2. Up-to-date information: With the use of computers in MIS the user gets up-to-date information for decision making.
3. In-depth analysis of data: With the use of computers more detailed analysis of business data can be done for better decision making.
4. Handling of more complex business operations: With the use of computers, more complex business operations such as logistics and production schedules can now be handled through MIS.
5. Integration of sub-systems: With the use of computers in MIS various sub-systems can now be integrated easily and a more comprehensive view can be generated for the use of top management.

Limitations of MIS:
1. Poor quality of input data in the MIS gives poor quality results.
2. MIS is not a substitute for effective management but only a helping tool in managing the organization.
3. Lack of flexibility can make the MIS obsolete very soon.
4. MIS cannot provide direct help for unstructured decision making.
5. MIS only takes quantitative factors into consideration and ignores qualitative aspects of a business organization like morale and attitude of employees.
6. MIS is highly sensitive and requires constant monitoring.
7. MIS implementation can be very expensive. Additionally, new employee hiring or employee training related to the MIS can also add to the implementation costs.
8. MIS becomes less effective if there is frequent change in top and middle management.

◙ ERP (Enterprise Resource Planning): ERP will be discussed in chapter 7

◙ Decision Support System (DSS):
Definition:
• DSS is a class of information systems that support semi-structured and unstructured decision making activities and is particularly useful for top and middle level management by giving them various decision alternatives. DSS can be defined as a system which provides tools to the decision making managers to address unstructured/partially structured problems in their own personalized manner. It empowers the managers in the decision making process.
• DSS is not meant for making decisions for managers; it acts as a tool for helping them in taking decisions. There is, however, some software which can do a particular kind of decision making as well. Such systems are called Programmed Decision Systems. For example, banks use specific software to do credit appraisal of their customers.


Characteristics of DSS:
(i) Semi-structured and Unstructured Decisions: Unstructured decisions and semi-structured decisions are made when information obtained from a computer system is only a portion of the total knowledge needed to make the decision. DSS is well adapted to help with semi-structured and unstructured decisions. A well designed DSS helps in the decision making process through the depth to which the available data can be tapped for useful information.
(ii) Ability to adapt to changing needs: Semi-structured and unstructured decisions often do not conform to a predefined set of decision-making rules. DSS provides flexibility to enable users to model their own information needs. Rather than locking the system into rigid information producing requirements, capabilities and tools are provided by DSS to enable users to meet their own output needs.
(iii) Ease of Learning and Use: DSS software tools employ user-oriented interfaces such as grids, graphics, non-procedural fourth-generation languages (4GL), natural English, and easily read documentation. These interfaces make it easier for users to conceptualize and perform the decision-making process.

Components of DSS: DSS has the following four components:
i) User: The user of a DSS is usually a manager with an unstructured or semi-structured problem to solve. The user need not be a computer expert to use DSS; instead he should have a thorough understanding of the problem and the factors to be considered for solving it.
ii) User interface (planning language): The user communicates with the DSS through a planning language, which is also called the user interface. The planning language can be a general purpose planning language (e.g. simple English-like interactive dialogue) or a special purpose planning language (e.g. an interface using statistical terms).
iii) Model base: The model base is the brain of the DSS, which actually performs the data manipulation operations such as:
- Mathematical functions
- Statistical functions
- Financial functions
iv) Database: The DSS has one or more databases containing both external and internal data. External data may relate to market conditions, economic conditions, competitive positions etc. Internal data relates to various functions within the organization like accounts, production, marketing, material management etc.

Implementation of database: A database is implemented at three levels, shown here from the user's view downward:
- External level
- Logical level
- Physical level

External level (User level): The external level defines how users understand the organization of the data. A single database can have any number of views at the external level.
Logical level: It is designed by professional programmers who have complete knowledge of the DBMS. It deals with the nature of the data stored, the scheme of data storage (logically divided into various tables having rows and columns) and the techniques for defining relationships with indexes.
Physical level: It involves the implementation of the database on the hard disk, i.e. the physical storage of the data. The management of storage and access is controlled by the operating system.
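To make the three levels concrete, here is an added example (not part of these notes) using Python's built-in sqlite3 module. The logical level is the table schema with its keys and index; the external level is a pair of views over that one schema, a staff directory that hides salaries and a payroll summary; the physical level is the database file (kept in memory here) whose fixed-size pages are managed by SQLite and the operating system. The table, view and column names and the sample rows are constructed for illustration.

```python
import sqlite3

# External-level views a user may query. Restricting query_view() to this
# list keeps it from being turned into a way to read arbitrary tables.
EXTERNAL_VIEWS = {"v_directory", "v_payroll"}


def build_database(path=":memory:"):
    """Create the logical schema, the external views and constructed sample
    rows. `path` is the physical location; ":memory:" avoids writing a file."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        -- Logical level: tables, columns, keys and indexes
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            dept_id INTEGER NOT NULL REFERENCES department(dept_id),
            salary  INTEGER NOT NULL
        );
        CREATE INDEX idx_employee_dept ON employee(dept_id);

        -- External level: each view is one user group's picture of the data
        CREATE VIEW v_directory AS
            SELECT e.name AS employee, d.name AS department
            FROM employee e JOIN department d ON e.dept_id = d.dept_id;

        CREATE VIEW v_payroll AS
            SELECT d.name        AS department,
                   COUNT(*)      AS headcount,
                   SUM(e.salary) AS total_salary
            FROM employee e JOIN department d ON e.dept_id = d.dept_id
            GROUP BY d.name;
    """)
    # Constructed sample data (not real company data)
    conn.executemany("INSERT INTO department VALUES (?, ?)",
                     [(1, "Accounts"), (2, "Production")])
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)",
                     [(101, "Asha", 1, 50000),
                      (102, "Ravi", 2, 42000),
                      (103, "Meera", 2, 45000)])
    conn.commit()
    return conn


def query_view(conn, view):
    """Read a whole external view, sorted by its first column."""
    if view not in EXTERNAL_VIEWS:
        raise ValueError(f"not an external view: {view}")
    return conn.execute(f"SELECT * FROM {view} ORDER BY 1").fetchall()


def view_columns(conn, view):
    """Column names that a user of the given view can see."""
    if view not in EXTERNAL_VIEWS:
        raise ValueError(f"not an external view: {view}")
    return [col[0] for col in conn.execute(f"SELECT * FROM {view}").description]


def physical_page_size(conn):
    """Physical level: SQLite stores the database as fixed-size pages on disk;
    this reports the page size in bytes."""
    return conn.execute("PRAGMA page_size").fetchone()[0]


if __name__ == "__main__":
    db = build_database()
    print("directory view:", query_view(db, "v_directory"))
    print("payroll view:  ", query_view(db, "v_payroll"))
    print("page size (bytes):", physical_page_size(db))
```

The directory view never exposes the salary column, which is the practical reason for giving each user group its own external view rather than direct table access: the logical schema can change (for example, a new column) without the views, and the users who depend on them, having to change.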


Software tools of DSS: The following software tools are used in DSS:
- Database software: Oracle, Microsoft Access, Microsoft SQL Server, Dbase
- Model based software: MS Excel, Lotus 1-2-3, Foresight, Omnicalc
- Statistical software: SPSS, SAS
- Display based software: Chartmaster, SAS Graph

Use of DSS in accounting function: DSS is widely used in various accounting functions:
1. Cost accounting system: DSS is used for problems like pricing decisions and inventory control.
2. Capital budgeting system: DSS is used to assess a project's financial feasibility.
3. Variance analysis: Using DSS, variance analysis can be done cost-centre-wise and then comprehensive figures can be calculated and analyzed.
4. General financial analysis: Like ratio analysis, working capital management etc.
5. Portfolio management: Nowadays mutual fund managers use DSS to assist them in achieving a suitable portfolio as per their risk perceptions.

Some of the DSS available in the market are:
1) Expert Choice
2) AutoMan
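As an added example (not from these notes), the following Python code shows what the model base of a small accounting DSS does with the data pulled from its database: a financial function (net present value) applied to the capital budgeting decision, and a variance analysis that first computes budget-versus-actual per cost centre and then rolls the centres up into the comprehensive figure. The project cash flows and cost-centre records are constructed sample inputs.

```python
from collections import defaultdict


def npv(rate, cash_flows):
    """Net present value of cash flows at t = 0, 1, 2, ... discounted at `rate`.
    This is the kind of financial function held in the DSS model base."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def capital_budgeting(rate, projects):
    """Capital budgeting support: compute each project's NPV and rank them,
    best NPV first. A project is financially feasible when NPV > 0.
    `projects` maps a project name to its list of cash flows."""
    ranked = sorted(((name, round(npv(rate, flows), 2))
                     for name, flows in projects.items()),
                    key=lambda item: item[1], reverse=True)
    return [(name, value, value > 0) for name, value in ranked]


def variance_analysis(records):
    """Variance analysis cost-centre-wise, then rolled up to a comprehensive
    total. `records` are (cost_centre, budget, actual) tuples; for cost
    figures a positive variance (actual above budget) is adverse."""
    totals = defaultdict(lambda: {"budget": 0, "actual": 0})
    for centre, budget, actual in records:      # several ledger lines per centre
        totals[centre]["budget"] += budget
        totals[centre]["actual"] += actual

    def row(budget, actual):
        variance = actual - budget
        status = "adverse" if variance > 0 else "favourable" if variance < 0 else "on budget"
        return {"budget": budget, "actual": actual, "variance": variance, "status": status}

    report = {centre: row(t["budget"], t["actual"]) for centre, t in totals.items()}
    report["TOTAL"] = row(sum(t["budget"] for t in totals.values()),
                          sum(t["actual"] for t in totals.values()))
    return report


# Constructed sample inputs (not real company data)
SAMPLE_PROJECTS = {
    "new_plant": [-1000, 500, 500, 500],
    "upgrade": [-600, 100, 200, 250],
}
SAMPLE_COSTS = [
    ("CC-10", 1000, 1100), ("CC-10", 500, 450),   # two ledger entries for CC-10
    ("CC-20", 2000, 1900),
]

if __name__ == "__main__":
    for name, value, feasible in capital_budgeting(0.10, SAMPLE_PROJECTS):
        print(f"{name}: NPV={value} feasible={feasible}")
    for centre, figures in variance_analysis(SAMPLE_COSTS).items():
        print(centre, figures)
```

The discount rate is the one input the manager varies interactively; re-running capital_budgeting at several rates is exactly the "what if" use of a DSS that the notes describe, and the ranked list is an alternative offered to the manager, not a decision made for him.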

◙ Executive Information System (EIS):
Definition: An Executive Information System (EIS) is a type of information system intended to facilitate and support the information and decision-making needs of senior executives by providing easy access to both internal and external information relevant to meeting the strategic goals of the organization.

Characteristics of EIS:
• EIS is the same as Executive Support System (ESS).
• EIS is considered as complementary to Decision Support System.
• The emphasis of EIS is on graphical displays and easy-to-use user interfaces.
• EIS offers strong reporting and drill-down capabilities.
• EIS helps top-level executives to analyze, compare, highlight trends, monitor performance and identify opportunities and problems.
• EIS has access to both internal and external data.
• EIS and data mining technologies are converging in the marketplace.

Type of decisions made by executives: Executive decisions relate to the following:
1. Strategic planning: It involves determining the long range directions for the organization. Strategic planning and control involve decisions that change the character or direction of the organization.
2. Tactical planning: It involves execution of strategic plans. Thus tactical decisions are the specific decisions that the organization might undertake in carrying out its strategy.
3. Fire fighting measures: It involves damage control measures due to any untoward event like a major strike, sharp decline in the market, new strategies by competitors etc.
4. Control: The controlling function involves determining when the actual activities deviate from the planned activities. Thus setting up standards is the first activity in a control environment. Standards may relate to methods, performance, documentation, project control etc. The general guidelines of control have to be laid down by senior management.


Characteristics of information used in executive decision making: For executive decision making the following information is required:
- Environmental information
- Competitive information and
- Internal information
The characteristics of such information are:
1. Lack of structure: Executives generally make unstructured decisions, and for such decisions the information requirement does not have a fixed pattern. Any random piece of information can prove to be helpful for such decisions.
2. High degree of uncertainty: Executives have to make decisions in an environment of uncertainty, and sometimes there is no past experience of a particular problem, since it never occurred before.
3. Future orientation: As environmental conditions change, the organization must also change. It is the executive's responsibility to make sure that the organization keeps moving with future trends.
4. Informal source: Senior executives rely heavily on informal sources for key information. Such informal information can be gathered while having lunch with friends in other companies, on tours, in chats with employees, at social events etc.
5. Low level of detail: Executive decisions are made by observing broader trends. This can only be done by viewing things in a comprehensive manner.

Purpose of EIS:
1. Support learning: EIS helps executives to monitor the organization more closely. This way they have better interaction with the various visible and invisible forces acting in the organization.
2. Timely access to information: EIS allows executives to have timely access to the latest information. Information is useful only if it is not outdated; if so much time is taken in compiling a report that by the time it reaches the executive it has lost its value, the report serves no purpose.
3. Highlights the problem: One of the key benefits of EIS is that it can highlight any problem in the system on a timely basis.

Contents of EIS: The following data/information is generally contained in any EIS:
1. Anything which is useful for the executives.
2. Targets and budgets of the organization in different functional areas.
3. Data about work processes in different departments of the organization.
4. Performance measurement indicators.
5. External information ranging over a wide variety.
6. Information contents of EIS can change according to the changing environment.

Example of EIS: Business Dashboards

Expert System:
- An Expert System is a highly developed DSS that utilizes the knowledge generally possessed by a human expert to solve a problem.
- Expert Systems are software systems that imitate the reasoning processes of human experts and provide decision makers with the type of advice they would normally receive from such an expert.
- An expert system uses the concept of artificial intelligence to solve problems. It is useful for solving structured and semi-structured problems.

[Figure: Expert system architecture. Blocks shown: Knowledge Base (if-then-else rules and facts); Inference Engine (forward chain and backward chain); User Interface (asks questions from the user to get the input); End User; Knowledge Acquisition Sub-system; Knowledge Engineer (analyst and domain expert).]

Components of Expert Systems:
(i) Knowledge Base: The knowledge base stores the rules, data and relationships that are used to solve problems and contains specific facts about the expert area. The rules are in "if-then-else" condition format. The power of an expert system depends on the depth and breadth of the knowledge stored in the knowledge base.
(ii) Inference Engine: The inference engine is the main processing component of the expert system. It consists of software programs that request data from the user, manipulate the knowledge base and provide a decision to the user. There are various reasoning techniques used by the inference engine. These include backward and forward chaining.
• A forward-chain mechanism first examines the KB and the problem at hand; then it attempts to discover a solution. For example, a medical Expert System may be used to examine a patient's symptoms and provide a diagnosis based on the symptoms; the Expert System might locate several diseases that the patient may have.
• With backward chaining, the Inference Engine starts with an assumption or goal, which it then checks against the facts and rules in the knowledge base for correctness. Thus the expert system might be given the goal to "find a patient's disease(s)" and would work back from there, asking questions as necessary to confirm or disprove a particular disease.
(iii) Knowledge Acquisition Subsystem: The Knowledge Acquisition Subsystem is the software component of an expert system that helps to improve the logic and data of the knowledge base. The knowledge engineer, together with the subject matter expert, works with the knowledge acquisition subsystem to model decision logic and update the knowledge base. The knowledge engineer is provided with easy-to-operate menus and templates for entering rules, facts and relationships among facts. Once these are entered, the software stores the information correctly in the knowledge base.
(iv) User Interface: A user interface is the method by which an expert system interacts with a user. The user interface can ask questions of the user to get the required input for the inference engine. The expert system prompts the user to supply information about the problem and the user types in the requested data. The data entered are examined by the inference engine and compared to the facts, rules and relationships in the knowledge base. Some expert systems interact with other computer applications and do not interact directly with a human.
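As an added example (not part of these notes), the Python sketch below shows how the knowledge base and inference engine described above fit together: a handful of constructed if-then rules, a forward-chaining pass that fires rules from the facts at hand until nothing new can be derived, and a backward-chaining pass that starts from a goal and asks the user only for the facts that no rule can supply, with a callback standing in for the user interface. The rule names and the symptom/diagnosis terms are made up for illustration and are not medical advice.

```python
from collections import namedtuple

# A rule in "if <all conditions hold> then <conclusion>" form.
Rule = namedtuple("Rule", ["name", "conditions", "conclusion"])

# Constructed toy knowledge base for illustration only.
KNOWLEDGE_BASE = [
    Rule("R1", frozenset({"fever", "cough"}), "respiratory_infection"),
    Rule("R2", frozenset({"respiratory_infection", "shortness_of_breath"}), "pneumonia_suspected"),
    Rule("R3", frozenset({"fever", "rash"}), "viral_exanthem"),
    Rule("R4", frozenset({"pneumonia_suspected"}), "order_chest_xray"),
]


def forward_chain(rules, facts):
    """Forward chaining: start from the known facts, fire every rule whose
    conditions are all known, and repeat until no rule adds a new fact.
    Returns the full set of facts and the names of the rules fired, in order."""
    known = set(facts)
    fired = []
    progress = True
    while progress:
        progress = False
        for rule in rules:
            if rule.conditions <= known and rule.conclusion not in known:
                known.add(rule.conclusion)
                fired.append(rule.name)
                progress = True
    return known, fired


def backward_chain(rules, goal, facts, ask=None, _visited=None):
    """Backward chaining: start from a goal (hypothesis) and work back through
    the rules that could conclude it. A condition no rule concludes becomes a
    question for the user; `ask(condition)` plays the user-interface role and
    returns True/False. Established facts are added to `facts`, so the same
    question is never asked twice."""
    if _visited is None:
        _visited = set()
    if goal in facts:
        return True
    if goal in _visited:            # already explored and not established
        return False
    _visited.add(goal)
    candidate_rules = [r for r in rules if r.conclusion == goal]
    if not candidate_rules:         # leaf condition: ask the user
        answer = bool(ask(goal)) if ask else False
        if answer:
            facts.add(goal)
        return answer
    for rule in candidate_rules:
        if all(backward_chain(rules, cond, facts, ask, _visited)
               for cond in rule.conditions):
            facts.add(goal)
            return True
    return False


def consult(goal, known_facts, answers):
    """Run one backward-chaining consultation. `answers` maps a question to
    the user's yes/no reply; anything not listed is answered "no".
    Returns (goal established?, the questions asked, in order)."""
    asked = []

    def ask(question):
        asked.append(question)
        return answers.get(question, False)

    established = backward_chain(KNOWLEDGE_BASE, goal, set(known_facts), ask)
    return established, asked


if __name__ == "__main__":
    facts, fired = forward_chain(KNOWLEDGE_BASE, {"fever", "cough", "shortness_of_breath"})
    print("forward chaining derived:", sorted(facts), "via", fired)
    print("backward chaining:", consult("order_chest_xray", {"fever", "cough"},
                                        {"shortness_of_breath": True}))
```

Forward chaining is data-driven: given the symptoms it produces every conclusion the rules support. Backward chaining is goal-driven: given the hypothesis "order a chest X-ray" it only asks about shortness of breath, because fever and cough are already on file and no rule needs a rash for that goal.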

Expert systems can be used in the following areas:
1) Accounting and finance: Investment advice, tax planning, credit appraisal.
2) Marketing: Sales quotes, responding to customer enquiries.
3) Help desk function: Troubleshooting.
4) Manufacturing: Process monitoring and control, self-diagnosing tools.
5) HR: Employee selection process.


Need for Expert Systems:
1. Expert professional employees are expensive and in short supply. Thus an expert system can replace the need for a human expert professional.
2. Human experts can handle only a few factors at a time, but an expert system can consider several factors at a time to solve the problem.

Benefits of Expert Systems:
1) Expert Systems preserve knowledge that might be lost through retirement, resignation or death of an expert professional of the organization.
2) Expert Systems put information into an active form so it can be used anytime.
3) Expert Systems help beginners to think the way experienced professionals do.
4) Expert Systems are not subject to such human failings as fatigue, being too busy, or being emotional.
5) Expert Systems can be effectively used as a strategic tool in the areas of marketing products, cutting costs and improving products.

Problem areas for which an expert system can be developed: Some of the properties that potential applications should possess to qualify for Expert System development are as follows:
1) Availability: One or more experts are capable of communicating how they go about solving the problems to which the Expert System will be applied.
2) Complexity: Solution of the problems for which the Expert System will be used is a complex task that requires logical inference processing, which would not be easily handled by conventional information processing.
3) Domain: The domain, or subject area, of the problem is relatively small and limited to a relatively well-defined problem area.
4) Expertise: Solutions to the problem require the efforts of experts. That is, only a few possess the knowledge, techniques, and intuition needed.
5) Structure: The solution process must be able to cope with ill-structured, uncertain, missing, and conflicting data, and a dynamic problem-solving situation.

OFFICE AUTOMATION SYSTEMS (OAS): Office Automation System (OAS) is among the newest and most rapidly expanding computer based information systems. Different office activities can be broadly grouped into the following types of operations:
(i) Document Capture: Documents originating from outside sources like incoming mail, notes, handouts, charts, graphs etc. need to be preserved.
(ii) Document Creation: This consists of preparation of documents, dictation, editing of texts etc. and takes up a major part of the secretary's time.
(iii) Receipts and Distribution: This basically includes distribution of correspondence to designated recipients.
(iv) Filing, Search, Retrieval and Follow up: This is related to filing, indexing and searching of documents, which takes up significant time.
(v) Calculations: These include the usual calculator functions like routine arithmetic, operations for bill passing, interest calculations, working out percentages and the like.
(vi) Recording Utilization of Resources: This includes, where necessary, record keeping in respect of specific resources utilized by office personnel.


Benefits of Office Automation Systems:
(i) Improves communication: Office Automation Systems improve communication within an organization and between organizations.
(ii) Reduces time: Office Automation Systems reduce the cycle time between preparation of messages and receipt of messages at the recipients' end.
(iii) Reduces cost: Office Automation Systems reduce the costs of office communication both in terms of time spent by executives and cost of communication links.
(iv) Increases accuracy: Office Automation Systems ensure accuracy of communication flows.

Computer based office automation systems are of the following types:
I. Text processors and related systems
II. Electronic document management systems
III. Electronic message communication systems
IV. Teleconferencing and video conferencing systems

I. Text Processing Systems:
- Text processing systems are the most widely used office systems, since most communication takes place in written format.
- Text processing systems automate the process of development of documents such as letters, reports, memos etc. They permit the use of standard stored information to produce personalized documents.
- The text processor may be a simple word processing system or a desktop publishing system. Desktop publishing systems are often supported with laser printers, inkjet printers, scanners and other such devices for producing good quality documents.
- An example of a text processing system is MS Word.

II. Electronic Document Management Systems:
- The computer based document management system is used to store, retrieve and manage document files or scanned copies of documents.
- These systems are linked to other office automation systems such as text processors, electronic message communication systems etc.
- These systems also provide remote access to documents. For example, a customer may have a complaint that the delivery of goods was not in accordance with the delivery instructions in the order. The executive can access the order document held in the office through his notebook computer connected to any telephone line and show it to the customer.
- In the case of internal communication, document management systems can prove to be very useful. For example, the loan application form filed in a branch of a bank can be accessed by the sanctioning officer at the head office or any other office for scrutiny of loan proposals.
- With computer based document management systems, the location of the executive becomes irrelevant for access to documents. Thus these systems can be very useful in an office environment where travelling executives share work space in the office.

III. Electronic Message Communication Systems:
Components of Message Communication Systems: The three basic components of electronic message communication systems are as follows:


1) Electronic Mail: Various features of electronic mail are stated below:
- Electronic transmission: The transmission of messages with e-mail is electronic and message delivery is very quick, almost instantaneous. Confirmation of transmission is received.
- Online development and editing: The e-mail message can be developed and edited online before transmission. Online development and editing eliminates the need for paper in communication. It also facilitates the storage of messages on magnetic media, thereby reducing the space required to store the messages.
- Broadcasting and Rerouting: E-mail permits sending a message to a large number of target recipients. Thus it is easy to send a circular to all branches of a bank using e-mail, resulting in a lot of saving of paper. The e-mail can also be rerouted to many people.
- Integration with other Information systems: E-mail has the advantage of being integrated with other information systems. Such integration helps in ensuring that the message is accurate and the information required for the message is accessed quickly.
- Portability: E-mail renders the physical location of the recipient and sender irrelevant. The e-mail can be accessed from any personal computer equipped with a network connection.
- Economical: E-mail is the most economical mode of sending messages. Since the speed of transmission is increasing, the cost of communication media per page is falling further, adding to the popularity of e-mail.

2) Facsimile (Fax):
- Facsimile (Fax) is electronic communication of images of documents over telephone lines.
- Computer based fax technology automates fax communication and permits sharing of fax facilities.
- It uses special software and fax servers to send and receive fax messages using common communication resources.
- These servers have the ability to receive fax messages and automatically reroute them to the intended recipient after viewing at the central computer; similarly, managers in an enterprise can leave fax messages with the server, which will send them to the intended recipient automatically.

3) Voice Mail:
- Voice mail is a variation of e-mail in which messages are transmitted as digitized voice.
- The recipient of the voice mail has to dial a voice mail service or access the e-mail box using the specified equipment, and can then hear the spoken message in the voice of the sender.
- A secured type of voice mail service may require the recipient to enter an identification code before access is granted to the stored information.

IV. Teleconferencing and Video-conferencing Systems:
- Teleconferencing allows a business meeting to be conducted among more than two persons located at two or more different places.
- Teleconferencing helps in reducing the time and cost of meetings, as the participants do not have to travel to attend the meeting.
- Teleconferencing may be audio or video conferencing, with or without the use of computer systems. Computer based teleconferencing has the advantage of flexibility in terms of pre-recorded presentations and integration with other information systems.
- These systems are based on personal computers featuring a digital camera and run on visual communication software. The communication links are still quite expensive, making desktop video conferencing useful only for selected applications.

Previous examination questions

Marks asked from this chapter in previous exams:
Nov 2012: 14
May 2012: 10
Nov 2011: 8
May 2011: 12
Nov 2010: 13
May 2010: 10
Nov 2009: 5
June 2009: Nil
Nov 2008: 10

Nov 2012 (6 Marks): What is meant by EIS? What are its characteristics?
Nov 2012 (4 Marks): Explain any four features of Electronic Mail.
Nov 2012 (8 Marks): Short Note: Limitations of MIS.
May 2012 (6 Marks): What is Decision Support System? Discuss its characteristics in brief.
May 2012 (4 Marks): Discuss the constraints in operating a MIS.
Nov 2011 (8 Marks): Define the term "Information". Discuss various important attributes that are required for useful and effective information.
May 2011 (4 Marks): What are the characteristics of executive information system?
May 2011 (4 Marks): Enumerate the characteristics of computer based information system.
May 2011 (4 Marks): Short note on: Business applications of Expert Systems for management support systems.
Nov 2010 (5 Marks): (Case question) What are the types of operations into which the different office activities can be broadly grouped under office automation system?
Nov 2010 (4 Marks): Write a short note on "Benefits of expert system".
Nov 2010 (4 Marks): What do you understand by the term 'database'? How is it implemented at three different levels?
May 2010 (5 Marks): Give some important advantages of Information System in business.
May 2010 (5 Marks): Briefly describe any three of the characteristics of the types of information used in Executive Decision Making.
Nov 2009 (5 Marks): Identify and justify the type of each one of the following systems based on how they perform within an environment and/or certainty/uncertainty: (i) Marketing system (ii) Communication system (iii) Manufacturing system (iv) Pricing system (v) Hardware-Software system.
Ans hint:
(i) Marketing system
    System type: Open system and probabilistic
    Justification: The objective of the system is to maximize customer satisfaction by providing a free interactive environment. It takes input/feedbacks and facilitates the outcomes as products of the company and to create new customers.
(ii) Communication system
    System type: Open system and deterministic
    Justification: The system interacts freely with its environment by taking input and returning output.
(iii) Manufacturing system
    System type: Relatively closed system and deterministic
    Justification: This system neither interacts with the environment nor changes with the change in the environment. A manufacturing unit is completely isolated from its environment for its operation.
(iv) Pricing system
    System type: Open system and probabilistic
    Justification: The system has a probable behavior and interacts freely with its environment by taking inputs and returning outputs.
(v) Hardware-Software system
    System type: Relatively closed system and deterministic
    Justification: The interaction among the various parts of the system is known with certainty and it does not immediately change with the environment. The operational state of these systems is predictable.

Nov 2008 (5 Marks): What is DSS? Briefly explain three characteristics of DSS.
Nov 2008 (5 Marks): Explain Executive Information System. What purpose does it serve?


CHAPTER 2 SYSTEMS DEVELOPMENT LIFE CYCLE METHODOLOGY

◙ Systems development process: Systems development refers to the process of examining a business situation with the objective of improving it through better procedures and methods. System development can generally be thought of as having two major components: System Analysis and System Design.
I. System Analysis is the process of gathering and interpreting facts, analyzing problems, and using this information to recommend improvements to the system.
II. System Design is the process of planning a new business system or one to replace or complement an existing system.

Obstacles in achieving System Development Objectives: There are many reasons why organizations fail to achieve their systems development objectives. Some of them are as follows:
(i) Lack of senior management support and involvement: Only when senior management shows its commitment to a particular systems development project can the project be developed in a successful manner. Senior management can see that adequate resources, as well as budgetary control over the use of those resources, are dedicated to the project.
(ii) Shifting user needs: User requirements for information technology are changing at a very fast rate. Thus, by the time a system is ready for implementation, the user requirements may have changed, and then the new system will also become obsolete very soon.
(iii) Difficulty in development of strategic systems: Because strategic decision making is unstructured, the requirements, specifications, and objectives for such development projects are difficult to define.
(iv) Unfamiliarity with new technologies: When an organization tries to create a competitive advantage by applying advanced information technology, it generally finds that attaining system development objectives is more difficult because personnel are not as familiar with the technology.
(v) Lack of standard project management and systems development methodologies: Some organizations do not formalize their project management and system development methodologies, thereby making it very difficult to consistently complete projects on time or within budget.
(vi) Overworked or under-trained development staff: In many cases systems developers lack a sufficient educational background, and companies also do not provide sufficient training to them. Also, to meet the deadline the development team works overtime, which reduces their efficiency, and finally the quality of the project suffers.
(vii) Resistance to change: People have a natural tendency to resist change, and information systems development projects result in radical changes in the workplace.
(viii) Lack of user participation: Users must participate in the development effort to define their requirements, feel ownership of project success, and work to resolve development problems. User participation also helps reduce user resistance to change.
(ix) Inadequate testing and user training: New systems must be tested before installation to determine that they operate correctly. Users must be trained to utilize the new system effectively.


System Development Team: Several people/group in the organization are responsible for systems development work. For example:•

• • • •



Steering committee: In large systems, the outcome of a particular project is typically decided by a top management level steering committee, usually consisting of a group of key IT service users that acts as a review body for Information Systems plans and applications development. The steering committee ensures that ongoing systems development activities are consistently aimed at satisfying the information requirements of managers and users within the organization. Project management team: A project management team generally consists of both computer professionals and key users. System analyst: System analysts are assigned the task to determine user requirements, design the system and assist in development and implementation activities. Systems designer: In any systems organization, systems designers take a lead role during the design, development and implementation stages. Accountant/auditors: Accountants understand the business and accounting process as well as internal controls associated with such process. Hence their participation is also required in designing a new system so that the new system has inbuilt internal controls. Accountant might also perform cost-benefit analysis of the new project. End-users: In end-user based development the ultimate responsibility of building a system lies with the end-user only. The IT team is there to guide them and review the quality assurance procedures.

SYSTEMS DEVELOPMENT METHODOLOGY
A system development methodology is a formalized, standardized, documented set of activities used to manage a system development project. There are several system development methodologies, and each of the available methodologies is best suited to specific kinds of project, based on various technical, organizational, project and team considerations. All systems development methodologies are characterized by the following common features:
• Division of project: The project is divided into a number of identifiable processes, and each process has a starting point and an ending point (also called project milestones). Each process comprises several activities, one or more deliverables, and several management control points. The division of the project into these small, manageable steps facilitates both project planning and project control.
• Every stage should have some deliverables: Specific reports and other documentation, called deliverables, must be produced periodically during system development to make development personnel accountable for faithful execution of system development tasks.
• Signoffs/approvals at every stage: Users, managers, and auditors are required to participate in the project. These people generally provide approvals, often called signoffs, at pre-established management control points. Signoffs signify approval of the development process and the system being developed.
• Testing: The system must be tested thoroughly prior to implementation to ensure that it meets users' needs.
• User Training: A training plan is developed for those who will operate and use the new system.
• Change management: Formal program change controls are established to prevent unauthorized changes to computer programs.
• Post implementation review (PIR): A post-implementation review of all developed systems must be performed to assess the effectiveness and efficiency of the new system and of the development process.
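As an added illustration (constructed here, not part of these notes), the Python below models these common features as a phase gate: a phase is closed only when its deliverable exists and the user, manager and auditor have all signed off, the next phase cannot start before that, and a program change is applied only against an approved change request, with every event written to an audit trail. The phase names follow the notes; the deliverable names, roles and change ids are assumed.

```python
"""Phase-gate model of the common features of a systems development
methodology: phases with deliverables, signoffs at management control
points, sequential progress and formal program change control.
Constructed illustration; phase names follow the notes, the rest is assumed."""

from dataclasses import dataclass, field

PHASES = [
    "Preliminary Investigation",
    "Requirement Analysis",
    "System Design",
    "System Development",
    "System Testing",
    "Implementation and Maintenance",
]

# Deliverable that closes each phase (constructed examples).
DELIVERABLES = {
    "Preliminary Investigation": "feasibility report",
    "Requirement Analysis": "requirements specification",
    "System Design": "design document",
    "System Development": "program code",
    "System Testing": "test report",
    "Implementation and Maintenance": "post-implementation review",
}

# Roles whose signoff is required at every management control point.
SIGNOFF_ROLES = frozenset({"user", "manager", "auditor"})


class ControlError(Exception):
    """Raised when a management control point would be bypassed."""


@dataclass
class Project:
    phase_index: int = 0
    deliverables: dict = field(default_factory=dict)    # phase -> deliverable
    signoffs: dict = field(default_factory=dict)        # phase -> {roles}
    approved_changes: set = field(default_factory=set)  # approved change ids
    audit_log: list = field(default_factory=list)       # evidence trail

    @property
    def phase(self) -> str:
        return PHASES[self.phase_index]

    def submit_deliverable(self, name: str) -> None:
        """Record the phase's deliverable; the wrong artefact is rejected."""
        expected = DELIVERABLES[self.phase]
        if name != expected:
            raise ControlError(f"{self.phase} expects '{expected}', got '{name}'")
        self.deliverables[self.phase] = name
        self.audit_log.append(("deliverable", self.phase, name))

    def signoff(self, role: str) -> None:
        """A signoff is only meaningful once there is a deliverable to approve."""
        if role not in SIGNOFF_ROLES:
            raise ControlError(f"'{role}' is not a signoff role")
        if self.phase not in self.deliverables:
            raise ControlError(f"no deliverable to sign off in {self.phase}")
        self.signoffs.setdefault(self.phase, set()).add(role)
        self.audit_log.append(("signoff", self.phase, role))

    def missing_signoffs(self) -> set:
        """Roles that still have to approve the current phase."""
        return set(SIGNOFF_ROLES - self.signoffs.get(self.phase, set()))

    def advance(self) -> str:
        """Enter the next phase only when the current one is fully closed."""
        missing = self.missing_signoffs()
        if self.phase not in self.deliverables or missing:
            raise ControlError(
                f"{self.phase} not closed; missing signoffs: {sorted(missing)}")
        if self.phase_index == len(PHASES) - 1:
            raise ControlError("already in the final phase")
        self.phase_index += 1
        self.audit_log.append(("advance", self.phase, None))
        return self.phase

    def approve_change(self, change_id: str) -> None:
        """Formal approval of a change request (constructed id format)."""
        self.approved_changes.add(change_id)
        self.audit_log.append(("change_approved", self.phase, change_id))

    def apply_program_change(self, change_id: str) -> bool:
        """Program change control: only an approved change may be applied."""
        if change_id not in self.approved_changes:
            self.audit_log.append(("change_rejected", self.phase, change_id))
            return False
        self.audit_log.append(("change_applied", self.phase, change_id))
        return True


def close_phase(project: Project) -> str:
    """Deliver, collect every signoff and advance; returns the new phase."""
    project.submit_deliverable(DELIVERABLES[project.phase])
    for role in sorted(SIGNOFF_ROLES):
        project.signoff(role)
    return project.advance()
```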


Approaches to System Development
Since organizations vary significantly in the way they automate their business procedures, and since each new type of system usually differs from any other, several different system development approaches are often used within an organization. These approaches are not mutually exclusive, which means that it is possible to mix them, e.g. perform some prototyping while applying the traditional approach. These approaches are as follows:
(i) Traditional/Waterfall/Sequential: Linear framework type
(ii) Prototyping: Iterative framework type
(iii) Incremental: Linear + Iterative framework type
(iv) Spiral: Linear + Iterative framework type
(v) Rapid Application Development (RAD): Iterative framework type
(vi) Agile Methodologies: Iterative framework type

(i) The Traditional / Waterfall Approach / Sequential Approach:

The waterfall approach is a traditional development approach in which development work is done in different phases. In the traditional approach of system development, activities are performed in sequence. When the traditional approach is applied, an activity is undertaken only when the prior step is fully completed.
Fig: Steps in Traditional Approach (Preliminary Investigation → Requirement Analysis → System Design → System Development → System Testing → System Implementation and Maintenance)
Framework type: Linear
Basic Principles:
(i) Project is divided into sequential phases, with some overlap and splashback acceptable between phases.
(ii) Emphasis is on planning, time schedules, target dates, budgets and implementation of an entire system at one time.
(iii) Tight control is maintained over the life of the project through the use of extensive written documentation, as well as through formal reviews and approval/signoff by the user at every stage.


Strengths:
(i) Ideal for supporting less experienced project teams/managers or project teams whose composition fluctuates.
(ii) An orderly sequence of development steps and design reviews helps ensure the quality, reliability, adequacy and maintainability of the developed software.
(iii) Progress of system development is measurable.
(iv) Conserves resources.
Weaknesses:
(i) Inflexible, slow, costly, and cumbersome due to significant structure and tight controls.
(ii) Project progresses forward, with only slight movement backward.
(iii) Less use of iteration, which can reduce manageability if used.
(iv) Depends upon early identification and specification of requirements, yet users may not be able to clearly define what they need early in the project.
(v) Requirement inconsistencies, missing system components and unexpected development needs are often discovered during later phases, i.e. during design and coding.
(vi) Problems are often not discovered until system testing.
(vii) System performance cannot be tested until the system is almost fully coded, and under-capacity may be difficult to correct.
(viii) Difficult to respond to changes. Changes that occur later in the life cycle are more costly and are thus discouraged.
(ix) Produces excessive documentation, and keeping it updated as the project progresses is time-consuming.
(x) Written specifications are often difficult for users to read and thoroughly appreciate.
(xi) Promotes the gap between users and developers.

(ii) The Prototyping Model:

The traditional approach sometimes may take years to analyze, design and implement a system. In order to avoid such delays, organizations are increasingly using prototyping techniques to develop smaller systems such as DSS, MIS and Expert systems.
- The goal of the prototyping approach is to develop a small or pilot version of the new system called a prototype. A prototype is a usable system or system component that is built quickly and at a lesser cost, with the intention of modifying or replacing it by a full-scale and fully operational system (prototypes are generally throwaway).
- As users work with the prototype, they make suggestions about ways to improve it. These suggestions are then incorporated into another prototype, which is also used and evaluated, and so on.
- Finally, when a prototype is developed that satisfies all user requirements, either it is refined and turned into the final system or it is scrapped and the knowledge gained from building the prototype is used to develop the real system.

Framework type: Iterative. Basic Principles: Prototyping can be viewed as a series of four steps, depicted in the figure below, wherein the Implementation and Maintenance phases take place once the prototype model is tested and found to meet users' requirements.

Step 1 - Identify Information System Requirements: In the traditional approach, the system requirements have to be identified before the development process starts. Under the prototype approach, however, the design team needs only the fundamental system requirements to build the initial prototype, so the process of determining them can be less formal and time-consuming than when performing traditional systems analysis.


Step 2 - Develop the Initial Prototype: In this step, the designers create an initial base model and give little consideration to internal controls, but instead emphasize such system characteristics as simplicity, flexibility, and ease of use. These characteristics enable users to interact with tentative versions of the system and judge the usefulness of the system.
Step 3 - Test and Revise: After finishing the initial prototype, the designers first demonstrate the model to users and then give it to them to experiment with, asking users to record their likes and dislikes about the system and recommend changes. Using this feedback, the design team modifies the prototype as necessary and then resubmits the revised model to system users for re-evaluation. This iterative process of modification and re-evaluation continues until the users are satisfied.
Step 4 - Obtain User Signoff of the Approved Prototype: At the end of Step 3, users formally approve the final version of the prototype, which commits them to the current design and establishes a contractual obligation about what the system will, and will not, do or provide.
Prototyping is not commonly used for developing traditional applications such as accounts receivable, accounts payable, payroll, or inventory management, where the inputs, processing, and outputs are well known and clearly defined.

Strengths:
(i) Improves user participation in system development.
(ii) Especially useful for resolving unclear objectives.
(iii) Knowledge gained in an early iteration can be used in later iterations.
(iv) Helps to easily identify confusing/difficult and missing functionality.
(v) Encourages innovation and flexible designs.
(vi) Prototyping requires intensive involvement by the system users. Therefore, it typically results in a better definition of user needs and requirements in comparison to the traditional systems development approach.
(vii) A very short time period (e.g., a week) is normally required to develop and start experimenting with a prototype. This short time period allows system users to immediately evaluate proposed system changes.
(viii) Since system users experiment with each version of the prototype through an interactive process, errors are detected and eliminated early in the developmental process.
Weaknesses:
(i) Approval process and control are not strict.
(ii) Incomplete or inadequate problem analysis may occur whereby only the most obvious and superficial needs will be addressed, resulting in current inefficient practices being easily built into the new system.
(iii) Non-functional elements are difficult to identify and document.
(iv) Designers may prototype too quickly, without sufficient upfront user needs analysis, resulting in an inflexible design with narrow focus that limits future system potential.
(v) Prototypes may not have sufficient checks and internal controls incorporated in them.
(vi) Prototyping can be successful only if the system users are willing to devote significant time to experimenting with the prototype and provide the system developers with change suggestions.
(vii) The interactive process of prototyping causes the prototype to be experimented with quite extensively. Because of this, the system developers are frequently tempted to minimize the testing and documentation of the ultimately approved information system. Inadequate testing can make the approved system error-prone, and inadequate documentation makes this system difficult to maintain.
(viii) Prototyping may cause behavioral problems with system users. These problems include dissatisfaction by users if system developers are unable to meet all user demands for improvements, as well as dissatisfaction and impatience by users when they have to go through too many iterations of the prototype.

(iii) The Incremental Model:

Framework Type: Combination of Linear and Iterative. Basic Principles: The Incremental build model is a method of software development where the model is designed, implemented and tested incrementally (a little more is added each time) until the product is finished. The product is defined as finished when it satisfies all of its requirements. This model combines the elements of both the waterfall model and prototyping. The product is decomposed into a number of components, each of which is designed and built separately (termed builds). Each component is delivered to the client when it is complete. This allows partial utilization of the product and avoids a long development time. This model of development also helps to simplify the implementation of a new system in phases. There can be many variations/strategies for this model:
(a) A series of mini-waterfalls is performed for each part, and all the phases of the waterfall development model are completed for that small part of the system before proceeding to the next increment; or
(b) Overall requirements are defined before proceeding to mini-waterfall development of individual increments of the system; or
(c) The initial software concept, requirement analysis, and design of architecture and system core are defined using the Waterfall approach, followed by iterative Prototyping, which concludes in installation of the final system.
Fig: Incremental Model (Requirements → Design → Implementation and Unit Testing → Integration and Systems Testing → Operation).


Strengths:
(i) Knowledge gained in an early increment can be used in the development of later increments.
(ii) Moderate control is maintained over the life of the project through the use of written documentation and the formal review and approval/signoff by the user and information technology management at designated milestones.
(iii) Stakeholders can be given concrete evidence of project status throughout the life cycle.
(iv) More flexible: less costly to change scope and requirements.
(v) Helps to mitigate integration risk earlier in the project, since compatibility issues are examined with each deliverable. In the traditional approach these risks remain till the system is fully integrated with the existing system.
(vi) Gradual implementation provides the ability to monitor the effect of incremental changes and make adjustments before the organization is negatively impacted.
Weaknesses:
(i) When utilizing a series of mini-waterfalls for a small part of the system before moving onto the next increment, there is usually a lack of overall consideration of the business problem and technical requirements for the overall system.
(ii) Each phase of an iteration is rigid and deals with specific issues related to that small part (build/increment), and does not take into consideration other interdependent parts.
(iii) Problems may arise pertaining to overall system architecture because not all requirements are gathered up front for the entire software life cycle.
(iv) Since some modules will be completed much earlier than others, well-defined interfaces are required.
(v) Difficult problems tend to be deferred to the future to demonstrate early success to management.

(iv) Spiral Model:

Framework Type: Combination of Linear and Iterative. Basic Principles: The Spiral model is a software development process which combines elements of both waterfall and prototyping-in-stages (incremental) in order to minimize project risk. The spiral model is intended for large, expensive and complicated projects.
(i) The new system requirements are defined in as much detail as possible. This usually involves interviewing a number of users representing all the external or internal users and other aspects of the existing system.
(ii) A preliminary design is created for the new system. This phase is the most important part of the "Spiral Model", in which all possible alternatives that can help in developing a cost effective project are analyzed and strategies are decided to use them. This phase has been added specially in order to identify and resolve all the possible risks in the project development. If risks indicate any kind of uncertainty in requirements, prototyping may be used to proceed with the available data and find out a possible solution in order to deal with the potential changes in the requirements.
(iii) A first prototype of the new system is constructed from the preliminary design. This is usually a scaled-down system, and represents an approximation of the characteristics of the final product.
(iv) A second prototype is evolved by a fourfold procedure:
o evaluating the first prototype in terms of its strengths, weaknesses, and risks;
o defining the requirements of the second prototype;
o planning and designing the second prototype;
o constructing and testing the second prototype.


Strengths:
(i) Low overall project risk.
(ii) Helps to select the best methodology to follow for development of a given software iteration based on project risk.
(iii) Can incorporate Waterfall, Prototyping, and Incremental methodologies as special cases in the framework, and provide guidance as to which combination of these models best fits a given software iteration, based upon the type of project risk. For example, a project with low risk of not meeting user requirements but high risk of missing budget or schedule targets would essentially follow a linear Waterfall approach for a given software iteration. Conversely, if the risk factors were reversed, the Spiral methodology could yield an iterative prototyping approach.

Fig. Spiral Model (Boehm 1988)
Weaknesses:
(i) Challenges to determine the exact composition of development methodologies to use for each iteration around the Spiral (i.e. use waterfall, prototype or incremental).
(ii) Highly customized to each project, and thus quite complex, limiting reusability.
(iii) A skilled and experienced project manager is required to determine how to apply it to any given project.
(iv) No established controls for moving from one cycle to another cycle. Without controls, each cycle may generate more work for the next cycle.
(v) No firm deadlines: cycles continue with no clear termination condition, so there is an inherent risk of not meeting budget or schedule.

(v) Rapid Application Development (RAD)

Framework Type: Iterative. Basic Principles: Rapid Application Development (RAD) refers to a type of software development methodology which uses minimal planning in favor of rapid prototyping. The "planning" work of software developed using RAD is included with writing the software itself. The lack of extensive pre-planning generally allows software to be written much faster, and makes it easier to change requirements.
(i) Key objective is fast development and delivery of a high quality system at a relatively low investment cost.
(ii) Attempts to reduce inherent project risk by breaking a project into smaller segments and providing more ease-of-change during the development process.
(iii) Aims to produce high quality systems quickly, primarily through the use of iterative Prototyping (at any stage of development), active user involvement, and computerized development tools such as Graphical User Interface (GUI) builders, Computer Aided Software Engineering (CASE) tools, Database Management Systems (DBMS), fourth generation programming languages, code generators and object-oriented techniques.
(iv) Key emphasis is on fulfilling the business need, while technological or engineering excellence is of lesser importance.
(v) Project control involves prioritizing development and defining delivery deadlines or "timeboxes." If the project starts to slip, emphasis is on reducing requirements to fit the timebox and not on increasing the deadline.
(vi) Generally includes Joint Application Development (JAD), where users are intensely involved in system design, either through consensus building in structured workshops, or through electronically facilitated interaction.
(vii) Active user involvement is imperative.
(viii) Iteratively produces production software, as opposed to a throwaway prototype.
(ix) Produces documentation necessary to facilitate future development and maintenance.
(x) Standard systems analysis and design techniques can be fitted into this framework.
Strengths:
(i) The operational version of an application is available much earlier than with Waterfall, Incremental, or Spiral frameworks.
(ii) Because RAD produces systems more quickly and to a business focus, this approach tends to produce systems at lower cost.
(iii) Quick initial reviews are possible.
(iv) Constant integration of small modules isolates problems and encourages user feedback.
(v) Holds a greater level of commitment from stakeholders, both business and technical, than Waterfall, Incremental, or Spiral frameworks.
(vi) Concentrates on essential system elements from the user viewpoint.
(vii) Provides the ability to rapidly change system design as demanded by users.
(viii) Produces a tighter fit between user requirements and system specifications.
(ix) Generally produces dramatic savings in time, money and human effort.
Weaknesses:
(i) More speed and lower cost may lead to a lower overall system quality.
(ii) Danger of misalignment of the developed system with the business due to missing information.
(iii) Project may end up with more requirements than needed (gold plating).
(iv) Potential for feature creep, where more and more features are added to the system over the course of development.
(v) Potential for inconsistent designs within and across systems.
(vi) Potential for violation of programming standards related to inconsistent naming conventions and inconsistent documentation.
(vii) Difficulty in module reusability for future systems.
(viii) Potential for the designed system to lack scalability.
(ix) Potential for lack of attention to later system administration needs built into the system.
(x) Formal reviews and audits are more difficult to implement.
(xi) Tendency for difficult problems to be pushed to the future to demonstrate early success to management.
(xii) Since some modules will be completed much earlier than others, well-defined interfaces are required.

(vi) Agile Methodologies

Basic Principles:
1. Group of S/W development methodologies for fast development
2. Iterative and Incremental approach
3. Working S/W is delivered frequently (Build Short - Build Often)
4. Time Box
5. Collaborative, self-organizing, cross-functional team
6. Close co-operation between users and developers
7. Face-to-face conversation
8. Rapid and flexible response to changes
Strengths:
1. Adaptive, can respond to changing requirements
2. Face-to-face communication, no space for guesswork
3. Minimum documentation saves time
4. High quality S/W in minimum time
Weaknesses:
1. Difficult to assess the efforts required for S/W development at the beginning
2. No importance given to necessary design and documentation
3. Verbal communication results in less knowledge transfer for future reference
4. More re-work required
5. Project deviates if the user is not clear about the final objective/outcome
6. Experienced team is required
7. Lacks attention to outside integration


SYSTEM DEVELOPMENT LIFE CYCLE (SDLC)
The System Development Life Cycle (SDLC) key features:
• Sequential in nature. It consists of a set of steps or phases in which each phase of the SDLC uses the results of the previous one.
• Document driven, which means lots of planning and documentation is involved at every stage of the process.
• Deliverables at every stage. A deliverable may be a substantial written document, a software artifact, a system test plan or even a physical object such as a new piece of technology that has been ordered and delivered.
• Process oriented. The whole focus is on defining and following a pre-defined process.
The advantages of this system are as follows:
• Better planning and control by project managers.
• Compliance to prescribed standards ensuring better quality.
• The documentation that SDLC stresses is an important measure of communication and control.
• The phases in SDLC are important milestones and help the project manager and the user for review and signoff.
From the perspective of the IS Audit, the following are the possible advantages:
(i) The IS auditor can have a clear understanding of the various phases of the SDLC on the basis of the detailed documentation created during each phase of the SDLC.
(ii) The IS Auditor, on the basis of his examination, can state in his report about the compliance by the IS management with the procedures, if any, set by the management.
(iii) The IS Auditor, if he has the technical knowledge and ability in the area of SDLC, can be a guide during the various phases of SDLC.
(iv) The IS auditor can provide an evaluation of the methods and techniques used through the various development phases of the SDLC.
Risks/Shortcomings Associated with SDLC:
(i) The development team may find it cumbersome.
(ii) The users may find that the end product is not visible for a long time.
(iii) The rigidity of the approach may prolong the duration of many projects.
(iv) It may not be suitable for small and medium sized projects.

Following is the list of all the phases involved in the System Development Life Cycle, with the activity of each phase:
Phase 1 - Preliminary Investigation: Evaluating the strategic benefits of the system and ensuring that the solution fits the business strategy. Includes cost-benefit analysis of the system.
Phase 2 - Requirement Analysis: Analysing the type of the system on the basis of the users' requirements.
Phase 3 - Systems Design: Designing the system in terms of user interface, data storage and data processing functions on the basis of the requirement phase by developing flowcharts, system and data flow diagrams, screens and reports.
Phase 4 - Systems Development: Programming the system as designed and conducting continuous testing and debugging.
Phase 5 - Systems Testing: Various kinds of testing are conducted before the developed system is implemented, e.g. Unit Testing, Integration Testing and System Testing.
Phase 6 - Systems Implementation and Maintenance: Migration of the system to the live environment and data conversion from the legacy system to the new system. Maintenance includes continuous evaluation of the system as it functions in the live environment and its updation.

I. THE PRELIMINARY INVESTIGATION

Objective: To determine and analyze the strategic benefits in implementing the system through evaluation and quantification of:
- Productivity gains
- Future cost avoidance
- Cost savings, and
- Intangible benefits like increased customer satisfaction.
A preliminary investigation is normally initiated by some sort of system request. The steps involved in the preliminary investigation phase are as follows:
(i) Identification of Problem
(ii) Identification of Objective
(iii) Delineation of Scope
(iv) Feasibility Study
The following issues are typically addressed in the Feasibility Study:
(i) Determine whether the solution is as per the business strategy.
(ii) Determine whether the existing system can rectify the situation without a major modification.
(iii) Define the time frame for which the solution is required.
(iv) Determine the approximate cost to develop the system.
(v) Determine whether the vendor product offers a solution to the problem.
Document / Deliverable: A preliminary investigation report / feasibility report.
(i) Identification of Problem:
- The first step in a software application development is to identify and define the problem clearly and precisely, which is done only after several rounds of discussions with the user group.
- For instance, personnel in a functional area may feel that an existing system is outdated, or a manager wants a new report/information that he claims will lead to better decisions. Shifting business requirements, changing organizational environments, and evolving information technology may render old systems ineffective or inefficient.
- If the need seems genuine, a system analyst is assigned to make a preliminary investigation, and submits all proposals to the steering committee for evaluation to identify those projects that are most beneficial to the organization.
Thus it can be concluded that the purpose of the preliminary investigation is to evaluate the project request. It is neither a design study, nor does it include the collection of details to completely describe the business system. Rather, it relates to the collection of information that permits committee members to evaluate the merits of the project request and make an informed judgment about the feasibility of the proposed project. The analyst working on the preliminary investigation should achieve the following objectives:
• Clarify and understand the project request.
• Determine the size of the project.
• Determine the technical and operational feasibility of alternative approaches.
• Assess costs and benefits of alternative approaches.
• Report findings to the management with recommendation.


(ii) Identification of Objective: After the identification of the problem, it is easy to work out the objectives of the proposed solution. For instance, the inability to provide a convenient reservation system for a large number of intending passengers was the problem of the Railways. So its objective was "to introduce a system wherein intending passengers could book a ticket from source to destination, faster in real-time."
(iii) Delineation (Description) of Scope: The scope of a solution defines its boundaries. The scope should be clear and comprehensible to the user management, stating what will be addressed by the solution and what will not. The following questions should be answered while stating the scope:
(i) Functionality requirements: What functionalities will be delivered through the solution?
(ii) Data to be processed: What data is required to achieve these functionalities?
(iii) Control requirements: What are the control requirements for this application?
(iv) Performance requirements: What level of response time, execution time and throughput is required?
(v) Constraints: What are the conditions the input data has to conform to? For example, what is the maximum number of characters that a name can have in a database?
(vi) Interfaces: Is there any special hardware/software that the application has to interface with? For example, a payroll application may have to capture data from the attendance monitoring system that the company has already installed. Then the solution developer has to understand the format of data, frequency and mode of data transfer and other aspects of the software.
(vii) Reliability requirements: Reliability of an application is measured by its ability to remain uncorrupted in the face of inadvertent / deliberate misuse. The reliability required for an application depends on its criticality.

While producing information to delineate the scope, a few aspects need to be kept in mind:
• Different users will represent the problem and required solution in different ways. The system developer should collect the need from the initiator of the project, alternately called the champion or executive sponsor of the project.
• While the initiator of the project may be a member of the senior management, the actual users may be from the operating levels in an organization. An understanding of their profile helps in designing appropriate user interface features.
• While presenting the proposed solution for a problem, the development team has to clearly quantify the economic benefits to the user organization. The information required has to be gathered at this stage.
• It is also necessary to understand the impact of the solution on the organization: its structure, roles and responsibilities. Solutions which have a wide impact are likely to meet with greater resistance. ERP implementation in organizations is a classic example of a change management requirement. Organizations that have not been able to handle this have had a very poor ERP implementation record, with disastrous consequences.
• While economic benefit is the main consideration when deciding on a solution, several other factors have to be considered from the perspective of the user management and have to be resolved. For example, in a security system, how foolproof it is may be as critical a factor as the economic benefits that entail.


During the preliminary investigation, the analyst collects the data through two primary methods:
a) Reviewing internal documents: The analysts conducting the investigation first try to learn about the organization involved in, or affected by, the project. For example, to review an inventory system proposal, the analyst will try to know how the inventory department operates and who the managers and supervisors are. Analysts can usually learn these details by examining organization charts and studying written operating procedures.
b) Conducting Interviews: Written documents tell the analyst how the systems should operate, but they may not include enough details to allow a decision to be made about the merits of a systems proposal, nor do they present users' views about current operations. Interviews allow analysts to know more about the nature of the project request and the reasons for submitting it. Usually, preliminary investigation interviews involve only management and supervisory personnel.

(iv) Feasibility Study: After possible solution options are identified, project feasibility is determined. A feasibility study is carried out by the system analysts and it refers to a process of evaluating alternative systems through cost/benefit analysis so that the most feasible and desirable system can be selected for development. The Feasibility Study of a system is evaluated under the following dimensions:
• Technical: Is the technology needed available?
• Financial: Is the solution viable financially?
• Economic: Return on Investment?
• Schedule / Time: Can the system be delivered on time?
• Operational: How will the solution work?
• Human resource feasibility: Availability of skilled people for the new system
• Behavioral: Is the solution going to bring any adverse effect on quality of work life?
• Legal: Is the solution valid in legal terms?

(i) Technical Feasibility: It is concerned with issues pertaining to hardware and software. Essentially, an analyst ascertains whether the proposed system is feasible with existing or expected computer hardware and software technology. The technical issues usually raised during the feasibility stage of investigation include the following:
• Does the necessary technology exist to do what is suggested (and can it be acquired)?
• Does the proposed equipment have the technical capacity to hold the data required to use the new system?
• Can the proposed application be implemented with existing technology?
• Will the proposed system provide adequate responses to inquiries, regardless of the number or location of users?
• Can the system be expanded if developed?
• Are there technical guarantees of accuracy, reliability, ease of access, and data security?

Some of the technical issues to be considered are given in the table below (design consideration: design alternatives).
- Channel configuration: Point to point, multidrop, or line sharing
- Communications channels: Telephone lines, coaxial cable, fiber, microwave or satellite
- Computer programs: Independent vendor or in-house
- Data storage medium: Tape, floppy disk, hard disk, or hard copy
- Data storage structure: Files or database
- File organization and access: Direct access or sequential files
- Input medium: Keying, OCR, MICR, POS, EDI, or voice recognition
- Operations: In-house or outsourcing
- Output frequency: Instantaneous, hourly, daily, weekly, or monthly
- Output medium: CRT, hard copy, voice, or turn-around document
- Output scheduling: Pre-determined times or on demand
- Printed output: Pre-printed forms or system-generated forms
- Processor: Micro, mini, or mainframe
- Transaction processing: Batch or online
- Update frequency: Instantaneous, hourly, daily, weekly, or monthly


(ii) Financial Feasibility: The solution proposed may be prohibitively costly for the user organization. For example, monitoring the stock through a VSAT network connecting multiple locations may be acceptable for an organization with high turnover, but this may not be a viable solution for smaller ones.

(iii) Economic Feasibility/Cost-Benefit Analysis: It includes an evaluation of all the incremental costs and benefits expected if the proposed system is implemented. The financial and economic questions raised by analysts during the preliminary investigation are for the purpose of estimating the following:
a) Cost of conducting a full systems investigation.
b) Cost of hardware and software for the class of applications being considered.
c) Benefits in the form of reduced costs or fewer costly errors.
d) Cost if nothing changes (i.e., the proposed system is not developed).

Estimating costs and benefits: After possible solution options are identified, an analyst should make a primary estimate of each solution's costs and benefits.

Cost: System costs can be subdivided into Development, Operational and Intangible costs.
- Development costs for a computer based information system include costs of the system development process such as salaries of the system analysts and computer programmers; cost of converting and preparing data files and preparing the systems manual and other supportive documents; cost of preparing new or expanded computer facilities; cost of testing and documenting the system, training employees, and other start-up costs.
- Operating costs of a computer based information system include hardware/software rental or maintenance charges; salaries of computer operators and other data processing personnel who will operate the new system; salaries of system analysts and computer programmers who perform the system maintenance function; cost of input data preparation and control; cost of data processing supplies; and cost of maintaining proper physical facilities including power, light, heat, air conditioning, building rental or other facility charges and equipment and building maintenance charges etc.
- Intangible costs are costs that cannot be easily measured. For example, the development of a new system may disrupt the activities of an organization and cause a loss of employee productivity or morale. Customer sales and goodwill may be lost by errors made during the installation of a new system.

Benefits: The benefits which result from developing new or improved information systems that utilize EDP can be subdivided into tangible and intangible benefits. Tangible benefits are those that can be accurately measured and are directly related to the introduction of a new system, such as a decrease in data processing cost. Intangible benefits such as improved business image are harder to measure and define.

(iv) Schedule or Time Feasibility: Schedule feasibility involves the design team's estimating how long it will take a new or revised system to become operational and communicating this information to the steering committee. For example, if a design team projects that it will take 16 months for a particular system design to become fully functional, the steering committee may reject the proposal in favor of a simpler alternative that the company can implement in a shorter time frame.

(v) Resources Feasibility: This focuses on human resources. Implementing sophisticated software solutions becomes difficult in non-metro locations because of the reluctance of skilled personnel to move to such locations.

(vi) Operational Feasibility: It is concerned with ascertaining the views of workers, employees, customers and suppliers about the use of the computer facility. A system can be highly feasible in all respects except the operational and fail miserably because of human problems. Some of the questions which help in testing the operational feasibility of a project are stated below:


- Is there sufficient support for the system from management and from users?
- Are current business methods acceptable to users?
- Have the users been involved in planning and development of the project?
- Will the proposed system cause harm? Will it produce poorer results in any respect or area? Will loss of control result in any areas? Will accessibility of information be lost?
- Will individual performance be poorer after implementation than before?
In general, the greater the requirements for change in the user environment in which the system will be installed, the greater the risk of implementation failure.

(vii) Behavioral Feasibility: It refers to the human aspect of the new system, i.e. how the new system environment affects the work culture.

(viii) Legal Feasibility: Legal feasibility is largely concerned with whether there will be any conflict between a newly proposed system and the organization's legal obligations. Any system which violates the local legal requirements should also be rejected. For example, a revised system should comply with all applicable federal and state statutes about financial reporting requirements, as well as the company's contractual obligations.

Reporting Results to Management:
- After the analyst articulates the problem and its scope, he provides one or more solution alternatives and estimates the cost and benefits of each alternative, and reports these results to the management.
- The report should be accompanied by a short cover letter that summarizes the results and makes the recommendation regarding further procedures.
- From the analyst's report, management should determine what to do next. Not all projects submitted for evaluation and review are accepted. Requests that fail to pass the feasibility test are not pursued further unless they are reworked and resubmitted as new proposals.
- In some cases, only a part of the project is actually unworkable and the steering committee may decide to combine the workable part of the project with another feasible proposal. In certain other cases, preliminary investigation produces new information to suggest that improvements in management and supervision, and not the development of information systems, are the actual solutions to the reported problems.

II. SYSTEM REQUIREMENT ANALYSIS

Objectives: This phase includes a thorough and detailed understanding of the current system, identifies the areas that need modification to solve the problem, determines the user/managerial requirements and gives a fair idea about various systems development tools. The following activities are performed in this phase:
• To identify the stake owners.
• To consult the stake owners to determine their expectations and resolve their conflicts.
• To analyse requirements to detect and correct conflicts and determine priorities.
• To verify that the requirements are complete, consistent, unambiguous, verifiable, testable and traceable.
• To gather data or find facts using tools like interviewing, research/document collection, questionnaires and observation.
• To model activities, such as developing models to document Data Flow Diagrams, ER Diagrams (Entity Relationship Diagrams) and the data dictionary.
• To document activities such as interviews, questionnaires, reports etc.

Document/Deliverable: A Systems Requirements Specification (SRS) report.


Fact finding Techniques: Various fact-finding techniques, which are used by the system analyst for determining the needs/requirements, are briefly discussed below:
(i) Documents: Document means manuals, input forms, output forms, diagrams of how the current system works, organization charts showing the hierarchy of users and manager responsibilities, job descriptions for the people who work with the current system, procedure manuals, program codes for the applications associated with the current system, etc. Documents are a very good source of information about user needs and the current system.
(ii) Questionnaires: Users and managers are asked to complete a questionnaire about the information system when the traditional system development approach is chosen. The main strength of questionnaires is that a large amount of data can be collected from a variety of users quickly.
(iii) Interviews: Users and managers may also be interviewed to extract information in depth. The data gathered through interviews often provide the systems developer with a complete picture of the problems and opportunities. Interviews also give the analyst the opportunity to note user reaction first-hand and to probe for further information.
(iv) Observation: In prototyping approaches, observation plays a central role in requirement analysis. Only by observing how users react to prototypes of a new system can the system be successfully developed.

Analysis of the Present System
Detailed investigation of the present system involves collecting, organizing and evaluating facts about the system and the environment in which it operates. There should be enough information assembled so that a qualified person can understand the present system without visiting any of the operating departments. The survey of existing methods, procedures, data flow, outputs, files, input and internal controls should be intensive in order to fully understand the present system and its related problems.

The following areas should be studied in depth:
(i) Review historical aspects: Review the organizational historical facts to identify the major turning points and milestones that have influenced its growth. A review of annual reports and the organization chart can identify the growth as well as the development of various management levels, functional areas and departments. The system analyst should investigate what system changes have occurred in the past that have been successful or unsuccessful.
(ii) Analyze inputs: A detailed analysis of present inputs is important since they are basic to the manipulation of data. Source documents are used to capture the originating data for any type of system. The system analyst should be aware of the various sources from where the data are initially captured, keeping in view the fact that outputs for one area may serve as an input for another area. The system analyst must understand the nature of each form, what is contained in it, who prepared it, from where the form is initiated, where it is completed, the distribution of the form and other similar considerations.
(iii) Review data files maintained: The analyst should investigate the data files maintained by each department, noting their number and size, where they are located, who uses them and the number of times per given time interval these are used. Information on common data files and their size will be an important factor which will influence the new information system. This information may be contained in the systems and procedures manuals. The system analyst should also review all on-line and off-line files which are maintained in the organization, as it will reveal information about data that are not contained in any outputs.

(iv) Review methods, procedures and data communications: Methods and procedures transform input data into useful output. A method is defined as a way of doing something; a procedure is a series of logical steps by which a job is accomplished. A procedure review is an intensive survey of the methods and the steps by which each job is accomplished, the equipment utilized and the actual location of the operations. Its basic objective is to eliminate unnecessary tasks or to locate improvement opportunities in the present information system. A system analyst also needs to review and understand the present data communications used by the organization. He must review the types of data communication equipment including data interfaces, data links, modems, dial-up and leased lines and multiplexers.
(v) Analyze outputs: The outputs or reports should be examined carefully by the system analysts in order to determine how well they will meet the organization's needs. The analysts must understand what information is needed and why, who needs it and when and where it is needed.
(vi) Review internal controls: Locating the control points helps the analyst to visualize the essential parts and framework of a system. An examination of the present system of internal controls may indicate weaknesses that should be removed in the new system. The adoption of advanced methods, procedures and equipment might allow much greater control over the data.
(vii) Model the existing physical system and logical system: The logic of inputs, methods, procedures, data files, data communications, reports, internal controls and other important items is reviewed and analyzed in a top-down manner. The process must be properly documented in the form of flow charts and diagrams. It allows a thorough comprehension of the numerous details and related problems in the present operation.
(viii) Undertake overall analysis of present system: Based upon the aforesaid investigation of the present information system, the final phase of the detailed investigation includes the analysis of the present work volume, the current personnel requirements, and the present benefits and costs; each of these must be investigated thoroughly.

Systems Analysis of Proposed Systems
After each functional area of the present information system has been carefully analyzed, the proposed system specifications must be clearly defined. While defining such specifications, consideration should be given to the strengths and shortcomings of the present system. The required systems specifications, which should be in conformity with the project's objectives, are as follows:
- Outputs produced with great emphasis on timely managerial reports that utilize the 'management by exception' principle.
- Database maintained with great focus on online processing capabilities.
- Input data prepared directly from original source documents for processing by the computer system.
- Methods and procedures that show the relationship of inputs and outputs to the database, utilizing data communications where deemed appropriate.
- Work volumes and timings carefully considered for present and future periods including peak periods.
The starting point for compiling these specifications is output. After outputs have been determined, it is possible to infer what inputs, database, methods, procedures and data communications must be employed. The output-to-input process is recommended since outputs are related directly to the objectives of the organization. The future workload of the system must be defined for inputs, database and outputs in terms of average loads, peak loads and trends.


System Development Tools
Many tools and techniques have been developed to improve current information systems and to develop new ones. Such tools help end users and systems analysts to:
- conceptualize, clarify, document and communicate the activities and resources involved in the organization and its information systems;
- analyze present business operations, management decision making and information processing activities of the organization;
- propose and design new or improved information systems to solve business problems or pursue business opportunities that have been identified.
Many systems development tools take the form of diagrams and other graphic representations. The major tools used for system development can be grouped into four categories based on broader features. These are as follows:
(I) System components and flows: These tools help the system analysts to document the data flow among the major resources and activities of an information system. System flow charts are typically used to show the flow of data media as they are processed by the hardware devices and manual activities. A data flow diagram uses a few simple symbols to illustrate the flow of data among external entities (such as people or organizations, etc.), processing activities and data storage elements. A system component matrix provides a matrix framework to document the resources used, the activities performed and the information produced by an information system.
(II) User interface: Designing the interface between end users and the computer system is a major consideration of a system analyst while designing the new system. Layout forms and screens are used to construct the formats and contents of input/output media and methods. Dialogue flow diagrams analyze the flow of dialogue between computers and people. They document the flows among different display screens generated by alternative end user responses to menus and prompts.
(III) Data attributes and relationships: The data resources in an information system are defined, catalogued and designed by this category of tools. A Data Dictionary catalogues the description of the attributes (characteristics) of all data elements and their relationships to each other as well as to external systems. Entity-Relationship diagrams are used to document the number and type of relationships among the entities in a system. File layout forms document the type, size and names of the data elements in a system. Grid charts help in identifying the use of each type of data element in input/output or storage media of a system.
(IV) Detailed system process: These tools are used to help the programmer develop the detailed procedures and processes required in the design of a computer program. Decision trees and decision tables use a network or tabular form to document the complex conditional logic involved in choosing among the information processing alternatives in a system. Structure charts document the purpose, structure and hierarchical relationships of the modules in a program.

We will now describe some of these tools in detail:
(i) Structured English: Structured English, also known as Program Design Language (PDL) or Pseudo Code, is the use of the English language with the syntax of structured programming. Thus, Structured English aims at getting the benefits of both programming logic and natural language: the programming logic helps to attain precision, and the natural language gives the convenience of spoken languages.


(ii) Flowcharts: Flowcharting is a graphic technique that can be used by analysts to represent the inputs, outputs and processes of a business in a pictorial form. It is a common type of chart, which represents an algorithm or process showing the steps as boxes of various kinds, and their order by connecting these with arrows. Flowcharts are used in analyzing, designing, documenting or managing a process or program in various fields.

(iii) Data Flow Diagrams: A Data Flow Diagram uses a few simple symbols to illustrate the flow of data among external entities (such as people or organizations, etc.), processing activities and data storage elements. A DFD is composed of four basic elements: Data Sources and Destinations, Data Flows, Transformation processes, and Data stores. These four symbols are combined to show how data are processed.
- Data source and data destination: The people and organizations that send data to and receive data from the system are represented by square boxes called Data destinations or Data Sinks.
- Data flows: The flow of data into or out of a process is represented by curved or straight lines with arrows.
- Transformation process: The processes that transform data from inputs to outputs are represented by circles, often referred to as bubbles.
- Data stores: The storage of data is represented by two horizontal lines.

(iv) Decision Tree: A Decision Tree (or tree diagram) is a support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility. Decision trees are commonly used in operations research, specifically in decision analysis, to help identify a strategy most likely to reach a goal and to calculate conditional probabilities.

(v) Decision Table: A Decision Table is a table which may accompany a flowchart, defining the possible contingencies that may be considered within the program and the appropriate course of action for each contingency. Decision tables are necessitated by the fact that branches of the flowchart multiply at each diamond (comparison symbol) and may easily run into scores and even hundreds. If, therefore, the programmer attempts to draw a flowchart directly, he is liable to miss some of the branches. The four parts of the decision table are as follows:
(i) Condition Stub: comprehensively lists the comparisons or conditions;
(ii) Action Stub: comprehensively lists the actions to be taken along the various program branches;
(iii) Condition entries: list, in the various columns, the possible permutations of answers to the questions in the condition stub; and
(iv) Action entries: list, in the columns corresponding to the condition entries, the actions contingent upon the set of answers to the questions of that column.


Example: No charges are reimbursed to the patient until the deductible has been met. After the deductible has been met, reimburse 50% for Doctor's Office visits or 80% for Hospital visits. There will be 4 rules:
(i) The first condition (Is the deductible met?) has two possible outcomes: yes or no.
(ii) The second condition (type of visit) has two possible outcomes: Doctor's office visit (D) or Hospital visit (H).
Two times two is four.

Solution:

Conditions                Rule 1   Rule 2   Rule 3   Rule 4
1. Deductible met?          Y        Y        N        N
2. Type of visit            D        H        D        H
Actions
1. Reimburse 50%            X
2. Reimburse 80%                     X
3. No reimbursement                           X        X
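The reimbursement table above, evaluated and checked for completeness in Python. This is an added example, not part of the original notes; the condition keys, rule encoding and function names are my own.

```python
"""Decision-table evaluator for the reimbursement example.

Added example, not part of the original notes. It encodes the four-rule
table (deductible met? / type of visit) and also checks the table for
gaps and contradictions, which is exactly what a decision table is meant
to make visible when flowchart branches multiply.
"""
from itertools import product

# Condition stub: each condition name maps to its possible entries.
CONDITIONS = {
    "deductible_met": ("Y", "N"),
    "visit_type": ("D", "H"),   # D = Doctor's office, H = Hospital
}

# Action stub.
ACTIONS = ("Reimburse 50%", "Reimburse 80%", "No reimbursement")

# Rules: one (condition entries, action entries) pair per table column.
RULES = [
    ({"deductible_met": "Y", "visit_type": "D"}, {"Reimburse 50%"}),
    ({"deductible_met": "Y", "visit_type": "H"}, {"Reimburse 80%"}),
    ({"deductible_met": "N", "visit_type": "D"}, {"No reimbursement"}),
    ({"deductible_met": "N", "visit_type": "H"}, {"No reimbursement"}),
]


def matching_rules(case, rules=RULES):
    """Return the 1-based column numbers of the rules whose condition
    entries all agree with `case`. A '-' entry matches any value."""
    hits = []
    for idx, (entries, _actions) in enumerate(rules, start=1):
        if all(v == "-" or case.get(k) == v for k, v in entries.items()):
            hits.append(idx)
    return hits


def decide(case, rules=RULES):
    """Evaluate one case. Raises if no rule or more than one rule applies,
    so a gap or a contradiction surfaces instead of silently picking one."""
    hits = matching_rules(case, rules)
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} rules match {case}: {hits}")
    return sorted(rules[hits[0] - 1][1])


def check_table(conditions=CONDITIONS, rules=RULES):
    """Completeness check: every permutation of condition entries must be
    covered by exactly one rule. Returns (uncovered, ambiguous) cases."""
    names = list(conditions)
    uncovered, ambiguous = [], []
    for combo in product(*(conditions[n] for n in names)):
        case = dict(zip(names, combo))
        n = len(matching_rules(case, rules))
        if n == 0:
            uncovered.append(case)
        elif n > 1:
            ambiguous.append(case)
    return uncovered, ambiguous


def reimbursement(deductible_met, visit_type, amount):
    """Apply the table to a claim and return the amount reimbursed."""
    actions = decide({"deductible_met": "Y" if deductible_met else "N",
                      "visit_type": visit_type})
    rate = {"Reimburse 50%": 0.5, "Reimburse 80%": 0.8,
            "No reimbursement": 0.0}[actions[0]]
    return round(amount * rate, 2)


if __name__ == "__main__":
    print(check_table())                   # ([], []): complete, unambiguous
    print(reimbursement(True, "H", 1000))  # 800.0
    # Dropping rule 4 leaves the N/H permutation uncovered:
    print(check_table(rules=RULES[:3]))
```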

(vi) CASE (Computer-Aided Software Engineering) Tools:
- CASE tools refer to software which helps to automatically develop high quality, defect free and maintainable software.
- CASE tools automate methods for designing, documenting, and producing structured computer code in the desired programming language.
- For example, the data flow diagrams and system flow charts that programmers review are commonly generated by systems developers using the on-screen drawing modules found in CASE software packages.
- CASE refers to the automation of anything that humans do to develop systems and supports virtually all phases of the system development process. For example, these packages can be used to create complete and internally consistent requirements specifications.
- Some of the features that various CASE products possess are: Data Dictionary tools; Computer aided Diagramming Tools; Screen and Report generator; Prototyping tools; Code Generation; and Reverse Engineering.

(vii) System Components matrix:
- A System Component Matrix provides a matrix framework to document the resources used, the activities performed and the information produced by an information system.
- It can be used as an information system framework for both systems analysis and system design.
- It views the information system as a matrix of components that shows how the basic activities of input, processing, output, storage and control are done in a system, and how the use of hardware, software and people resources can convert data resources into information products.
The table below illustrates the use of a system component matrix to document the basic components of a sales processing and analysis system in an organization. The columns are hardware resources (machines, media), software resources (programs, procedures), people resources (specialists, users), data resources and information products; each row is one information systems activity.

Input
- Hardware resources: Machines: POS terminals; Media: Bar tags, mag strip cards
- Software resources: Programs: Data entry program; Procedures: Data entry procedures
- People resources: Users: Sales clerk, customers
- Data resources: Customer data, product data
- Information products: Data entry display

Processing
- Hardware resources: Machines: Mainframe computers
- Software resources: Programs: Sales processing program, sales analyses program; Procedures: Sales transaction procedures
- People resources: Specialists: Computer operators
- Data resources: Customer, inventory & sales database
- Information products: Processing status display

Output
- Hardware resources: Machines: POS terminals, management workstations; Media: Paper
- Software resources: Programs: Report generator program, graphic program; Procedures: Output use and distribution procedures
- People resources: Users: Sales clerk, managers, customers
- Data resources: Customer, inventory & sales database
- Information products: Sales reports & receipts, sales analyses reports

Storage
- Hardware resources: Machines: Magnetic disk drive; Media: Magnetic disk packs
- Software resources: Programs: Database management system
- People resources: Specialists: Computer operators
- Data resources: Customer, inventory & sales database

Control
- Hardware resources: Machines: POS terminals, management workstations; Media: Paper documents & control reports
- Software resources: Programs: Performance & security monitoring program; Procedures: Correction procedures
- People resources: Specialists: Computer operators, control clerks; Users: Sales clerk
- Information products: Data entry display, sales receipts, error display

(viii) Data Dictionary: A data dictionary is a computer file that contains detailed information about the data items in the files/database of a business information system. Thus, a data dictionary is data about data and is also called meta-data. Each record of a data dictionary contains information about a single data item used in a business information system. This information may include:
o the identity of the source documents used to create the data item
o the names of the computer files that store the data item
o the names of the computer programs that modify the data item
o the identity of the computer programs or individuals permitted to access the data item for the purpose of file maintenance, upkeep, or inquiry
o the identity of the computer programs or individuals not permitted to access the data item, etc.
- As new data fields are added to the record structure of a business file, information about each new data item is used to create a new record in the data dictionary.
- Similarly, when new computer programs are created which access data items in existing files, the data dictionary is updated.
- Finally, when data fields are deleted from the structure of a file/database, their corresponding records in the data dictionary are also dropped.
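An added example, not from these notes, modelling the data dictionary records described above in Python: the lifecycle updates (field added, program added, field dropped), the permitted/not-permitted access entries, and the audit trail that accountants and auditors derive from a data item's sources, modifying programs and reports. The item names, file names and program names are constructed for illustration.

```python
"""A data dictionary as meta-data, with access entries and an audit trail.

Added example, not part of the original notes. Every name below
(CUSTOMER_BALANCE, AR_POSTING, CUSTOMER.DAT, ...) is a constructed
sample value for a sales/receivables system.
"""
from dataclasses import dataclass, field


@dataclass
class DataItem:
    """One record of the dictionary: information about a single data item."""
    name: str
    source_documents: list   # documents the item is originally captured from
    files: list              # computer files that store the item
    modified_by: list        # programs that modify the item
    allowed: set             # programs / individuals permitted to access it
    denied: set = field(default_factory=set)     # explicitly not permitted
    reports: list = field(default_factory=list)  # reports where it is output


class DataDictionary:
    def __init__(self):
        self._items = {}

    def add_item(self, item):
        """New data field added to a file's record structure -> new record."""
        if item.name in self._items:
            raise KeyError(f"{item.name} already defined")
        self._items[item.name] = item

    def drop_item(self, name):
        """Field deleted from the file/database -> its record is dropped."""
        return self._items.pop(name)

    def register_program(self, program, item_names, modifies=False):
        """New program written against existing items -> dictionary updated."""
        for n in item_names:
            item = self._items[n]
            item.allowed.add(program)
            if modifies and program not in item.modified_by:
                item.modified_by.append(program)

    def may_access(self, who, item_name):
        """Deny wins over allow: an explicit 'not permitted' entry blocks
        access even if the same name also appears in the permitted set."""
        item = self._items[item_name]
        return who not in item.denied and who in item.allowed

    def audit_trail(self, item_name):
        """Sources -> files -> modifying programs -> reports, the chain an
        auditor follows to see where a reported figure came from."""
        item = self._items[item_name]
        return {"sources": list(item.source_documents),
                "stored_in": list(item.files),
                "modified_by": list(item.modified_by),
                "reported_in": list(item.reports)}

    def items_modified_by(self, program):
        """Reverse lookup: every data item a given program can change."""
        return sorted(n for n, i in self._items.items()
                      if program in i.modified_by)


def build_sample_dictionary():
    """Constructed sample: two data items of a sales system."""
    dd = DataDictionary()
    dd.add_item(DataItem(
        name="CUSTOMER_BALANCE",
        source_documents=["Sales invoice", "Receipt voucher"],
        files=["CUSTOMER.DAT"],
        modified_by=["AR_POSTING"],
        allowed={"AR_POSTING", "AR_ENQUIRY", "credit_manager"},
        denied={"sales_clerk"},
        reports=["Aged receivables report"]))
    dd.add_item(DataItem(
        name="PRODUCT_PRICE",
        source_documents=["Price list"],
        files=["PRODUCT.DAT"],
        modified_by=["PRICE_MAINT"],
        allowed={"PRICE_MAINT", "POS_ENTRY"}))
    return dd


if __name__ == "__main__":
    dd = build_sample_dictionary()
    print(dd.may_access("credit_manager", "CUSTOMER_BALANCE"))  # True
    print(dd.may_access("sales_clerk", "CUSTOMER_BALANCE"))     # False
    print(dd.audit_trail("CUSTOMER_BALANCE"))
```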

Fig. below shows a sample record from a data dictionary, which is basically a file about data. Each file record contains information about one data field used in other files.

Accountants and auditors can also make good use of a data dictionary. For example, a data dictionary can help establish an audit trail because it can identify the input sources of data items, the computer programs that modify particular data items, and the managerial reports in which the data items are used as output.

(ix) Layout form and Screen Generator, Menu Generator, Report Generator, Code Generator
Layout form and Screen Generator: These consist of templates or pre-printed electronic forms on which the size and placement of titles, headings, data and information can be designed. Layout forms and screens are used to design source documents, input/output and storage records, files and output displays and reports.

Sample layout form: Customer Order Report

Date: MM/DD/YY    Order Number: 9999    Customer Name: XXXXXXXXXXXXXXXXXXXXXXX

Catalog Number    Available    Location    Cost      Stock Level
XXXXXXXXXXXXX     X            XXXXXXX     999.99    99999
XXXXXXXXXXXXX     X            XXXXXXX     999.99    99999
XXXXXXXXXXXXX     X            XXXXXXX     999.99    99999
XXXXXXXXXXXXX     X            XXXXXXX     999.99    99999

Menu Generator: A menu generator outlines the functions which the system is aimed to accomplish. A menu may be linked to other submenus that will enable the user to understand how the screens and sub-screens will be used for data entry or inquiry.
Report Generator: A report generator has the capacity to perform similar functions as found in screen generators for designing new report formats. In addition, it can also indicate totals, paging, sequencing and page breaks in creating samples of the desired report.
Code Generator: A code generator allows the analyst to generate modular units of source code from the high level specifications provided by the system analyst and plays a significant role in the systems development process.

Systems specifications: At the end of the analysis phase the system analyst prepares a document called "systems requirement specifications (SRS)" which contains the following:
1. Introduction: Goals and objectives of the software and context of the new system.
2. Information description: Problem description, information content flow and structure, hardware, software and human interface for internal and external systems elements.
3. Functional description: Diagrammatic representations of functions, processing narrative of each function, relationship among functions, design constraints. The complete description of the functions to be performed by the software specified in the SRS will assist the potential users to determine if the software specified meets their needs or how the software must be modified to meet their needs.
4. Behavioral description: This shows the response to external factors/events and internal controls.
5. Validation criteria: Organizations can develop their validation and verification plans much more productively from a good SRS. The class of test to be performed to validate functions, performance and constraints can also be decided accordingly.
6. Appendix: Data flow diagrams, tables, algorithms, graphs, charts etc.
7. SRS Review: It contains the following:
o The development team makes a presentation to the user/client and then hands over the SRS document to the user/client for review.
o This review helps the user/client to judge the development team's understanding of the existing processes. The user should sign the document only after ensuring that the SRS document represents existing/required processes accurately. This is a technical requirement of the contract between the users and the development team/organization.


Roles involved in SDLC:
(i) Steering committee: Functions
- To provide overall direction
- To ensure appropriate representation of all users/departments
- To monitor cost and schedule
- To conduct meetings to track the progress of the project
- To take corrective actions like rescheduling, re-staffing etc
(ii) Project manager:
- A project manager is responsible for the overall coordination and direction.
- He can have several projects under him at any point of time.
- He has to liaise with the client and coordinate with his team and project leader.
- He has to deliver the project within the time and budget allocated to him.
(iii) Project leader:
- A project leader generally has one project under him at any point of time.
- He is more dedicated and directly involved in the project and reviews the project more frequently than the project manager.
- The entire project team reports to him.
(iv) Systems analyst / Business analyst:
- The main responsibility of the systems analyst is to understand the user/client requirement and convey it to the development team.
- He is the main link between the user and the programmer.
(v) Team leader / Module leader:
- Each project is divided into several manageable modules and the development of each module is assigned to a module leader.
- For example, while developing a financial accounting application, Treasury, Accounts payable and Accounts receivable can be identified as separate modules and assigned to different module leaders.
- They are responsible for the delivery of tested modules within the allowed time and cost.
(vi) Programmer / Code developer:
- The programmer is the mason of the software industry who converts design into programs by coding in programming languages.
- He is also responsible for debugging.
(vii) Database administrator (DBA):
- The data in a database environment has to be maintained by a specialist called the DBA so as to support the application programs.
- The DBA handles multiple projects; ensures the integrity and security of information stored in the database and also helps the application development team with database performance issues.
- Inclusion of new data elements has to be done only with the approval of the database administrator.
(viii) Quality Assurance:
- This team sets the standards for development, and checks how the project teams are complying with these standards on a periodic basis.
- Any quality assurance person who has participated in the development process shall not be viewed as “independent” to carry out quality audits.
(ix) Tester:
- A tester is a junior level quality assurance person attached to a project who tests programs and subprograms as per the plan given by the module / project leaders and prepares test reports.


(x) Domain Specialist:
- Whenever a project team has to develop an application in a field that is new to them, they take the help of a domain specialist.
- For example, if a team undertakes application development in Insurance, about which they have little knowledge, they may seek the assistance of an Insurance expert at different stages. This makes it easier to anticipate or interpret user needs.
- A domain specialist need not have knowledge of software systems.
(xi) IS Auditor:
- As a member of the team, the IS Auditor ensures that the application development also focuses on the control perspective.
- He should be involved at the Design Phase and the final Testing Phase to ensure the existence and the operation of the controls in the new software.

III. SYSTEMS DESIGN

After the completion of requirements analysis for a system, the systems design activity takes place for the alternative which is selected by management.

Objective: Design an Information System that best satisfies the user / managerial requirements. In addition, the design also
- describes the parts of the system and their interaction,
- sets out how the system shall be implemented using the selected hardware, software and network facilities,
- specifies the program and the database specifications and the security plan, and
- specifies the change control mechanism to prevent uncontrolled entry of new requirements.

Activities: Key design phase activities include
- Describing inputs and outputs, such as screen design and reports
- Determining the processing steps and computation rules for the new solution
- Determining data file or database system design
- Preparing the program specifications for the various types of requirements, and
- Internal / external controls.

Document / Deliverable: Creates a ‘blueprint’ for the design with the necessary specifications for the hardware, software, people and data resources.

System design involves first logical design and then physical construction of a system. The logical design of an information system is like an engineering blueprint; it shows the major features of the system and how they are related to one another. Physical construction of the system is done after the logical design. Design specifications instruct programmers about what the system should do. The programmers, in turn, write the programs that accept input from users, process data, produce the reports, and store data in the files. Once the detailed design is completed, the design is distributed to the system developers for coding.

The design phase involves the following steps:
(i) Architectural Design
(ii) Design of the Data / Information Flow
(iii) Design of the Database
(iv) Design of the User-interface
(v) Physical Design; and
(vi) Design of the hardware/system software platform

(i) Architectural Design

Architectural design deals with the organization of applications in terms of a hierarchy of modules and sub-modules. At this stage, we identify
- major modules,
- function and scope of each module,
- interface features of each module, and
- modules that each module can call directly or indirectly.
The architectural design is made with the help of a tool called Functional Decomposition which can be used to represent hierarchies as shown in the figure below. It has three elements: Module, Connection and Couple. A module is represented by a box and a connection between modules by an arrow. A couple is a data element that moves from one module to another and is shown by an arrow with a circular tail.

[Figure: Functional decomposition diagram]
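The functional decomposition above expressed as data, as an added example that is not code from the study notes: modules and their connections in a dictionary, couples as (caller, callee, data element) triples. The payroll module names and couples are constructed for illustration. From this the items the text asks the designer to identify are computed: direct callees, the modules each module can call directly or indirectly, and each module's interface in terms of the couples entering and leaving it, plus two sanity checks (undefined modules, call cycles) and a fan-out count as a simple coupling measure.

```python
"""Added example (not from the study notes): a functional decomposition
represented as data, with the reachability computation the text describes
("modules that each module can call directly or indirectly"). Module names,
connections and couples are constructed for a hypothetical payroll program."""

from collections import deque

# Connections: module -> modules it calls directly (arrows in the diagram).
CONNECTIONS = {
    "payroll_main": ["read_employees", "compute_pay", "print_payslips"],
    "read_employees": ["validate_record"],
    "compute_pay": ["compute_gross", "compute_deductions"],
    "compute_deductions": ["lookup_tax_rate"],
    "compute_gross": [],
    "lookup_tax_rate": [],
    "validate_record": [],
    "print_payslips": [],
}

# Couples: data elements moving between modules (arrow with circular tail),
# as (caller, callee, data element). Constructed sample.
COUPLES = [
    ("payroll_main", "read_employees", "file_name"),
    ("read_employees", "payroll_main", "employee_list"),
    ("payroll_main", "compute_pay", "employee"),
    ("compute_pay", "payroll_main", "net_pay"),
    ("compute_pay", "compute_deductions", "gross_pay"),
    ("compute_deductions", "lookup_tax_rate", "gross_pay"),
    ("lookup_tax_rate", "compute_deductions", "tax_rate"),
]


def direct_callees(module, connections=CONNECTIONS):
    """Modules that `module` can call directly."""
    return list(connections.get(module, []))


def reachable(module, connections=CONNECTIONS):
    """Modules that `module` can call directly or indirectly: breadth-first
    walk of the call hierarchy. The result excludes the module itself unless
    there is a cycle back to it."""
    seen = set()
    queue = deque(connections.get(module, []))
    while queue:
        m = queue.popleft()
        if m in seen:
            continue
        seen.add(m)
        queue.extend(connections.get(m, []))
    return seen


def fan_out(module, connections=CONNECTIONS):
    """Number of direct connections out of a module: one crude proxy for the
    coupling that the design principles ask to keep low."""
    return len(connections.get(module, []))


def interface(module, couples=COUPLES):
    """Interface features of a module, read off the couples: returns
    (inputs, outputs) as sorted lists of data element names."""
    inputs = sorted({d for src, dst, d in couples if dst == module})
    outputs = sorted({d for src, dst, d in couples if src == module})
    return inputs, outputs


def check_hierarchy(connections=CONNECTIONS):
    """Sanity checks on the diagram: every module referenced is defined, and
    no module can (directly or indirectly) call itself."""
    problems = []
    for caller, callees in connections.items():
        for c in callees:
            if c not in connections:
                problems.append(f"{caller} calls undefined module {c}")
    for m in connections:
        if m in reachable(m, connections):
            problems.append(f"cycle through {m}")
    return problems


if __name__ == "__main__":
    for m in CONNECTIONS:
        print(f"{m:20} fan-out={fan_out(m)} reaches={sorted(reachable(m))}")
    print("interface(compute_deductions) =", interface("compute_deductions"))
    print("problems:", check_hierarchy())
```

The same functions run unchanged over a real decomposition once it is entered as data; a cycle reported by `check_hierarchy` is the thing to resolve before the hierarchy is handed to module leaders.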

(ii) Design of Data / Information Flow

The design of the data and information flows is a major step in the conceptual design of the new system. In designing the data / information flow for the proposed system, the inputs that are required are
- existing data / information flows,
- problems with the present system, and
- objectives of the new system.
All these have been identified in the analysis phase and documented in the Software Requirements Specification (SRS).

(iii) Design of Database

Design of the database involves determining its scope, i.e. local database vs. global structure. The scope is decided on the basis of interdependence among organizational units. The greater the interdependence, the greater will be the need for a global database. The design of the database involves four major activities:

Design activity: Conceptual modelling
Explanation: A conceptual data model is developed based on the data requirements for the application that is being developed.

Design activity: Data modelling
Explanation: Conceptual models need to be translated into data models so that they can be accessed and manipulated by both high-level and low-level programming languages.

Design activity: Storage structure design
Explanation: Decisions must be made on how to linearize and partition the data structure so that it can be stored on some device.

Design activity: Physical layout design
Explanation: Decisions must be made on how to distribute the storage structure across specific storage media and locations, for example the cylinders, tracks and sectors on a disk and the computers in a LAN or WAN.


(iv) Design of User-Interface

Design of the user interface involves determining the ways in which users will interact with a system. The points that need to be considered while designing the user interface are:
- source documents to capture raw data
- hard-copy output reports
- screen layouts for source document input
- inquiry screens for database interrogation
- graphic and colour displays
- requirements for special input/output devices.

Designing System Outputs: Any information system is useful only when it produces the right kind of output at the right time. Designing computer output should proceed in an organized, well thought out manner so that the output element is easy to understand and effective.

Input Objectives: Input design consists of developing specifications and procedures for data preparation, developing the steps which are necessary to put transaction data into a usable form for processing, and data-entry, i.e. the activity of putting the data into the computer for processing.

Output Objectives: The output from an information system should accomplish one or more of the following objectives:
- Convey information about past activities, current status or projections of the future.
- Signal important events, opportunities, problems or warnings.
- Trigger an action.
- Confirm an action.

Important factors in Input / Output design (for each characteristic: definition, input design considerations, output design considerations):

Content
- Definition: Refers to the actual pieces of data to be gathered to produce the required output to be provided to users.
- Input design: The analyst is required to consider the types of data that need to be gathered to generate the desired user outputs. New documents for collecting such information may be designed.
- Output design: The contents of a weekly output report to a sales manager might consist of the salesperson's name, sales calls made by each salesperson during the week, and the amount of each product sold by each salesperson to each major client category.

Timeliness
- Definition: Timeliness refers to when users need outputs, which may be required on a regular, periodic basis: daily, weekly, monthly, at the end of the quarter or annually.
- Input design: Data needs to be input to the computer in time because outputs cannot be produced until certain inputs are available. Hence, a plan must be established regarding when different types of inputs will enter the system.
- Output design: A sales manager may require a weekly sales report. Other users, such as airline agents, require both real-time information and rapid response time in order to render better client service.

Format
- Definition: Input format refers to the manner in which data are physically arranged. Output format refers to the arrangement of data output on a printed report or on a display screen.
- Input design: After the data contents and media requirements are determined, input formats are designed on the basis of constraints such as the type and length of each data field as well as any other special characteristics.
- Output design: The format of information reports for the users should be so devised that it assists in decision-making, identifying and solving problems, planning and initiating corrective action, and searching.

Media
- Definition: Input-output medium refers to the physical device used for input, storage or output.
- Input design: This includes the choice of input media and subsequently the devices on which to enter the data. User input alternatives include display workstations, magnetic tapes, magnetic disks, keyboards, optical character recognition, pen-based computers and voice input etc.
- Output design: A variety of output media are available in the market these days, which include paper, video display, microfilm, magnetic tape/disk and voice output.

Form
- Definition: Form refers to the way the information is entered on the input form and the way the content is presented to users in various output forms: quantitative, non-quantitative, text, graphics, video and audio.
- Input design: Forms are pre-printed papers that require people to fill in responses in a standardized way. Forms capture information required by organizational members that often will be input to the computer. Through this process, forms often serve as source documents for the data entry personnel.
- Output design: The form of the output should be decided keeping in view the requirements of the concerned user. For example, information on distribution channels may be more understandable to the concerned manager if it is presented in the form of a map, with dots representing individual outlets or stores.

Input Volume / Output Volume
- Definition: Input volume refers to the amount of data that has to be entered into the computer system at any one time. The amount of data output required at any one time is known as output volume.
- Input design: In some decision-support systems and many real-time processing systems, input volume is light. In batch-oriented transaction processing systems, input volume could be heavy, involving thousands of records that are handled by a centralized data entry department using key-to-tape or key-to-disk systems.
- Output design: It is better to use a high-speed printer or a rapid-retrieval display unit, which are fast and frequently used output devices, in case the volume is heavy.

(v) Physical Design:

For the physical design, the logical design is transformed into units, which in turn can be decomposed further into implementation units such as programs and modules. During physical design, the primary concern of the auditor is effectiveness and efficiency issues. The auditor should seek evidence that designers follow some type of structured approach, such as CASE tools and simulation, to achieve the required performance when they undertake physical design. Some of the issues addressed here are
- Type of hardware for client application and server application
- Operating systems to be used
- Type of networking
- Processing: batch, online, real-time
- Frequency of input, output

Design Principles:
• There is a tendency to develop merely one design and consider it the final product. However, the recommended procedure is to design two or three alternatives and choose the best one on pre-specified criteria.
• The design should be based on the analysis. The software functions designed should be directly relevant to business activities.
• The design should follow the standards laid down. For instance, the user interface should have a consistent colour scheme, menu structure, location of error messages and the like.
• The design should be modular.

Modularity: A module is a manageable unit containing data and instructions to perform a well-defined task. Interaction among modules is based on well-defined interfaces. Modularity is measured by two parameters: Cohesion and Coupling. Cohesion refers to the manner in which elements within a module are linked. Coupling is a measure of the interconnection between modules. It refers to the number and complexity of connections between ‘calling’ and ‘called’ modules. In a good modular design, cohesion will be high and coupling low.


(vi) Design of the Hardware / System Software Platform:

In some cases, the new system requires hardware and system software not currently available in an organization. For example, a DSS might require high-quality graphics output not supported by the existing hardware and software. The new hardware/system software platform required to support the application system will then have to be designed. If different hardware and software are not able to communicate with each other, subsequent changes will have to be made and resources expended in trying to make the hardware and software compatible with each other. Auditors should be concerned about the extent to which modularity and generality are preserved in the design of the hardware/system software platform.

Stage IV: Systems acquisition and software development

SYSTEM ACQUISITION
After a system is designed either partially or fully, the next phase of the systems development starts, which relates to the acquisition of hardware, software and services.

Acquisition Standards: Management should establish documented acquisition standards that should focus on:
• Ensuring security, reliability, and functionality already built into a product.
• Ensuring that managers review the appropriate vendors, contracts, and licensing agreements.
• Ensuring that new products are compatible with existing systems.
• Ensuring that functional, security, and operational requirements are accurately identified and clearly detailed in requests for proposals (RFPs).

Acquiring Systems Components from Vendors
At the end of the design phase (stage III), the organization gets a reasonable idea of the types of hardware, software and services it needs for the new system. Acquiring the appropriate hardware and software is critical for the success of the whole project. Management also decides whether the hardware is to be purchased, leased from a third party or rented.

(I) Hardware Acquisition: Acquisition of computer hardware is different from acquiring other fixed assets like machines, tools, equipment etc. In the case of procuring machines, tools, equipment etc., management can normally rely on time-tested selection techniques and the objective selection criteria can be delegated to the technical specialist. But in the case of computers, the acquisition process is complex, since management depends upon the vendor for support services, systems design, education and training etc., and for expansion of the computer installation for an almost indefinite period; therefore, this is not just buying the machine and paying the vendor for it but amounts to a long-term relationship with the vendor.

(II) Software Acquisition: Once user output and input designs are finalized, the nature of the application software requirements must be assessed by the systems analyst. This determination helps the systems development team decide what types of application software are needed. This in turn helps the system developers decide the nature of the systems software and computer hardware that will be most suitable for generating the desired outputs, and the functions and capabilities that the application software must possess. Also, at this stage, the system developers must determine whether the application software should be created in-house or acquired from a vendor.


(III) Contracts, Software Licenses and Copyright Violations: Contracts between an organization and a software vendor should clearly describe the rights and responsibilities of the parties to the contract. The contracts should be in writing, with sufficient detail to provide assurances for performance, source code accessibility, software and data security, and other important issues. A software license grants permission to use computer software in a particular manner as defined in the license agreement. Virtually all proprietary software is sold under some form of license agreement; free software and open source software are likewise distributed under the terms of a license. Copyright laws protect proprietary as well as open-source software. The use of unlicensed software or violations of a licensing agreement expose organizations to possible litigation.

(IV) Validation of vendors’ proposals: This process consists of evaluating and ranking the proposals submitted by vendors. It is quite difficult, expensive and time consuming, but is very essential for selecting the right product and the right vendor. The problem is made difficult by the fact that vendors offer a variety of configurations. The following factors have to be considered for a rigorous evaluation:
• The performance capability of each proposed system
• The costs and benefits of each proposed system
• The maintainability of each proposed system
• The compatibility of each proposed system with existing systems
• Vendor support

(V) Methods of validating the proposal: Large organizations would naturally tend to adopt a sophisticated and objective approach to validate the vendor’s proposal. Some of the validation methods are as follows:

i) Checklists: This is the simplest and most subjective method for validation and evaluation. The various criteria are put in a checklist in the form of suitable questions against which the responses of the various vendors are validated. For example, a Support Service Checklist may have parameters like Performance; System development; Maintenance; Conversion; Training; Back-up; Proximity; Hardware; Software.

ii) Point-Scoring Analysis: Point-scoring analysis provides an objective method of selecting a final system. There are no absolute rules in the selection process, only guidelines for matching user needs with software capabilities. Thus, even for a small business, the evaluators must consider such issues as the company’s data processing needs, its in-house computer skills, vendor reputations, software costs, and so forth. For example, the following table illustrates a point-scoring analysis:

Software Evaluation Criteria                                            Points  Vendor A  Vendor B  Vendor C
Does the software meet all mandatory specifications?                      10        7         9         6
Will program modifications, if any, be minimal to meet company needs?    10        8         9         7
Does the software contain adequate controls?                              10        9         9         8
Is the performance (speed/accuracy/reliability) adequate?                 10        7         9         6
Are other users satisfied with the software?                               8        6         7         5
Is the software user-friendly?                                            10        7         8         6
Can the software be demonstrated and test-driven?                          9        8         8         7
Does the software have an adequate warranty?                               8        6         7         6
Is the software flexible and easily maintained?                            8        5         7         5
Is online inquiry of files and records possible?                          10        8         9         7
Will the vendor keep the software up to date?                             10        8         8         7
Totals                                                                   123       94       106        85

(The totals printed in the source exceed the column sums of the eleven rows listed here, which are 103, 79, 90 and 70; this copy of the table may be missing a row. The ranking, Vendor B first, is the same either way.)
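The table above turned into a function, as an added example that is not code from the study notes: each score is validated against the maximum points for its criterion (a transcription error in one cell otherwise silently changes the ranking), totals are computed from the eleven rows listed, and vendors are ranked. The knock-out rule, which excludes any vendor scoring below 70% of the maximum on a criterion treated as mandatory, is an added assumption not stated in the text; criterion names are shortened, and all points and scores are the table's.

```python
"""Added example (not from the study notes): point-scoring analysis as code.
Max points and vendor scores are taken from the table; criterion names are
shortened. The 70 % knock-out rule on mandatory criteria is an added
assumption for the example, not a rule from the text."""

CRITERIA = [
    # (criterion, max points, {vendor: score})
    ("Meets all mandatory specifications", 10, {"A": 7, "B": 9, "C": 6}),
    ("Program modifications minimal", 10, {"A": 8, "B": 9, "C": 7}),
    ("Contains adequate controls", 10, {"A": 9, "B": 9, "C": 8}),
    ("Performance adequate", 10, {"A": 7, "B": 9, "C": 6}),
    ("Other users satisfied", 8, {"A": 6, "B": 7, "C": 5}),
    ("User-friendly", 10, {"A": 7, "B": 8, "C": 6}),
    ("Can be demonstrated and test-driven", 9, {"A": 8, "B": 8, "C": 7}),
    ("Adequate warranty", 8, {"A": 6, "B": 7, "C": 6}),
    ("Flexible and easily maintained", 8, {"A": 5, "B": 7, "C": 5}),
    ("Online inquiry of files and records", 10, {"A": 8, "B": 9, "C": 7}),
    ("Vendor keeps software up to date", 10, {"A": 8, "B": 8, "C": 7}),
]

# Criteria treated as knock-outs: an assumption made for this example.
MANDATORY = {"Meets all mandatory specifications", "Contains adequate controls"}


def validate(criteria):
    """Reject any score outside 0..max_points before totals are trusted."""
    for name, max_points, scores in criteria:
        for vendor, s in scores.items():
            if not 0 <= s <= max_points:
                raise ValueError(f"vendor {vendor}: '{name}' scored {s}, max {max_points}")


def max_total(criteria):
    """Highest total any vendor could reach."""
    return sum(max_points for _, max_points, _ in criteria)


def totals(criteria):
    """Total points per vendor, summed over the listed criteria."""
    validate(criteria)
    out = {}
    for _, _, scores in criteria:
        for vendor, s in scores.items():
            out[vendor] = out.get(vendor, 0) + s
    return out


def rank(criteria, mandatory=MANDATORY, threshold=0.7):
    """Rank vendors by total points, excluding any vendor that scores below
    `threshold` of the maximum on a mandatory criterion. Returns
    (ranked list of (vendor, total, percent of max), excluded vendors)."""
    excluded = set()
    for name, max_points, scores in criteria:
        if name in mandatory:
            for vendor, s in scores.items():
                if s / max_points < threshold:
                    excluded.add(vendor)
    t = totals(criteria)
    best = max_total(criteria)
    ranked = [(v, t[v], round(100 * t[v] / best, 1)) for v in t if v not in excluded]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked, sorted(excluded)


if __name__ == "__main__":
    print("max total:", max_total(CRITERIA))
    print("totals:", totals(CRITERIA))
    print("ranking, excluded:", rank(CRITERIA))
```

With the listed rows, Vendor B leads on total points; Vendor C is excluded under the assumed knock-out rule because it scores 6 of 10 on mandatory specifications, which is the kind of result a pure total would hide.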


iii) Public Evaluation Reports: Several consultancy agencies compare and contrast the hardware and software performance of various manufacturers and publish their reports. This method has been frequently and usefully employed by several buyers in the past. For those criteria, however, where published reports are not available, resort would have to be made to other methods of validation. This method is particularly useful where the buying staff has inadequate knowledge of the facts.

iv) Benchmarking problems for vendors’ proposals: Benchmarking problems for vendors’ proposals are sample programs that represent the actual processing workload, or at least a part of the buyer’s primary computer workload, and include current application programs or new programs that have been designed to represent processing needs. That is, benchmarking problems are oriented towards testing whether a computer offered by the vendor meets the requirements of the job on hand of the buyer.

v) Test problems: Test problems disregard the actual job mix and are devised to test the true capabilities of the hardware, software or system. For example, test problems may be developed to evaluate the time required to translate the source code (program in an assembly or a high level language) into the object code (machine language), the response time for two or more jobs in a multi-programming environment, the overhead requirements of the operating system in executing a user program, the length of time required to execute an instruction, etc. The results achieved by the machine can be compared and a price/performance judgment can be made. It must be borne in mind, however, that the various capabilities to be tested would have to be assigned relative weights.

SYSTEMS DEVELOPMENT
Objective: To convert the specification into a functioning system.
Activities: Application programs are written, tested and documented; system testing is conducted.
Document / Deliverable: A fully functional and documented system.

A good coded program should have the following characteristics:
• Reliability: It refers to the consistency which a program provides over a period of time. However, poor setting of parameters and difficult coding of some data could subsequently result in the failure of a program after some time.
• Robustness: It refers to the process of taking into account all possible inputs and outputs of a program, including the least likely situations.
• Accuracy: It refers not only to what the program is supposed to do, but should also take care of what it should not do. The second part becomes more challenging for quality control personnel and auditors.
• Efficiency: It refers to the performance, which should not be unduly affected by an increase in input values.
• Usability: It refers to a user-friendly interface and easy-to-understand documentation required for any program.
• Readability: It refers to the ease of maintenance of a program even in the absence of the program developer.

Some other issues in systems development:

(I) Program Coding Standards: The logic of the program outlined in the flowcharts is converted into program statements or instructions at this stage. For each language, there are specific rules regarding format and syntax. Syntax means the vocabulary, punctuation and grammatical rules for a particular programming language. Different programmers may write a program using different sets of instructions, each giving the same results. Therefore, coding standards are defined which serve as a method of communication between teams, amongst the team members and users, thus working as a good control. Coding standards minimize the system development setbacks due to programmer turnover. Coding standards provide simplicity, efficient utilization of storage and least processing time.

(II) Programming Language: Application programs are coded in the form of statements or instructions and the same is converted by the compiler into binary machine language for the computer to understand and execute. The programming languages commonly used are as follows:
• High-level general purpose programming languages such as COBOL and C.
• Object oriented languages such as C++, Java etc.
• Scripting languages like JavaScript, VBScript.
• Decision support or expert system languages like PROLOG.
Choice of Programming Language: The language to be used should be decided on the basis of the following criteria: application area; algorithmic complexity; environment (hardware and operating system) in which the software has to be executed; performance considerations; data structure complexity; knowledge of the software development staff; and capability of in-house staff for maintenance.

(III) Program Debugging: Debugging is the most primary form of testing activity, which refers to correcting programming language syntax and diagnostic errors so that the program compiles cleanly. A clean compile means that the program can be successfully converted from the source code written by the programmer into machine language instructions. Debugging can be a tedious task consisting of the following four steps:
• Inputting the source program to the compiler,
• Letting the compiler find errors in the program,
• Correcting lines of code that are erroneous, and
• Resubmitting the corrected source program as input to the compiler.

(IV) Test the program: A careful and thorough testing of each program is necessary for the successful installation of any system. The programmer should plan the testing to be performed, including testing all possible exceptions. The test plan should require the execution of all standard processing logic. The program test plan should be discussed with the project manager and/or system users. A log of test results and all conditions successfully tested should be kept. The log will later provide evidence in answering the question 'Did you ever test for this condition?'

(V) Program Documentation: The writing of narrative procedures and instructions for people who will use the software is done throughout the program life cycle. Managers and users should carefully review documentation in order to ensure that the software and system behave as the documentation indicates. If they do not, the documentation should be revised. User documentation should also be reviewed for understandability, i.e. the documentation should be prepared in such a way that the user can clearly understand the instructions.

(VI) Program Maintenance: The requirements of business data processing applications are subject to continual change. This calls for modification of the various programs. There are usually separate categories of programmers, called maintenance programmers, who are entrusted with this task.


Stage V: Systems Testing
Testing is a process used to identify the correctness, completeness and quality of developed computer software. Testing should systematically uncover different classes of errors in a minimum amount of time and with a minimum amount of effort. The data collected through testing can also provide an indication of the software's reliability and quality. However, testing cannot show the absence of defects; it can only show that software defects are present.

Different levels of testing are as follows:
Level 1: Unit testing
Level 2: Integration testing
Level 3: System testing
Level 4: Acceptance testing

Level 1: Unit Testing
In computer programming, unit testing is a software verification and validation method in which a programmer tests whether individual units of source code are fit for use. A unit is the smallest testable part of an application, which may be an individual program, function, procedure, etc. Unit tests are typically written and run by software developers to ensure that code meets its design and behaves as intended. The goal of unit testing is to isolate each part of the program and show that the individual parts are correct. A unit test provides clearly defined written conditions that the piece of code must satisfy. There are five categories of tests that a programmer typically performs on a program unit:
1. Functional Tests: Functional tests check ‘whether programs do what they are supposed to do or not’. The test plan specifies operating conditions, input values and expected results, and as per this plan the programmer inputs the values to see whether the actual result and the expected result match.
2. Performance Tests: Performance tests are designed to verify the response time, the execution time, the throughput, primary and secondary memory utilization and the traffic rates on data channels and communication links.
3. Stress Tests: Stress testing involves testing the system beyond its normal operational capacity, often to a breaking point, in order to observe the results. These tests are designed to overload a program in various ways. The purpose of a stress test is to determine the limitations of the program. For example, during a sort operation, the available memory can be reduced to find out whether the program is able to handle the situation.
4. Structural Tests: Structural tests are concerned with examining the internal processing logic of a software system. For example, if a function is responsible for tax calculation, the verification of its logic is a structural test.
5. Parallel Tests: In parallel tests, the same test data is used in the new and the old system and the output results are then compared.

Types of Unit Testing:
(a) Static testing (i.e. testing without actually running the program)
(b) Dynamic testing (i.e. testing by actually running the program)

(a) Static testing: Some important static analysis tests are as follows:
i) Desk Check: This is done by the programmer himself. He checks for logical and syntax errors, and deviation from coding standards.
ii) Structured walk-through: The application developer leads other programmers through the text of the program with explanation.
iii) Code inspection: The program is reviewed by a formal committee. Review is done with formal checklists. The procedure is more formal than a walk-through.


(b) Dynamic testing:
i) Black Box Testing: Black box testing takes an external view of the test object to derive test cases. These tests can be functional or non-functional, though usually functional. The test designer selects valid and invalid inputs and determines the correct output. There is no knowledge of the software's internal structure. This method of test design is applicable to all levels of software testing: unit, integration, functional, system and acceptance.
ii) White Box Testing: White box testing uses an internal view of the system to design test cases based on internal structure. It requires programming skills to identify all paths through the software. The tester chooses test case inputs to exercise all paths through the program code and determines the appropriate outputs. This test is applicable at the unit, integration and system levels of the testing process, but is typically applied at the unit level.
iii) Gray Box Testing: Gray box testing is a software testing technique that uses a combination of black box testing and white box testing. In gray box testing, the tester applies a limited number of test cases to the internal workings of the software under test. In the remaining part of gray box testing, one takes a black box approach, applying inputs to the software under test and observing the outputs.
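Added example (not from the original notes): the three kinds of dynamic test above, plus the structural and parallel tests described earlier, applied to one small routine. The slab-based tax calculation, its rates and the "old system" implementation used for the parallel run are all constructed for illustration and are not statutory rates.

```python
"""Black-box, white-box and parallel tests for a constructed tax routine.
Everything here is an illustrative addition, not code from the notes."""

# --- system under test: hypothetical progressive slabs (constructed rates) --
SLABS = [(250_000, 0.0), (500_000, 0.05), (1_000_000, 0.20)]
TOP_RATE = 0.30


def calculate_tax(income):
    """Return tax on `income` using the constructed slabs.
    Negative or non-numeric input is rejected rather than silently computed."""
    if not isinstance(income, (int, float)) or income < 0:
        raise ValueError("income must be a non-negative number")
    tax, lower = 0.0, 0
    for upper, rate in SLABS:
        if income <= upper:                      # income ends in this slab
            tax += (income - lower) * rate
            return round(tax, 2)
        tax += (upper - lower) * rate            # whole slab taxed, move on
        lower = upper
    tax += (income - lower) * TOP_RATE           # remainder above last slab
    return round(tax, 2)


# --- the "old system", used only for the parallel test (constructed) --------
def legacy_tax(income):
    """Same rule written as a flat formula, standing in for the old system."""
    if income <= 250_000:
        return 0.0
    if income <= 500_000:
        return round((income - 250_000) * 0.05, 2)
    if income <= 1_000_000:
        return round(12_500 + (income - 500_000) * 0.20, 2)
    return round(112_500 + (income - 1_000_000) * 0.30, 2)


def black_box_cases():
    """Black-box: inputs chosen from the specification only, without reading
    the code: normal values, slab boundaries and an invalid value."""
    results = {}
    for income in (0, 250_000, 250_001, 500_000, 1_000_000, 1_200_000):
        results[income] = calculate_tax(income)
    try:
        calculate_tax(-1)
        results["negative_rejected"] = False
    except ValueError:
        results["negative_rejected"] = True      # invalid input must be refused
    return results


def white_box_paths():
    """White-box (structural): one input per distinct path through
    calculate_tax, so the tester can confirm every branch was exercised."""
    return {"slab0": calculate_tax(100_000),     # returns inside first slab
            "slab1": calculate_tax(300_000),     # one full slab, exits in second
            "slab2": calculate_tax(700_000),     # two full slabs, exits in third
            "top":   calculate_tax(2_000_000)}   # falls out of the loop


def parallel_test(dataset):
    """Parallel test: same data through old and new system; return mismatches
    as (input, old_output, new_output). An empty list means they agree."""
    return [(x, legacy_tax(x), calculate_tax(x))
            for x in dataset if legacy_tax(x) != calculate_tax(x)]
```

The black-box cases deliberately sit on the slab boundaries (250,000 and 250,001), because that is where a specification-only tester expects defects; the white-box cases are chosen by reading the loop and ensuring each exit is taken at least once.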

Level 2: Integration Testing
Integration testing is an activity of software testing in which individual software modules are combined and tested as a group. It occurs after unit testing and before system testing, with the objective of evaluating the connection of two or more components that pass information from one area to another. This is carried out in the following manner:
i) Bottom-up Integration: Bottom-up integration is the traditional strategy used to integrate the components of a software system into a functioning whole. It consists of unit testing, followed by sub-system testing, and then testing of the entire system. Bottom-up testing is easy to implement, since at the time of module testing, tested sub-modules are available. The disadvantage, however, is that testing of major decision / control points is deferred to a later period.
ii) Top-down Integration: Top-down integration starts with the main routine, and stubs are substituted for the modules directly subordinate to the main module. An incomplete portion of program code that is put under a function in order to allow the function and the program to be compiled and tested is referred to as a stub. Once the main module testing is complete, stubs are substituted with real modules one by one, and then these modules are again tested. This process continues till the root-level sub-modules are reached. Since decision-making processes are likely to occur in the higher levels of program modules, the top-down strategy emphasizes the major control decision points encountered in the earlier stages of a process and detects any errors in these processes. The difficulty in the top-down method arises because the high-level modules are not tested with real outputs from sub-modules, but with outputs from stubs.
iii) Regression Testing: Each time a new module is added as part of integration testing, the software changes. New data flow paths are established, new I/O may occur and new control logic starts. These changes may cause problems with functions that previously worked correctly. In the context of integration testing, the regression tests ensure that changes or corrections have not introduced new errors. The data used for the regression tests should be the same as the data used in the original test.


Level 3: System Testing
System testing is a process in which software and other system elements are tested as a whole. System testing begins either when the software as a whole is operational or when well-defined subsets of the software's functionality have been implemented. The purpose of system testing is to ensure that the new or modified system functions properly. These test procedures are often performed in a non-production test environment. The types of testing that might be carried out are as follows:
i) Recovery testing: This is the activity of testing how well the application is able to recover from crashes, hardware failures and other similar problems. In recovery testing, forced failure of the software is done in a variety of ways to verify that recovery is properly performed.
ii) Security testing: This testing is done to determine whether an Information System protects data and maintains functionality as intended. The six basic security concepts that need to be covered by security testing are confidentiality, integrity, authentication, authorization, availability and non-repudiation. It also ensures the existence and proper execution of access controls in the new system.
iii) Stress testing: Stress testing is used to determine the stability of a given system or entity. It involves testing beyond normal operational capacity, often to a breaking point, in order to observe the results. Stress testing may be performed by testing the application with a large quantity of data during peak hours to test its performance.
iv) Performance testing: In the computer industry, software performance testing is used to determine the speed or effectiveness of a computer, network, software program or device. This testing technique compares the new system's performance with that of similar systems using well-defined benchmarks.
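Added example (not part of the original notes): a security test harness for a small, hypothetical access-control layer, written the way a system tester would check the concepts listed above. Each check maps to one concept: authentication (wrong password yields no session), authorization (a read-only user cannot write, a write-role user can, an unauthenticated caller is refused) and non-repudiation (every denial and write is attributable in an audit record). The users, roles, passwords and salt are constructed.

```python
"""Security tests over a constructed access-control layer (added example)."""
import hashlib
import hmac

_SALT = b"constructed-salt"          # constructed; a real system uses per-user salts


def _hash(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


# constructed user store: user id -> (password hash, role)
USERS = {"clerk": (_hash("clerk-pass"), "read"),
         "manager": (_hash("mgr-pass"), "write")}
AUDIT_LOG = []                        # chronological record of security events


class AccessDenied(Exception):
    pass


def login(user, password):
    """Authentication. Constant-time comparison avoids leaking the hash by timing."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec[0], _hash(password)):
        AUDIT_LOG.append(("LOGIN_FAIL", user))
        return None
    AUDIT_LOG.append(("LOGIN_OK", user))
    return {"user": user, "role": rec[1]}


def update_record(session, record, new_value):
    """Authorization: only the 'write' role may modify; every attempt is logged
    with the user id so the action cannot later be repudiated."""
    if session is None:
        raise AccessDenied("not authenticated")
    if session["role"] != "write":
        AUDIT_LOG.append(("DENIED_WRITE", session["user"], record))
        raise AccessDenied("not authorized")
    AUDIT_LOG.append(("WRITE", session["user"], record, new_value))
    return True


def run_security_tests():
    """Return a dict of named checks; each should be True on a correct system."""
    AUDIT_LOG.clear()
    results = {}
    # authentication: a wrong password must not produce a session
    results["auth_rejects_bad_password"] = login("clerk", "wrong") is None
    clerk = login("clerk", "clerk-pass")
    manager = login("manager", "mgr-pass")
    # authorization: read-only user blocked, write-role user allowed
    try:
        update_record(clerk, "acct-1", 100)
        results["authz_blocks_clerk"] = False
    except AccessDenied:
        results["authz_blocks_clerk"] = True
    results["authz_allows_manager"] = update_record(manager, "acct-1", 100)
    # unauthenticated caller refused outright
    try:
        update_record(None, "acct-1", 1)
        results["unauth_blocked"] = False
    except AccessDenied:
        results["unauth_blocked"] = True
    # non-repudiation: the denial and the write are both attributable in the log
    results["audit_has_denial"] = ("DENIED_WRITE", "clerk", "acct-1") in AUDIT_LOG
    results["audit_has_write"] = ("WRITE", "manager", "acct-1", 100) in AUDIT_LOG
    results["audit_has_failed_login"] = ("LOGIN_FAIL", "clerk") in AUDIT_LOG
    return results
```

Confidentiality, integrity and availability are not exercised by this harness; they need storage-level and load-level tests rather than an access-control check, and the stress and performance tests above cover the availability side.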

Level 4: Final Acceptance Testing
Final Acceptance Testing is conducted when the system is just ready for implementation. During this testing, it is ensured that the new system satisfies the quality standards adopted by the business and that the system satisfies the users. It has two major parts:
i) Quality assurance testing: It ensures that the new system satisfies the prescribed quality standards and that the development process is as per the organization's quality assurance methodology.
ii) User acceptance testing: It ensures that the functional aspects expected by the users have been well addressed in the new system. There are two types of user acceptance testing:
a) Alpha Testing: This is the first stage, often performed by users within the organization.
b) Beta Testing: This is the second stage, generally performed by external users. This is the last stage of testing, and normally involves sending the product outside the development environment for real-world exposure.


Stage VI: Systems Implementation and Maintenance
Objective: To implement the new system, i.e. put it into production.
Activities: The activities involved in System Implementation are as follows:
• Conversion of data to the new system files.
• Training of end users.
• Completion of user documentation.
• System changeover.
• Evaluation of the system at regular intervals.
Document / Deliverable: A fully functional / documented system in its operational environment.

Systems implementation includes all those activities that take place to convert from the old system to the new. The new system may be totally new, replacing an existing manual or automatic system, or it may be a major modification of an existing system.

Activities during Implementation Stage: The activities involved in the system implementation stage are as follows:

I. Equipment Installation: The hardware required to support the new system is selected prior to the implementation phase. The necessary hardware should be ordered in time to allow for installation and testing of equipment during the implementation phase. An installation checklist should be developed at this time with operating advice from the vendor and the system development team. The following activities are done during this stage:
(a) Site Preparation: An appropriate location must be found to provide an operating environment for the equipment that will meet the hardware's temperature, humidity and dust control specifications.
(b) Installation of new hardware / software: The equipment must be physically installed, connected to the power source and wired to communication lines, if required. If the new system interfaces with other systems or is distributed across multiple software platforms, some final commissioning tests of the production environment may be desirable to prove end-to-end connectivity.
(c) Equipment check out: The equipment must be turned on for testing under normal operating conditions. Not only should the routine 'diagnostic test' be run by the vendor, but the implementation team should also devise and run extensive tests of its own to ensure that the equipment is in proper working condition.

II. Training Personnel: A system can succeed or fail depending on the way it is operated and used. Therefore, the quality of training received by the personnel involved with the system in various capacities contributes to the successful implementation of the information system. Thus, training is a major component of systems implementation. When a new system is acquired, which often involves new hardware and software, both users and computer professionals generally need some type of training. Often this is imparted through classes organized by the vendor, and through hands-on learning techniques.

III. System Implementation Conversion Strategies: Conversion or changeover is the process of changing from the old system to the new system. It requires careful planning to establish the basic approach to be used in the actual changeover. The four types of implementation strategies are as follows:


Direct / Abrupt Conversion: In this conversion scheme the old system is discarded and new system is implemented at the same time. It reduces cost of redundant processing but if the new system fails due to any reason then old system will not be available for recovery.

Phased Conversion: In this conversion scheme the old system is discarded in a phased manner and the new system is also implemented module-by-module. In this way implementation becomes easy.

Parallel Conversion: In this conversion scheme the new system is implemented but the old system also continues to work for some time until the new system becomes completely reliable.

Pilot implementation: Other than the above-mentioned conversion strategies there can be "Pilot implementation" also. The new system is first implemented in non-critical units and, if it is successful there, it is moved to larger units.

Activities involved in conversion: Conversion includes all those activities which must be completed to successfully convert from the previous system to the new information system. These activities can be classified as follows:
i) Procedure conversion: Operating procedures should be completely documented for the new system, covering both computer operations and functional area operations. Information on input, data files, methods, procedures, output and internal control must be presented in clear, concise and understandable terms for the average reader. Written operating procedures must be supplemented by oral communication during the training sessions on the system change.
ii) File conversion: Because large files of information must be converted from one medium to another, this phase should be started long before programming and testing are completed. Adequate controls, such as record counts and control totals, should be implemented during conversion. The existing computer files should be kept for a sufficient period of time until the new system is stable and sufficient backup of the converted files is available.
iii) System conversion: After on-line and off-line files have been converted and the reliability of the new system has been confirmed for a functional area, daily processing can be shifted from the old system to the new system. All transactions initiated after this time are processed on the new system. Consideration should be given to operating the old system for some more time to permit checking and balancing the total results of both systems.
iv) Scheduling personnel and equipment: Scheduling data processing operations of a new information system for the first time is a difficult task for the system manager. As users become more familiar with the new system, the job becomes more routine. Schedules should be set up by the system manager in conjunction with the departmental managers who are using the new system.


Post implementation review (PIR) and systems maintenance
Post Implementation Review:
- PIR ascertains the degree of success of the project.
- PIR also examines the effectiveness of the new system to see if further improvements can be made to optimize the benefit delivered.
- PIR should be done some time after the solution has been deployed. Typical periods range from 6 weeks to 6 months, depending on the type of solution and its environment.
There are three basic dimensions of an information system that should be evaluated:
I. Development evaluation: Evaluation of the development process is primarily concerned with whether the system was developed on schedule and within budget. It requires schedules and budgets to be established in advance and that records/documentation of actual performance and cost be maintained.
II. Operation evaluation: The evaluation of the information system's operation pertains to whether the hardware, software and personnel are capable of performing their duties. Operation evaluation is relatively straightforward if evaluation criteria are established in advance. For example, if the systems analyst lays down the criterion that a system which is capable of supporting one hundred terminals should give a response time of less than two seconds, evaluation of this aspect of system operation can be done easily after the system becomes operational.
III. Information evaluation: An information system should also be evaluated in terms of the information it provides. This aspect of system evaluation is difficult and cannot be conducted in a quantitative manner, as is the case with development and operation evaluations. The objective of an information system is to provide information to support the organizational decision system. Therefore, the extent to which the information provided by the system supports decision making is an important area in evaluating the system.
System Maintenance
Most information systems require at least some modification after development. The need for modification arises from a failure to anticipate all requirements during system design and/or from changing organizational requirements. Maintenance can be categorized in the following six ways:
i) Scheduled maintenance: Scheduled maintenance is anticipated and can be planned for. For example, the implementation of a new inventory coding scheme can be planned in advance.
ii) Rescue maintenance: Rescue maintenance refers to previously undetected malfunctions that were not anticipated but require immediate solution. A system that is properly developed and tested should have few occasions of rescue maintenance.
iii) Corrective maintenance: Corrective maintenance deals with fixing bugs in the code or defects found. A defect can result from design errors, logic errors, coding errors, data processing and system performance errors. The need for corrective maintenance is usually initiated by bug reports drawn up by the end users. Examples of corrective maintenance include correcting a failure to test for all possible conditions or a failure to process the last record in a file.
iv) Adaptive maintenance: Adaptive maintenance consists of adapting software to changes in the environment, such as the hardware or the operating system. The term environment in this context refers to the totality of all conditions and influences which act from outside upon the system, for example business rules, government policies, work patterns, and software and hardware operating platforms. The need for adaptive maintenance can only be recognized by monitoring the environment.
v) Perfective maintenance: Perfective maintenance mainly deals with accommodating new or changed user requirements and concerns functional enhancements to the system and activities to increase the system's performance or to enhance its user interface.
vi) Preventive maintenance: Preventive maintenance concerns activities aimed at increasing the system's maintainability, such as updating documentation, adding comments, and improving the modular structure of the system.


Operation manuals
Operation Manuals: A user's guide, also commonly known as an Operation Manual, is a technical communication document intended to give assistance to people using a particular system. Operation manuals are most commonly associated with electronic goods, computer hardware and software. Operation manuals often include the following:
• A cover page, a title page and a copyright page
• A preface (introduction) and information on how to navigate the user guide
• A contents page
• A guide on how to use at least the main functions of the system
• A troubleshooting section detailing possible errors or problems that may occur, along with how to fix them
• A FAQ (Frequently Asked Questions)
• Where to find further help, and contact details
• A glossary and, for larger documents, an index

Auditor's Role in SDLC
The audit of a system under development can have three main objectives:
1. To provide an opinion on the efficiency, effectiveness and economy of project management.
2. To ensure that the new system being developed provides adequate audit trails and controls to ensure the integrity of data processed and stored.
3. To assess the controls being provided for the management of the system's operations.

The auditor can achieve the above objectives by:
i. Attending project and steering committee meetings
ii. Examining project documentation
iii. Conducting interviews
iv. Checking compliance with development standards
v. Examining systems operational documentation to see the operational controls
vi. Giving a rating (1 to 10) for the various SDLC phases
vii. Asking for a technical expert's report on technical aspects (e.g. database design)

Some control considerations for an auditor to examine are:
i. Documented policy and procedures
ii. Established project team
iii. Good infrastructure
iv. Trained development staff
v. Appropriate approvals
vi. Separation of development and test environments
vii. Standards are followed
viii. User department approval before implementing
ix. Version control
x. Safety of source code
xi. System maintains a proper audit trail

Previous examination questions

Exam        Marks
Nov 2012    16
May 2012    14
Nov 2011    21
May 2011    13
Nov 2010    12
May 2010    10
Nov 2009    Nil
June 2009   10
Nov 2008    15

Nov 2012 (5 Marks) Q: State the advantages of SDLC from the perspective of the IS audit.
Nov 2012 (6 Marks) Q: What are the characteristics of a good coded program?
Nov 2012 (5 Marks) Q: Being an IS auditor, what objectives can you set for the audit of systems under development and how can you achieve your objectives?
May 2012 (6 Marks) Q: What are the tangible and intangible benefits that can result from the development of a computerized system?
May 2012 (4 Marks) Q: What are the major activities involved in the design of a database?
May 2012 (4 Marks) Q: Short Note: Data Dictionary.
Nov 2011 (5 Marks) Q: (Case Study) What areas are required to be studied in order to know about the present system?
Nov 2011 (4 Marks) Q: At the end of the analysis phase, the systems analyst prepares a document called "Systems Requirement Specification (SRS)". Write the contents of the SRS.
Nov 2011 (4 Marks) Q: The following are involved in the System Development Life Cycle (SDLC). Discuss their roles: i) Project Manager ii) Systems Analyst iii) Database Administrator (DBA) iv) IS Auditor
Nov 2011 (4 Marks) Q: Draw the flow chart to find the sum of the first 50 even numbers, starting from 2.
Nov 2011 (4 Marks) Q: Short note on: Information Systems Maintenance
May 2011 (5 Marks) Q: What do you mean by systems requirement analysis? What are the activities to be performed during the systems requirement phase?
May 2011 (8 Marks) Q: Discuss in brief the various functional areas to be studied by a system analyst for a detailed investigation of the present system.
Nov 2010 (8 Marks) Q: As the person in charge of the systems development life cycle, you are assigned the job of developing a model for a new system which combines the features of a prototyping model and the waterfall model. Which would be the model of your choice and what are its strengths and weaknesses?
Nov 2010 (4 Marks) Q: From the perspective of IS audit, what are the advantages of the Systems Development Life Cycle?
May 2010 (5 Marks) Q: (Case Study) What are the two primary methods through which the analyst would have collected the data?
May 2010 (5 Marks) Q: How would you use a data dictionary as a tool for file security and audit trails?


June 2009 (10 Marks) Q: The top management of a company has decided to develop a computer information system for its operations. Is it essential to conduct a feasibility study of the system before implementing it? If the answer is yes, state the reasons. Also discuss three different angles from which the feasibility study of the system is to be conducted.
Nov 2008 (10 Marks) Q: State and briefly explain the six stages of the System Development Life Cycle (SDLC).
Nov 2008 (5 Marks) Q: Write a short note on "Information system maintenance."

Logon to www.cafinal.com for exam-oriented QRP (quick revision points) of this chapter.


CHAPTER 3

CONTROL OBJECTIVES

[Figure: factors creating the need for controls in an organization: cost of computer abuse, cost of incorrect decision making, value of H/W, S/W & personnel, organizational cost of data loss, high cost of computer error, maintenance of privacy, controlled evolution of computer use]

Control and Audit of computer based information systems
◙ Need for controls in IT environment:
1) High Cost of Data Loss: Data is a critical resource of an organization and if it is lost it can result in huge financial loss to the organization.
2) Incorrect Decision Making: If the IT environment is not equipped with proper controls, then a slight deviation in any process can give wrong information, which can result in wrong decision making by the end user of that information.
3) Costs of Computer Abuse: Unauthorized access to computer systems, computer viruses, unauthorized physical access to computer facilities and unauthorized copies of sensitive data can lead to destruction of assets (hardware, software, documentation etc.).
4) Value of Computer Hardware, Software and Personnel: These are critical and expensive resources of an organization and have a huge impact on business competitiveness.
5) High Costs of Computer Error: In a computerized environment a single data error during entry or processing can cause great damage.
6) Maintenance of Privacy: Today the data collected in a business process contains personal information about an individual or customer, such as medical, educational, employment and residence details. If this information gets leaked, the organization will face severe consequences.
7) Controlled Evolution of Computer Use: Technology use and the reliability of complex computer systems cannot be guaranteed, and the consequences of using unreliable systems can be destructive.


◙ Objective of the information systems audit function:
Information Systems auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively and uses resources efficiently.
1) Asset Safeguarding Objectives: The IT assets (hardware, software, data files etc.) must be protected by a system of internal controls from unauthorized access and misuse.
2) Data Integrity Objectives: Data integrity means that the organization's data does not undergo any unauthorized modification, deletion or addition.
3) System Effectiveness Objectives: Effectiveness of a system is evaluated by auditing the characteristics and objectives of the system to see whether it meets substantial user requirements.
4) System Efficiency Objectives: Efficiency means optimizing the use of the various information system resources (machine time, peripheral devices, system/application software and labour) in the best possible manner.
5) Compliance: To ensure compliance with Information System related policies, guidelines, circulars, and any other instructions requiring compliance, by whatever name called.

Benefits of "INFORMATION SYSTEMS AUDITING"

[Figure: benefits of information systems auditing to the organization: improved safeguarding of assets, improved data integrity, improved system effectiveness, improved system efficiency]

◙ Effect of computers on internal control: The location and operation of internal controls has changed drastically in the computerized environment. There can be various categories of internal controls in an organization:
a. Selection of personnel: Selection of trustworthy and competent staff is a prerequisite for any organization. Control over the selection process will accomplish this objective. In a computerized environment it becomes important to check the IT skills of new employees as well.
b. Segregation of duties: This means that the stages in processing a transaction are split between different people so that one person cannot process a complete transaction from start to finish. In a computerized environment this is accomplished by creating user IDs with different rights. In a manual system the whole focus was on segregation of duties in the finance department, but in a computerized environment segregation of duties within the IT department is more crucial. The IT department has complete control over the various IT resources such as application programs and the database; in such a case the system becomes more vulnerable to fraud.
c. Authorization procedure: This ensures that each transaction is authorized by a competent person before it is executed. In a computerized environment different users have different authorization rights, which are configured in their user ID. Also, a supervisor's signature may be replaced by computerized authorization controls such as automated controls written into the computer programs (e.g. programmed credit limit approvals).
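Added example (not part of the original notes) covering points b and c together: a maker-checker workflow in which user IDs carry distinct rights, the system refuses to let the initiator of a transaction also approve it (segregation of duties), and a programmed limit replaces the supervisor's signature for small amounts (programmed approval). The user IDs, rights and the limit are constructed; `initiate`, `approve` and `demo` are hypothetical names.

```python
"""Maker-checker with segregation of duties and a programmed approval limit
(added illustration; users, rights and limits are constructed)."""
from dataclasses import dataclass, field
from typing import List, Optional

# constructed rights per user ID; super1 deliberately holds both rights so the
# self-approval rule, not the rights table alone, has to enforce segregation
RIGHTS = {"maker1": {"initiate"},
          "checker1": {"approve"},
          "super1": {"initiate", "approve"}}
AUTO_APPROVE_LIMIT = 50_000     # programmed control: at or below this, no approver needed


@dataclass
class Txn:
    id: int
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None
    status: str = "pending"
    trail: List[tuple] = field(default_factory=list)   # audit trail of the transaction


def initiate(txn_id, amount, user):
    """Create a transaction; only IDs with the 'initiate' right may do so."""
    if "initiate" not in RIGHTS.get(user, set()):
        raise PermissionError(f"{user} lacks the initiate right")
    t = Txn(txn_id, amount, user)
    t.trail.append(("initiated", user))
    if amount <= AUTO_APPROVE_LIMIT:            # programmed approval, like a credit limit
        t.status, t.approved_by = "approved", "SYSTEM"
        t.trail.append(("auto-approved", "SYSTEM"))
    return t


def approve(t, user):
    """Approve a pending transaction; the approver must hold the 'approve'
    right and must not be the person who initiated it."""
    if "approve" not in RIGHTS.get(user, set()):
        raise PermissionError(f"{user} lacks the approve right")
    if user == t.initiated_by:                  # segregation of duties
        t.trail.append(("self-approval rejected", user))
        raise PermissionError("initiator cannot approve own transaction")
    if t.status != "pending":
        raise ValueError("transaction is not pending")
    t.status, t.approved_by = "approved", user
    t.trail.append(("approved", user))
    return t


def demo():
    """Exercise the controls and return the outcomes as a dict."""
    out = {}
    small = initiate(1, 20_000, "maker1")
    out["small_auto_approved"] = (small.status, small.approved_by)
    large = initiate(2, 80_000, "super1")       # above the limit: needs a checker
    try:
        approve(large, "super1")                # same ID tries to approve its own entry
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True
    out["checker_approved"] = approve(large, "checker1").status
    try:
        initiate(3, 10, "checker1")             # checker has no initiate right
        out["no_initiate_right_blocked"] = False
    except PermissionError:
        out["no_initiate_right_blocked"] = True
    out["trail"] = large.trail
    return out
```

The rejected self-approval is written to the transaction's trail rather than silently dropped, so an auditor reviewing the log can see that the control fired and which user ID triggered it.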


d. Record keeping: Various automated controls are involved in record keeping for protecting and storing documents, transaction details, audit trail etc. in a computerized environment, e.g. validity control, completeness control, user control, application control etc.
e. Access to assets and records: In a manual environment unauthorized access to various assets and records was prevented by physical lock and key. In a computerized environment this protection is more difficult to implement and is achieved by user control techniques such as user IDs and passwords for the various resources.
f. Management supervision and review: Management supervision and review helps to prevent and detect both errors and fraud. In a manual environment this was achieved by direct supervision and review of employees' work. In an IT environment various other methods for supervision and performance measurement of employees exist, e.g. work performed by employees can be monitored online, and detailed transaction logs are maintained for all users logging into the system.
g. Concentration of programs and data: Master files and transaction data are stored in the same computer systems, which makes them more vulnerable to fraud in the absence of proper controls. In a manual system physical access control was sufficient to prevent unauthorized activity, but in a computer system physical access control is not sufficient since data can be accessed from different locations. The only control to prevent such fraud is to implement strong logical access controls in the application software as well as in the database.

◙ Elements of internal control: Internal controls used within an organization comprise the following five interrelated components (also known as the five COSO internal control elements):
1) Control environment: The control environment means the overall management policy towards control and the awareness and support of staff towards the controls. The control environment is reflected in management's operating style, the ways authority and responsibility are assigned, the functional method of the audit committee, the methods used to plan and monitor performance, and so on.
2) Risk Assessment: Before designing and implementing controls it is necessary to identify and analyze the risks faced by an organization and the ways the risk can be managed.
3) Control activities: These are the activities/methods that operate to ensure transactions are authorized, duties are segregated, adequate documents and records are maintained, assets and records are safeguarded, and independent checks are done.
4) Information and communication: Relevant information is identified, captured and communicated in a timely and appropriate form to enable people to take decisions and discharge their responsibilities.
5) Monitoring: Control activities are monitored and modifications are made as necessary. Monitoring of controls ensures that internal controls operate reliably over time.


◙ Effects of computers on audit: The use of computers in business organizations has had a great impact on audit methodology. This is due to the following reasons:
1. Change in evidence collection
2. Changes in evidence evaluation
Let us take this discussion in detail:

1. Change in audit evidence collection techniques: An audit trail is a chronological sequence of audit records which gives the auditor evidence of a particular transaction. The existence of an audit trail is a prerequisite for any audit assignment. But in a computerized environment the nature of the audit trail changes extensively.
(a) Data retention and storage: In a computerized environment data is retained in digital format, which cannot be read directly. To read that data some software is required which can convert the digital format into human-readable form. Further, there is also a limit on the volume of data that can be stored in computer memory, so detailed logs are maintained for a short period and thereafter new logs are overwritten over them. This creates difficulty for the auditor in obtaining proper audit evidence.
(b) Absence of input document: Sometimes there is no input document supporting transactions which are initiated by customers through online services such as internet banking or EDI transactions. In such a case no paper document is generated for the transaction and the auditor has to rely on the system log for gathering evidence of that transaction.
(c) Lack of visible audit trail: The audit trail in some computers may exist for only a short period of time. In such a case the auditor has to depend upon other corroborative audit evidence to provide assurance that the transaction has been processed correctly.
(d) Lack of visible output: Generally transactions are processed in the system without generating a physical copy of each transaction. Only the consolidated figures are printed when required. In such a case, if the auditor wants to examine individual transactions, he has to view them in the system itself using a separate login ID with "read only" access.
(e) Audit evidence: Certain transactions are system-generated, such as depreciation on fixed assets and interest on loans/deposits. In such cases there is no physical authorization for passing these ledger entries, and the auditor can only obtain assurance about the correctness of these transactions by reviewing the process used by the software for such automated transactions and their parameters.
(f) Legal issues: The use of computers and the internet for carrying out transactions has resulted in new problems about the legal validity of such transactions. This now has to be judged in the light of the Information Technology Act.

2. Changes in evidence evaluation due to new opportunities and mechanisms for fraud and errors:
(a) System generated transactions: As discussed before, many transactions are automatically triggered by the system and executed without human intervention. For example, a purchase order can be automatically generated and sent to the vendor when the stock level falls below a particular level. In such cases new sources of error arise which were not there in the manual system.
(b) Systematic errors: If anything goes wrong in the computer system, the effect of that error is of a multiplying nature. For example, if a wrong interest rate is configured in the parameter, then interest will be credited at the wrong rate in all the customer accounts without any alarm signal.
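Added example (not part of the original notes) for the systematic-error point above and for the record counts and control totals mentioned under file conversion: two programmed controls that would raise the missing alarm signal. The first is a reasonableness check on the interest-rate parameter itself, so a mis-keyed rate never reaches the interest run; the second reconciles the run's record count and total interest against an independently computed control total, so that if a wrong rate does get through, the batch is flagged instead of being posted to every account. Account balances, the policy band and the rates are constructed.

```python
"""Parameter reasonableness check and control-total reconciliation
(added illustration; balances, limits and rates are constructed)."""

RATE_LIMITS = (0.0, 0.12)        # constructed policy band for the annual interest rate
ACCOUNTS = {"A1": 100_000.0,     # constructed account balances
            "A2": 250_000.0,
            "A3": 50_000.0}


class ControlException(Exception):
    pass


def set_interest_rate(new_rate, current_rate, max_change=0.02):
    """Parameter change control: refuse a rate outside the policy band or a
    jump larger than max_change, so 0.65 keyed instead of 0.065 is stopped here."""
    lo, hi = RATE_LIMITS
    if not lo <= new_rate <= hi:
        raise ControlException(f"rate {new_rate} outside policy band {RATE_LIMITS}")
    if abs(new_rate - current_rate) > max_change:
        raise ControlException("rate change exceeds permitted step; needs override")
    return new_rate


def interest_run(rate, accounts=ACCOUNTS):
    """Post one month's interest to every account; return the postings and the
    batch control totals (record count and total interest)."""
    postings = {acct: round(bal * rate / 12, 2) for acct, bal in accounts.items()}
    totals = {"records": len(postings),
              "total_interest": round(sum(postings.values()), 2)}
    return postings, totals


def reconcile(totals, expected_records, expected_total, tolerance=0.01):
    """Control-total check: record count must match exactly and the batch total
    must be within tolerance of an independently computed figure. Returns the
    list of alarms; an empty list means the batch may be released."""
    alarms = []
    if totals["records"] != expected_records:
        alarms.append("record count mismatch")
    if abs(totals["total_interest"] - expected_total) > tolerance:
        alarms.append("interest total outside tolerance")
    return alarms


def demo():
    """Exercise both controls and return the outcomes as a dict."""
    out = {}
    out["normal_change"] = set_interest_rate(0.065, 0.06)
    try:
        set_interest_rate(0.65, 0.06)           # mis-keyed: 65% instead of 6.5%
        out["miskey_blocked"] = False
    except ControlException:
        out["miskey_blocked"] = True
    # independent control total: whole-book balance times the approved rate
    expected = round(sum(ACCOUNTS.values()) * 0.06 / 12, 2)
    _, totals = interest_run(0.06)
    out["totals"] = totals
    out["alarms_ok"] = reconcile(totals, len(ACCOUNTS), expected)
    _, bad = interest_run(0.60)                 # what a wrong parameter would post
    out["alarms_bad"] = reconcile(bad, len(ACCOUNTS), expected)
    return out
```

The expected total is computed from the ledger balances and the approved rate, not from the run's own output, which is what makes it an independent check; an auditor reviewing system-generated interest entries would want to see both the parameter history and this reconciliation.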


◙ Responsibility of controls:
- It is the responsibility of management to establish and maintain controls.
- Management has to apply internal control standards to fulfil the internal control objectives.
- Generally there are three management levels in an organization: senior, middle and supervisory.
- Management is involved in setting controls as follows:
(i) Long range planning
  o Done by senior management
  o Defining goals and objectives
  o Identifying strengths and weaknesses
(ii) Long range planning and IT department
  o Develop and implement cost effective controls
  o Assess the adequacy of internal controls in programs and operations
  o Check that internal controls are consistent with the security policy of the organization
  o Identify areas of improvement
  o Take corrective actions
  o Reporting over internal controls
(iii) Short range planning and tactical planning
  o The functions and activities are performed to meet the overall goals and objectives
(iv) Personnel management controls
  o Clear job descriptions
  o Proper budget of salary and allowances
  o Clear recruitment standards and criteria
  o Proper evaluation of job performance
  o Screening and following security standards

◙ The IS Audit Process:
Knowledge requirements for an IS auditor:
1. Knowledge of business operations
2. Knowledge of legal compliance
3. Knowledge of the information technology environment
4. Knowledge of control procedures
5. Knowledge of IS audit standards and IT control standards
6. Knowledge of audit software tools

Functions of an IS Auditor:
1. Review IT security policies and procedures
2. Risk assessment
3. Evaluation of controls
4. Evaluation of IS in terms of economy, efficiency and effectiveness
5. Review of BCP/DRP
6. Investigating IT related frauds

Categories/Types of IS audits:
1. Application systems audit: This audit is to verify that application software is appropriate, efficient and has adequate controls to ensure correct working.
2. Operating systems audit: This audit is to verify the functioning of the operating system and to check the controls over it.
3. Database audit: This audit aims to check the controls over the database to ensure its integrity and security.
4. Network systems audit: This audit aims to verify controls and security over LAN, WAN and telecommunication networks.


5. IT Infrastructure audit: This audit is to verify that hardware and processing facilities are controlled so as to ensure timely, accurate, efficient and secure processing of data under normal and disruptive conditions.
6. Systems development, implementation and maintenance audit: This audit is to verify that the systems development, implementation and maintenance process is secure and complies with generally accepted standards.
7. Regulatory compliance audit: This audit is done to comply with some law applicable to the organization, e.g. a SOX audit.
8. Investigation of IT related crimes, frauds and forensics: This audit is conducted for investigating IT related frauds.

Steps in an Information Technology Audit:
1. Scoping and pre-audit survey: The auditor and the management determine the scope of the IS audit, and the auditor then decides the main areas of focus based on his risk assessment. A pre-audit survey is done to learn more about the organization and its workflows.
2. Planning the audit: In this step the scope of the audit is broken down into greater levels of detail and an audit program / work plan is prepared.
3. Fieldwork: In this phase the auditor collects evidence by interviewing staff and managers, reviewing documents, printouts and data, testing controls, observing processes etc. System generated logs can be examined, and special audit software like ACL or IDEA can also be used during this phase.
4. Analysis: This step involves reviewing and analyzing all the evidence that was gathered earlier.
5. Reporting: Drafting the final report and discussing it with management.
6. Closure: Closure involves preparing notes for future audits and following up with management on the issues raised in previous audits.

Audit Standards: (Covered in chapter 8)
Following are some of the audit standards or best-practice standards related to IS audit:
1) Audit standards issued by ICAI: ICAI issues various standards and guidance notes in relation to audit. These standards can be helpful in IS audit also.
2) ISACA standards: ISACA (Information Systems Audit and Control Association) of USA has issued
   - 16 IS audit standards
   - 39 IS auditing guidelines and
   - 11 IS auditing procedures
3) COBIT (Control Objectives for Information and related Technology)
4) ISO 27001: Information Security Management System
5) ITIL (Information Technology Infrastructure Library)
6) Global Technology Audit Guide (GTAG): The Institute of Internal Auditors (IIA), USA, has issued GTAG, which provides control and security guidelines for the IT environment. Following is the list of GTAGs developed by IIA:
   - GTAG 1: Information Technology Controls
   - GTAG 2: Change and Patch Management Controls
   - GTAG 3: Continuous Auditing
   - GTAG 4: Management of IT Auditing
   - GTAG 5: Managing and Auditing Privacy Risks
   - GTAG 6: Managing and Auditing IT Vulnerabilities
   - GTAG 7: Information Technology Outsourcing
   - GTAG 8: Auditing Application Controls
   - GTAG 9: Identity and Access Management


Cost effectiveness of control procedures: Internal controls are an essential element of any business process, but they have two problems which must be taken care of:
1st - Controls involve cost.
2nd - Controls make the process slow.
Thus the cost of implementing an internal control should not exceed the benefits derived from it.
Costs:
- Cost of design
- Implementation
- Operation
- Maintenance
Benefits:
- Reduction in expected loss due to the control

COST-BENEFIT ANALYSIS OF CONTROL

Example: Let us take an example to understand this cost-benefit analysis. My company has a large number of employees, and every month-end payroll processing is done, which costs Rs 10,000 per cycle. If a mistake is found the processing is done again at the same cost, i.e. Rs 10,000.

                                              Without validation   With validation
                                              procedure            procedure
Cost of payroll processing each time          Rs 10,000            Rs 10,000
Probability of error in payroll processing    15%                  1%
Expected loss because of reprocessing         Rs 1,500             Rs 100
Cost of validation software                   0                    Rs 600
Net expected benefit of using validation      0                    Rs 1,400 saving in expected loss
control software                                                   less Rs 600 additional cost
                                                                   = Rs 800 benefit

Thus we see that the probable benefit is more than the cost of the new control, so it should be implemented.

◙ Information systems control techniques: The basic purpose of information system controls in an organization is to ensure that business objectives are achieved and that undesired risk events are prevented, or detected and corrected. This is achieved by designing an effective information control framework, comprising policies, procedures, practices and organization structure, that gives reasonable assurance that the business objectives will be achieved.
Definition of controls: Controls are defined as "The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected".


Understanding difference between “objective of controls” and “control objectives”:

The objective of controls is to:
• Protect assets and resources
• Check frauds and errors
• Regulate the business processes
• Reduce or eliminate the causes of potential loss

Control objective is defined as “A statement of the desired result or purpose to be achieved by implementing a particular control procedure in particular IT process or activity”. Control objectives define what is sought to be accomplished by implementing that particular control and the purpose thereof. The control objectives serve two main purposes: 1. Outline the policies of the organization as laid down by the management. This helps in designing of control. 2. A benchmark for evaluating whether control objectives are met. This helps in test of control.

◙ Categories of Controls:

(a) Based on objective of controls:
  1. Preventive
  2. Detective
  3. Corrective
  4. Compensatory
(b) Based on nature of IS resources:
  1. Environmental
  2. Physical access
  3. Logical access
  4. IS Operational
  5. IS Management
  6. SDLC
(c) Based on functional nature:
  1. Accounting and finance
  2. Operational
  3. Administrative

1. Classification based on Objective of controls
1. Preventive controls
2. Detective controls
3. Corrective controls
4. Compensatory controls

1. Preventive controls: Preventive controls are designed to prevent an error, omission or malicious act from occurring. They are designed using a three step process:
(i) Understanding the vulnerability of the asset or process
(ii) Understanding the probable threats
(iii) Making provision to counter such threats


Examples of preventive controls are:
• Employing qualified staff
• Segregation of duties
• Access control
• Proper documentation
• Training of staff
• Using firewalls
• Using antivirus software
• Password protection
The relevance of such controls remains the same in a computerized environment; only their mechanism changes. The following table shows how the same purpose is achieved by manual and computerized controls.

Purpose: Restrict unauthorized entry into the building
  Manual control: Post a security guard on the gate
  Computerized control: Use access control software, smart cards, biometrics etc.
Purpose: Restrict unauthorized entry into the software application
  Manual control: Keep the computer in a secured location and allow only authorized persons to use the applications
  Computerized control: Use an access control mechanism like user ID, password, smart card etc.

2. Detective controls: These controls are designed to detect and report errors, omissions or malicious acts that have already occurred. They are implemented as follows:
(i) Setting parameters of the desired results / actions
(ii) Establishing a mechanism for monitoring and reporting deviations
(iii) Updating the preventive controls for their further improvement
Examples of detective controls are:
• Hash totals
• Check points in a process for monitoring
• Echo controls
• Audit logs
• Duplicate checking of calculations
• Intrusion detection system
• Internal audit function
• Cash count and bank reconciliation statement
• Variance analysis
3. Corrective controls: Corrective controls are designed to correct errors or irregularities that have been detected. They are implemented to:
(i) Minimize the impact of threats
(ii) Identify the causes of the problem
(iii) Resolve the problems discovered by detective controls
(iv) Get feedback from preventive and detective controls
(v) Develop better processes to minimize the future occurrence of problems
Examples of corrective controls are:
• Business continuity plans
• Disaster recovery plans
• Backup procedures
• Rerun procedures
4. Compensatory controls: These are controls which are effective for the protection of assets in the absence of some other direct control. For example segregation of duties is not required in a very small business, since direct supervision by the owner compensates for it. While designing a control, the cost-benefit analysis of implementing that control should be done.


2. Classification based on Nature of IS resources
Another classification of controls is based on the nature of the IS resources or activity to which they are applied:
1. Environmental controls: Controls relating to the housing of IT resources, such as power, air-conditioning, UPS, smoke detection, fire extinguishers, dehumidifiers etc.
2. Physical access controls: Controls relating to the physical security of tangible IS resources and of intangible resources stored on media. Such controls include access control doors, security guards, door alarms, restricted entry to secure areas, visitor registers, CCTV etc.
3. Logical access controls: Controls relating to logical access to information resources, such as operating system access controls, application software boundary controls, networking controls, database access controls, cryptographic controls etc.
4. IS operational controls: Controls relating to routine IS operation, administration and its management, such as day-begin and day-end controls, IS infrastructure management, incident management, helpdesk etc.
5. IS management controls: Controls relating to overall IS management, administration, policies, procedures, standards and practices, monitoring of IS operations, the steering committee etc.
6. SDLC controls: Controls relating to the planning, design, development, testing, implementation and post-implementation review of application and other software.

3. Classification based on Functional nature
Another categorization of controls is based on their functional nature. When reviewing a client's control systems, the auditor will be able to identify three components of internal control, each aimed at achieving different objectives.
1. Accounting and financial controls: Controls intended to safeguard the client's assets and ensure the reliability of the financial records.
2. Operational controls: These deal with the day-to-day operations, functions and activities, to ensure that the operational activities are contributing to the business objectives.
3. Administrative controls: These are concerned with ensuring efficiency and compliance with management policies, including the operational controls.

◙ Control techniques:
1. Organizational controls
2. Management controls
3. Financial controls
4. Data processing controls
5. Physical access controls
6. Logical access controls
7. SDLC controls
8. BCP/DRP controls
9. Application controls


1. Organizational Controls: Organizational control techniques include documentation of:
1. Definition of responsibilities and objectives of each function
2. Policies and procedures
3. Job descriptions
4. Segregation of duties

1. Defining responsibilities and objectives of each function: Each information systems function must be clearly defined and documented, including systems software, application programming and systems development, database administration, and operations.
2. Policies, standards, procedures and practices: These are the standards and instructions that all IS personnel must follow when completing their assigned duties. A policy establishes the broader guideline for delegating responsibility and authority to individuals in the enterprise. Procedures establish the instructions that individuals must follow to complete their daily assigned tasks.
Example of a policy: "All requests for changes to existing programs must be approved by user and IS management before programmers and analysts can work on them".
• Documented policies should exist in IS for:
  - Use of IS resources
  - Physical security
  - Data security
  - On-line security
  - Use of terminals
  - Reviewing, evaluating and purchasing hardware and software
  - System development methodology
  - Application program changes
• Documented procedures should exist for all data processing activities.
3. Job descriptions: A job description shows management's specific expectations for job performance. It establishes instructions on how to do the job and defines the authority of the employee. All jobs must have a current, documented job description readily available to the employee. Job descriptions establish the responsibility and accountability of the employee's actions.
4. Segregation of duties: This is a common control technique aimed at separating conflicting job duties, primarily to discourage fraud, because separating duties makes collusion necessary to commit a fraud. Such separation can also force an accuracy check of one person's work by another, so that employees to some extent review each other. Examples of segregation of duties are:
- Systems software programming group from the application programming group
- Database administration group from other data processing activities
- Computer hardware operations from the other groups
- Application programming group into various subgroups for individual application systems
- Systems analyst function from the programming function
- Physical, data and online security group(s) from the other IS functions
- IS Audit
From a functional perspective, segregation of duties should be maintained between the following functions:
- Data entry
- Network management
- System administration
- Systems development and maintenance
- Change management
- Security administration
- Security audit


2. Management Controls: The scope of control here includes framing overall high level IT policies, procedures and standards and establishing a sound internal control framework within the organization. The high level policies establish a framework on which the controls for the lower hierarchy of the enterprise are designed. The controls to be considered when reviewing the organization and management controls in an IS system include:
1. Senior management responsibility: There should be a strategy to have senior management personnel responsible for the IS function.
2. An official IT structure: There should be a prescribed organization structure, with all staff informed of their roles and responsibilities through written and agreed job descriptions.
3. An IT steering committee: The steering committee comprises user representatives from all areas of the business, and IT personnel. The committee is responsible for the overall direction of IT.

3. Financial Control Techniques: These controls are generally defined as the procedures exercised by management for the financial integrity of transactions, from system input through processing to output. The financial control techniques are numerous. A few examples are highlighted here:
1. Authorization: This control involves obtaining the authority to perform some kind of transaction or to access some kind of information.
2. Budgets: Budgets include estimates of the amount of time or money expected to be spent during a particular period of time, project or event. The budget alone is not an effective control; it must be compared with actual performance and the variances investigated.
3. Cancellation of documents: In this control a document is marked in such a way as to prevent its reuse. This is a typical control over invoices, marking them with a "paid" or "processed" stamp or punching a hole in the document.
4. Documentation: This includes written or typed explanations of actions taken on specific transactions; it also refers to written or typed instructions which explain how tasks are to be performed.
5. Dual control (Dual access): A control procedure whereby the active involvement of two people is required to complete a specified process. Such control may be physical, e.g. two persons required to unlock the data safe, or logical, as in the case of a higher level authorization password required to permit the entry of data created or amended by another person. In dual access only the access to the system requires two users; thereafter one user alone can proceed to do the task.
6. Input/output verification: This entails comparing the information provided by a computer system to the input documents. It is usually aimed at totals such as hash totals, dollar totals and item counts.
7. Safekeeping: This entails physically securing assets, such as computer disks, under lock and key in a desk drawer, file cabinet, storeroom or vault.
8. Segregation of duties: This entails assigning related functions to separate people, to provide reasonable assurance against fraud and an accuracy check of the other person's work. For example, the responsibilities for making financial entries to the application and to the general ledger should be separated.
9. Sequentially numbered documents: These are working documents with preprinted sequential numbers, which enable the detection of missing documents.
10. Supervisory review: This refers to the review of specific work by a supervisor. This control requires a sign-off on the documents by the supervisor, in order to provide evidence that the supervisor at least handled them.


4. Data Processing Environment Controls:
• These controls are hardware and software related and include procedures exercised in the IS environmental areas.
• The IS environmental areas include system software programming, on-line programming, on-line transaction systems, database administration, media library, application program change control and the data center.
5. Physical Access Controls: These controls relate to the procedures exercised on access by employees and outsiders to IT resources.
• The controls relate to establishing appropriate physical security and access control measures for IT facilities, including off-site use of information devices, in conformance with the general security policy.
• Physical security and access controls should address not only the area containing system hardware, but also the locations of wiring used to connect elements of the system, supporting services (such as electric power), backup media and any other elements required for the system's operation.
• Other measures relate to visitor escort, personnel health and safety, protection against environmental factors and uninterruptible power supply.
6. Logical Access Controls:
• Logical access controls are implemented to ensure that access to systems, data and programs is restricted to authorized users, so as to safeguard information against unauthorized use, disclosure, modification, damage or loss.
• The key factors considered in designing logical access controls include confidentiality and privacy requirements, authorization, authentication and access control, user identification and authorization profiles, incident handling, reporting and follow-up, virus prevention and detection, firewalls, centralized security administration, user training, and tools for monitoring compliance, intrusion testing and reporting.
7. SDLC (System Development Life Cycle) Controls: These are functions and activities, generally performed manually, that control the development of application systems, whether through in-house design and programming or package purchase.
• The first control requirement is system development standards that specify the activities that should occur in each SDLC phase. For example, these standards specify the type and quantity of testing that should be conducted.
• The second element of control is documented procedures which communicate how the activities in each phase should be accomplished. These procedures establish control functions in each phase.
8. Business Continuity (BCP) Controls:
• These controls relate to having an operational and tested IT continuity plan which is in line with the overall business continuity plan.
• The controls include criticality classification, alternative procedures, back-up and recovery, systematic and regular testing and training, monitoring and escalation processes, internal and external organizational responsibilities, business continuity activation, fallback and resumption plans, assessment of single points of failure, and problem management.
9. Application Control Techniques:
• The objective of application controls is to ensure that data remains complete, accurate and valid during its input, update and storage.
• The specific controls could include form design, source document controls, input, processing and output controls, media identification, movement and library management, data back-up and recovery, authentication and integrity, data ownership, data administration policies, integration and consistency across platforms, and legal and regulatory requirements.
• Any function or activity that works to ensure the processing accuracy of the application can be considered an application control.


◙ Audit trail: In a computerized environment an audit trail means the logs that record activity at the system, application and user level. It is one of the most important detective controls and helps to implement the security policy of the organization. The objectives of an audit trail are:
1. Detecting unauthorized access to the system: Audit logs show the access attempts made by any person into the system. The user ID used for such access, together with other information like time of access, number of attempts etc., is logged by the system.
2. Facilitating the reconstruction of events: It helps to create a complete description of the situation and conditions at the time of a particular event. In this way the exact reason for the problem that occurred can be investigated.
3. Creating personal accountability: Every user works in the system using his login ID and leaves his footprints in the form of audit logs. Later it can easily be established which user did which transactions with the help of the audit logs.
Problem in implementing audit trails: Audit logs generate data in great detail. Important information can easily get lost among the superfluous details of routine operations. Thus poorly designed logs can actually be dysfunctional.
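The three objectives above, and the "superfluous detail" problem, can be made concrete by running detection logic over a few log lines. The following is an added example and not part of the original notes: the log format, every line in it, the field names (user, action, result, src, object) and the thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original notes.  The log format and every
# line below are constructed; the field names and thresholds are assumptions.
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=svc-batch action=HEARTBEAT result=OK src=10.0.0.2
2024-03-01T09:01:10 user=asha action=LOGIN result=FAIL src=10.0.0.5
2024-03-01T09:01:25 user=asha action=LOGIN result=FAIL src=10.0.0.5
2024-03-01T09:01:40 user=asha action=LOGIN result=FAIL src=10.0.0.5
2024-03-01T09:02:02 user=asha action=LOGIN result=OK src=10.0.0.5
2024-03-01T09:03:15 user=asha action=UPDATE result=OK src=10.0.0.5 object=PAYRATE_TABLE
2024-03-01T09:05:00 user=svc-batch action=HEARTBEAT result=OK src=10.0.0.2
2024-03-01T09:07:44 user=ravi action=LOGIN result=OK src=10.0.0.9
2024-03-01T09:08:10 user=ravi action=READ result=OK src=10.0.0.9 object=GL_LEDGER
"""

NOISE_ACTIONS = {"HEARTBEAT"}   # routine events that bury the useful entries


def parse(log_text):
    """One dict per line: the timestamp plus the key=value fields."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        event = dict(kv.split("=", 1) for kv in rest.split())
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def filter_noise(events):
    """Keep the log usable: drop routine entries before analysis (the superfluous-detail problem)."""
    return [e for e in events if e["action"] not in NOISE_ACTIONS]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Objective 1: unauthorized access attempts, as N failed logins per (user, source) inside a window."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN" and e["result"] == "FAIL":
            failures[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"user": user, "src": src, "count": threshold, "first": times[i]})
                break
    return alerts


def reconstruct(events, user):
    """Objectives 2 and 3: the ordered trail of one user's actions, on which accountability rests."""
    return [(e["ts"].isoformat(), e["action"], e["result"], e.get("object", "-"))
            for e in sorted(events, key=lambda e: e["ts"]) if e["user"] == user]


def who_changed(events, obj):
    """Every UPDATE to a given object, with user and time: the trail for standing-data tables."""
    return [(e["ts"].isoformat(), e["user"])
            for e in events if e["action"] == "UPDATE" and e.get("object") == obj]
```

On the constructed lines, the noise filter removes the two heartbeat entries, the burst detector reports three failed logins for asha from 10.0.0.5 inside thirty seconds, and the reconstructed trail shows that the same login, once it succeeded, updated the pay rate table. That is the chain an auditor wants to be able to follow; the heartbeat entries would have added nothing to it.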


◙ Specific controls in IT environment:
1. User controls
2. Systems development and acquisition controls
3. Controls over system and program changes
4. Quality control
5. Controls over system implementation
6. Controls over systems maintenance
7. Controls over data integrity, privacy and security
8. Logical access controls
9. Physical access controls
10. Environmental controls
Now let us discuss these controls in detail.



Control No 1. User controls (Application system controls)
The objective of application controls is to ensure that data remains complete, accurate and valid during its input, update and storage.

User Controls:
(i) Boundary controls
(ii) Input controls
(iii) Processing controls
(iv) Output controls
(v) Database controls

(i) Boundary Controls: The major controls of the boundary subsystem are the access control mechanisms. Access controls are implemented over an access mechanism which links authentic users to the authorized resources they are permitted to access. The access control mechanism uses a three step process of identification, authentication and authorization. The user can provide three classes of input information for the authentication process and so gain access to the resources he requires. The three classes of information and the corresponding input to the boundary control are summarized in the table below.

Class of information        Type of input
Personal information        Name, date of birth, account number, password, PIN
Personal characteristics    Signature, fingerprint, voice, retina
Personal objects            ID card, badge, key, token

Boundary control techniques are:
- Cryptography
- Passwords
- Personal identification number (PIN)
- Identification cards

(ii) Input Controls: Input controls are responsible for ensuring the accuracy and completeness of data and instructions input into an application system. Input controls are important since substantial time is spent on the input of data, which involves human intervention, and therefore there are more chances of error and fraud.
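The identification, authentication and authorization steps of a boundary control, and the segregation-of-duties rule from the organizational controls section (a person must not hold conflicting functions), fit together in one small access mechanism. The block below is an added example and not the notes' own material: the role names follow the notes' functional segregation-of-duties list, but the conflict pairs, the permission table, the PBKDF2 parameters and the user data are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added example, not from the original notes.  Role names follow the notes'
# segregation-of-duties list; the conflict pairs, permissions and PBKDF2
# parameters are assumptions for illustration.
PBKDF2_ITERATIONS = 50_000  # assumed; raise for production use


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class BoundaryControl:
    # Pairs of functions one person must not hold at the same time (assumed matrix).
    CONFLICTS = [
        frozenset({"systems_development", "change_management"}),
        frozenset({"security_administration", "security_audit"}),
        frozenset({"data_entry", "system_administration"}),
    ]
    # Role -> permissions it grants (assumed).
    PERMISSIONS = {
        "data_entry": {"post_invoice"},
        "change_management": {"approve_change"},
        "systems_development": {"edit_program"},
        "security_administration": {"create_user"},
        "security_audit": {"read_audit_log"},
        "system_administration": {"restart_service"},
    }

    def __init__(self):
        self.users = {}
        self.audit = []  # every identification and authorization decision is logged

    def add_user(self, uid, password, roles):
        """Refuse to create a user whose roles violate segregation of duties."""
        roles = set(roles)
        for pair in self.CONFLICTS:
            if pair <= roles:
                raise ValueError(f"{uid}: conflicting duties {sorted(pair)}")
        salt, digest = hash_password(password)
        self.users[uid] = {"salt": salt, "hash": digest, "roles": roles}

    def login(self, uid, password):
        """Identification (is the id known?) then authentication (does the password match?)."""
        user = self.users.get(uid)
        if user is None:
            hash_password(password)  # spend the same time for unknown ids, so timing does not reveal them
            self.audit.append((uid, "LOGIN", "FAIL"))
            return None
        _, digest = hash_password(password, user["salt"])
        ok = hmac.compare_digest(digest, user["hash"])  # constant-time comparison
        self.audit.append((uid, "LOGIN", "OK" if ok else "FAIL"))
        return {"uid": uid, "roles": frozenset(user["roles"])} if ok else None

    def authorize(self, session, permission):
        """Authorization: does any role in the session carry the requested permission?"""
        if session is None:
            self.audit.append(("-", permission, "DENY"))
            return False
        allowed = any(permission in self.PERMISSIONS.get(r, set()) for r in session["roles"])
        self.audit.append((session["uid"], permission, "OK" if allowed else "DENY"))
        return allowed
```

Two design points are worth noting. The unknown-user path deliberately performs a hash computation before failing, so that a wrong user id and a wrong password take the same time and return the same answer; otherwise the login screen leaks which ids exist. And the segregation-of-duties check sits at user creation rather than at each request, which is where an auditor reviewing the user list expects the control to be enforced.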


Types of data coding errors:
• Addition: Addition of an extra character in a code, e.g. 54329 coded as 543219
• Truncation: Omission of a character in the code, e.g. 54329 coded as 5439
• Transcription: Recording a wrong character, e.g. 54329 coded as 55329
• Transposition: Reversing adjacent characters, e.g. 54329 coded as 45329
• Double transposition: Reversing characters separated by one or more characters, e.g. 54329 entered as 52349
Factors affecting coding errors are as follows:
• Length of the code: Long codes have more chances of error. Long codes should be broken up using hyphens, slashes or spaces to reduce coding errors.
• Alphabetic-numeric mix: If both letters and digits are used, the code should group them separately. Intermingling both results in more errors.
• Choice of characters: Certain letters are confused with numerals: B, I, O, S, V and Z may be read as 8, 1, 0, 5, U and 2 when written on a source document and entered into the system. Such characters should be avoided.
• Mixing uppercase/lowercase: Upper case and lower case should NOT be mixed in codes, since they slow down keying because of the shift key, and such codes have more chances of error.
• Sequence of characters: Character sequence should be maintained as far as possible, such as using ABC instead of ACB.
List of input controls (Data validation controls):
- Proper form design
- Pre-printed forms wherever possible
- Check digit verification
- Field check
- Missing data check (record count)
- Completeness check
- Table lookup check
- Redundant data check
- Automatic system data entry
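Check digit verification is the input control that targets the coding errors listed above, and it is worth seeing which of the five it actually catches. The block below is an added example, not from the original notes: the five error names follow the notes' taxonomy, the code 54329 is the notes' own, and the check-digit scheme is assumed to be Luhn (mod 10), one common choice that the notes do not specify.

```python
# Added example, not from the original notes.  Error names follow the notes'
# taxonomy; the check-digit scheme is assumed to be Luhn (mod 10).


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn check digit to append to a string of digits."""
    total = 0
    # Walk from the rightmost body digit; every other digit is doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(code: str) -> bool:
    """Check digit verification: recompute the digit and compare it with the last one keyed."""
    if not code.isdigit() or len(code) < 2:
        return False
    return luhn_check_digit(code[:-1]) == code[-1]


def classify_error(original: str, entered: str) -> str:
    """Name the coding error that turned `original` into `entered`."""
    if original == entered:
        return "none"
    n, m = len(original), len(entered)
    if m == n + 1 and any(entered[:i] + entered[i + 1:] == original for i in range(m)):
        return "addition"
    if m == n - 1 and any(original[:i] + original[i + 1:] == entered for i in range(n)):
        return "truncation"
    if m == n:
        diffs = [i for i, (a, b) in enumerate(zip(original, entered)) if a != b]
        if len(diffs) == 1:
            return "transcription"
        if len(diffs) == 2:
            i, j = diffs
            if original[i] == entered[j] and original[j] == entered[i]:
                return "transposition" if j == i + 1 else "double transposition"
    return "other"


# Constructed sample: the notes' code 54329 with a Luhn digit appended,
# and one mis-keyed version per error type.
VALID_CODE = "54329" + luhn_check_digit("54329")   # "543298"
MISKEYED = {
    "addition": "5432198",
    "truncation": "54398",
    "transcription": "553298",
    "transposition": "453298",
    "double transposition": "523498",
}


def run_demo():
    """For each mis-keyed code: (error type recognised, did the check digit catch it?)."""
    return {name: (classify_error(VALID_CODE, code), not luhn_valid(code))
            for name, code in MISKEYED.items()}
```

Running the demo shows the caveat a practitioner needs: the mod-10 digit catches the addition, truncation, transcription and adjacent transposition, but not the double transposition 543298 to 523498, because the two swapped digits sit in positions of the same parity and contribute the same weighted sum either way. A weighted mod-11 scheme with distinct weights per position does detect that case, which is why the choice of check-digit algorithm belongs in the control design rather than being left to the form designer.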

(iii) Processing Controls: Data processing controls perform validation checks to identify errors during the processing of data. They are required to ensure both the completeness and the accuracy of the data being processed. Data processing controls are:
- Run-to-run totals: These help in verifying data that passes through different stages of processing. If the current balance of an invoice ledger is Rs 150,000 and the additional invoices for the period total Rs 20,000, then the total sales value should be Rs 170,000. A specific record (probably the last record) can be used to maintain the control total.
- Reasonableness verification: Two or more fields can be compared and cross verified to ensure their correctness. For example the statutory percentage of PF can be calculated on the gross pay amount to verify that the provident fund contribution deducted is accurate.
- Edit checks: Edit checks are similar to the data validation controls and can also be used at the processing stage to verify the accuracy and completeness of data.
- Field initialization: Data overflow can occur if data is added to a table or field without initializing it, i.e. setting all values to zero before inserting the field or record.
- Exception reports: Exception reports are generated to identify errors in the data processed. Such reports give the exception transaction and why the particular transaction was not processed, or what the error in processing it was. For example, while processing a journal entry, if only the debit entry was updated and the credit entry was not because an important field was absent, the exception report would detail the transaction code and why it was not updated in the database.
- Existence/Recovery controls: The check-point/restart log facility is a short-term backup and recovery control that enables a system to be recovered if a failure is temporary and localized.
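Run-to-run totals, hash totals, reasonableness verification and the exception report are easiest to understand as one batch run. The following is an added example and not part of the original notes: the payroll batch, its header control totals, the opening balance and the 12% PF rate are constructed assumptions for illustration (the notes mention a statutory PF percentage but do not give one).

```python
# Added example, not from the original notes.  The batch, its header control
# totals, the opening balance and the PF rate are constructed assumptions.
PF_RATE = 0.12                # assumed statutory provident-fund rate
OPENING_BALANCE = 150_000     # run-to-run: control total carried from the previous run

# Constructed batch: header control totals keyed by the operator, then the records.
BATCH_HEADER = {"record_count": 4, "hash_total": 4010, "gross_total": 120_000}
BATCH = [
    {"emp_id": 1001, "gross": 30_000, "pf": 3_600},
    {"emp_id": 1002, "gross": 40_000, "pf": 4_800},
    {"emp_id": 1003, "gross": 25_000, "pf": 2_000},   # PF does not agree with gross: exception
    {"emp_id": 1004, "gross": 25_000, "pf": 3_000},
]


def batch_totals(records):
    """Recompute the header control totals from the records actually received."""
    return {
        "record_count": len(records),
        "hash_total": sum(r["emp_id"] for r in records),  # meaningless sum of IDs; catches dropped or altered records
        "gross_total": sum(r["gross"] for r in records),
    }


def pf_is_reasonable(rec, tolerance=1):
    """Reasonableness verification: PF deducted must agree with PF computed from gross pay."""
    expected = round(rec["gross"] * PF_RATE)
    return abs(rec["pf"] - expected) <= tolerance, expected


def process_batch(header, records, opening_balance):
    """Post a batch; return the processed records, the exception report and the run-to-run totals."""
    result = {"processed": [], "exceptions": [], "opening": opening_balance}
    computed = batch_totals(records)
    if computed != header:
        # Batch-level control failed: post nothing and report the mismatch.
        result["exceptions"].append(("BATCH", f"control totals mismatch: header={header} computed={computed}"))
        result["closing"] = opening_balance
        return result
    for rec in records:
        ok, expected = pf_is_reasonable(rec)
        if not ok:
            # Exception report entry: which record, and why it was not processed.
            result["exceptions"].append((rec["emp_id"], f"PF {rec['pf']} unreasonable; expected about {expected}"))
            continue
        result["processed"].append(rec)
    posted = sum(r["gross"] for r in result["processed"])
    result["closing"] = opening_balance + posted  # run-to-run total handed to the next run
    return result


def run_to_run_ok(previous_closing, this_opening):
    """The opening total of a run must equal the closing total of the run before it."""
    return previous_closing == this_opening
```

With the constructed batch, records 1001, 1002 and 1004 post and the closing total becomes Rs 245,000 (the opening Rs 150,000 plus Rs 95,000 of gross pay actually posted); record 1003 appears on the exception report with the reason. If one record is dropped from the file before processing, the recomputed hash total and record count no longer match the header and the whole batch is held rather than partly posted, which is the behaviour the batch controls exist to guarantee.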


(iv) Output Controls: These controls ensure that the data delivered to users is presented, formatted and delivered in a consistent and secure manner, and that the confidentiality and integrity of the output is maintained. Output can be in any form: a printed report, a database file on removable media such as a floppy disk or CD-ROM, or a Word document on the computer's hard disk. Some output controls are:
- Storage and logging of sensitive, critical forms: Pre-printed stationery should be stored securely to prevent unauthorized usage. Only authorized persons should be allowed access to stationery supplies such as security forms, negotiable instruments etc.
- Log of output program execution: When programs for output of data are executed, a proper log of such activity should be maintained.
- Control over spooling: Files waiting for printing should be securely stored so that they cannot be modified or deleted without authorization.
- Control over printing: Unauthorized disclosure of information through printing must be prevented. Users must be trained to select the correct printer, and access restrictions may be placed on the workstations that can be used for printing.
- Report distribution and collection controls: Reports should be distributed in a secure way to ensure that there is no unauthorized disclosure of data. The following points should be taken care of:
  • Distribution should be immediately after printing
  • A log of reports generated and distributed should be maintained
  • The user should be responsible for timely collection of the report
  • Uncollected reports should be stored securely
- Retention controls: Retention controls consider the duration for which outputs should be retained before being destroyed. Retention control requires that a date be determined for each output item produced.
Various factors ranging from the need of the output, use of the output, to legislative requirements would affect the retention period − Existence/Recovery Controls: These controls are needed to recover output in the event that it is lost or destroyed. − Shredding of output: Shredding means cutting paper or CD or any other storage media into very small pieces using automatic shredding machines. (v) Database Controls: These are meant for protecting the integrity of a database. Three types of database controls are: • Update controls: • Report controls: • Recovery controls: Let us discuss each one of these controls: • −

− −



Update controls: Sequence check of transaction and master files: When a transaction file is updating a master file it is important that they have same sequence of tables and fields. The sequence can get out of order due to incorrect patches or errors in program which results in incorrect sequence. Ensure all records on files are processed: To ensure that all the records in a transaction file are processed and updated in the master file, end-of-file protocols must be followed. Processing of multiple transactions for a single master record in the correct order: Multiple transactions can occur based on a single master record e.g. dispatch of a product to different distribution centers of a customer. Here the order in which transactions are process must be done based on a sorted transaction codes i.e. correct quantity should be recorded for each location. Maintain a suspense account: When updating the master record with the transaction record results in a mismatch due to failure in the corresponding record entry in the master record then these transactions are maintained in a suspense account. A non-zero balance of the suspense accounts reflect the errors to be corrected.

• Report controls:
− Control over standing data: Application programs use many internal tables to perform various functions, such as gross pay calculation, billing calculation based on a price table, bank interest calculation etc. Maintaining the integrity of the pay rate table, price table and interest table is critical within an organization. Any changes or errors in these tables would adversely affect the organization’s basic functions. Periodic monitoring of these internal tables, by manual check or by calculating a control total, is mandatory.
− Print run-to-run control totals: Run-to-run control totals help in identifying errors or irregularities such as a record erroneously dropped from a transaction file, a wrong sequence of updating, or application software processing errors.
− Print suspense account entries: Similar to the update controls, the suspense account entries are to be periodically monitored against the respective error file and action taken on time.
• Recovery controls:
− Back-up and recovery strategies are important to restore the database in case of a database failure.
− Backup and recovery strategies are implemented using a prior version of the database plus a log of the transactions or changes made to the database since that version.
− Recovery strategies involve roll-forward (reconstructing the current state of the database from a previous version) or rollback (reconstructing a previous state of the database from the current version).
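The processing controls above (run-to-run totals, a control record carrying the batch total, exception reports) and the update and report controls (sequence check, end-of-file processing, suspense account) in one batch update run, as an added example that is not part of the study notes. The master file, transaction file and trailer control record layout are constructed assumptions.

```python
"""Master-file update run with run-to-run totals, sequence check, trailer control
record, suspense account and exception report (added example, not from the
study notes; all data is constructed)."""
from copy import deepcopy

# Constructed master file: account code -> opening balance (whole rupees)
MASTER = {"A001": 150_000, "A002": 40_000, "A003": 12_500}

# Constructed transaction file in sequence order. The last record is an assumed
# trailer control record carrying the batch's record count and control total.
TRANSACTIONS = [
    {"seq": 1, "account": "A001", "amount": 20_000},
    {"seq": 2, "account": "A002", "amount": -5_000},
    {"seq": 4, "account": "A003", "amount": 3_000},   # seq 3 missing: a dropped record
    {"seq": 5, "account": "A999", "amount": 7_000},   # no such master record
    {"seq": 6, "account": "CONTROL", "count": 5, "total": 25_000},
]


def update_master(master, transactions):
    """Apply a transaction file to a copy of the master file and return the
    updated master, the suspense account, the exception report and the
    run-to-run control totals."""
    master = deepcopy(master)                 # never mutate the caller's master file
    opening_total = sum(master.values())      # run-to-run total carried in from last run
    suspense, exceptions = [], []
    processed, txn_total, expected_seq = 0, 0, 1
    trailer = None

    for txn in transactions:
        if txn["account"] == "CONTROL":       # end-of-file protocol: trailer record
            trailer = txn
            continue
        # Sequence check: a gap or reversal means a record was dropped or resorted
        if txn["seq"] != expected_seq:
            exceptions.append(
                f"seq {txn['seq']}: expected {expected_seq}, possible dropped record")
        expected_seq = txn["seq"] + 1
        processed += 1
        txn_total += txn["amount"]
        # No matching master record: park in suspense instead of silently dropping
        if txn["account"] not in master:
            suspense.append(txn)
            exceptions.append(
                f"seq {txn['seq']}: account {txn['account']} not on master file, moved to suspense")
            continue
        master[txn["account"]] += txn["amount"]

    # Compare what was processed with the control record written by the sender
    if trailer is None:
        exceptions.append("trailer control record missing")
    else:
        if trailer["count"] != processed:
            exceptions.append(f"record count {processed} != control count {trailer['count']}")
        if trailer["total"] != txn_total:
            exceptions.append(f"transaction total {txn_total} != control total {trailer['total']}")

    closing_total = sum(master.values())
    suspense_balance = sum(t["amount"] for t in suspense)
    return {
        "master": master,
        "suspense": suspense,
        "suspense_balance": suspense_balance,
        "exceptions": exceptions,
        "opening_total": opening_total,
        "transaction_total": txn_total,
        "closing_total": closing_total,
        # Run-to-run check: opening + transactions must equal closing + suspense
        "run_to_run_ok": opening_total + txn_total == closing_total + suspense_balance,
    }


if __name__ == "__main__":
    result = update_master(MASTER, TRANSACTIONS)
    print("Exception report:")
    for line in result["exceptions"]:
        print("  ", line)
    print("Run-to-run totals reconcile:", result["run_to_run_ok"])
    print("Suspense balance (non-zero means errors to correct):", result["suspense_balance"])
```

Running it reports the sequence gap at seq 4, the unmatched account parked in suspense, and the record-count mismatch against the trailer, while the run-to-run totals still reconcile because the suspense balance is included.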

Control No 2. Systems development and acquisition control
− Systems development means developing new information systems or replacing an old system with a new one within the organization.
− System acquisition means acquiring a new information system from outside vendors.
− In both cases there should be a formal and well documented methodology to govern the activity.

Control over systems development phase and auditor’s role:
(i) Problem definition: In this phase the problems and opportunities in the existing system are identified so that solutions can be developed for them.
Controls:
o Proper investigation of the problem
o Support of top management
o Understanding the impact of possible solutions
Auditor’s role:
o Ensure that stakeholders have reached agreement on the problem or opportunity
o Ensure that stakeholders understand the risks associated with the possible solution

(ii) Management of change process: Management of the change process runs parallel to all the phases of the SDLC.
Controls:
o Promoting the need for change
o Preparing the organization (employees) for change through feedback, training and participatory decision making
o Helping users understand their new roles and responsibilities
Auditor’s role:
o Review the change management policies and procedures.
o Evaluate the quality of decisions made about project management and change facilitation

(iii) Entry and feasibility assessment: The purpose of the entry and feasibility assessment phase is to evaluate whether cost-effective solutions are available to address the problems that have been identified.
Controls:
o Technical feasibility: Is the technology available to support the proposed project?
o Operational feasibility: Is the system usable?
o Economic feasibility: Do the benefits of the system exceed its cost?
o Behavioral feasibility: What impact will the new system have on the users’ work?
Auditor’s role:
o Review feasibility reports
o Check that the proposed system is not imposed on the stakeholders.
(iv) Analysis of the existing system: To design a new system, it is first essential to understand the existing system.
Controls:
o Study the existing organizational history, structure and culture
o Study the existing information flows
Auditor’s role:
o Review the methodologies used to analyze the existing system

(v) Formulation of strategic requirements: The strategic requirements for the system specify the overall goals and objectives and the new system’s specifications. These are defined in the systems requirement specification (SRS) document.
Control:
o Formulation of documented strategic requirements
Auditor’s role:
o Review the overall quality of the SRS
o Check that the SRS is aligned with the overall business objectives of the organization

(vi) Organizational and job design: The proposed new system can require redesign of the organizational structure and jobs. This can result in behavioral problems amongst its stakeholders.
Controls:
o The roles and responsibilities of the end-users should be defined and documented
Auditor’s role:
o Review the organizational structure to see that there is no conflict of duties.
o Assess the control risk associated with duties and responsibilities and increase substantive testing if required.

(vii) Information processing systems design: In this phase the actual design work of the new information system is done.
Controls:
o User requirement mapping – interviews, group discussions (GD), prototyping
o User interface design – screen layouts, report formats, logos/icons
o Platform design – modularity and generality
o Physical design – modularity
o Database design – conceptual modeling, data modeling and storage layout
Auditor’s role:
o Check that the user requirements of all the stakeholders have been considered
o Check that the user interface is easy to understand
o Check the cost effectiveness and efficiency of the system
(viii) Application Software Acquisition/Selection Process: After the information processing system design phase is complete, application software has to be acquired or developed.
Controls:
o Deciding the evaluation criteria used in the vendor selection process, such as stability of the vendor, existing customer base of the vendor, after-sales support, customization support etc.
o Detailed Request For Proposal (RFP) to be prepared
o Technical comparative study of the available software
o Cost-benefit analysis including the hardware support required
Auditor’s role:
o Review the vendor selection process
o Check the adequacy of the RFP (request for proposal)
o Review contracts with vendors for safeguards and completeness

Control No 3. Control over system and program changes
Change management: All changes, including emergency maintenance and patches, relating to systems and applications within the organization must be formally managed in a controlled manner. Changes (including procedures, processes, system and service parameters) must be logged, assessed and authorized before implementation, and reviewed against planned outcomes after implementation. This reduces the risk of negatively impacting the stability or integrity of the production environment.
Risks associated with changes in a system:
i) Unauthorized changes coming into the system
ii) Data loss during the change process
iii) Poor segregation of duties during the change process
iv) System breakdown or instability during the change process
v) New types of errors coming into the system
Change management controls:
i) Documented change management policy and procedures.
ii) Periodic review of all systems for the need for change.
iii) Change requests to be made in a standardized format.
iv) Assess the impact of the requested change on the system.
v) Set priorities for change requests.
vi) Specific procedures for urgent and emergency changes.
vii) Segregation of duties in system change procedures.
viii) Checks over access rights during system change procedures.
ix) All changes should go through development, testing and implementation phases.
x) Testing of changes in a non-production environment before implementation.
xi) Proper back-up plans for critical processes.
xii) Quality check procedures to see that all standards and procedures were followed.

Authorization control: Authorization control means all the changes in the system should be properly authorized by the management before they are implemented. Management should review the change request before giving the authorization.


Documentation control: Documentation control means that each and every policy, procedure, standard and approval should be well documented and preserved methodically. A request for change (RFC) should be in a standard format and should be logged. A reference number should be given to each RFC so that the change can be properly tracked.
Testing and quality control: Testing and quality control procedures ensure that the system changes have been thoroughly tested and proper quality control procedures have been followed. Quality control standards like ISO 9000 or BS7799 can be used for such functions. To meet this objective it will be necessary to confirm that the new system:
i) conforms with the organization’s technical policies and standards
ii) performs all the required functions
iii) can be used by the staff for whom it is intended
iv) meets its performance objectives
v) is reliable in operation
IS auditor’s role: The auditor’s checklist for the assessment of system and program changes includes:
i) Is the process of system and program change well documented?
ii) Review the change authorization procedure to see that the proper authority has authorized the change request.
iii) Check that quality review procedures are being followed.
iv) Have all the components of the change passed the quality control procedures?
v) Have defects discovered during quality review been corrected?
vi) Review the roles and responsibilities of staff during change procedures.
vii) Review the segregation of duties during change procedures.
viii) Check the back-up and contingency plans during change procedures.
ix) Check that user manuals have also been updated according to the change.
x) Check the procedure for reporting failures during testing of the changes.
xi) Check data migration procedures and migration reports.
xii) Check that new and old parameters are compatible.

Control No 4. Quality control
Quality control management is concerned with ensuring that:
1) the information systems produced by the information systems function achieve certain quality goals, and
2) development, implementation, operation and maintenance of information systems comply with a set of quality standards.
Quality control management includes the following aspects:
− Establishment of a quality culture
− Defining quality plans and quality control practices
− Defining quality assurance responsibilities
− Quality control in the system development life cycle methodology
− Program and system testing and documentation
− Conducting quality assurance reviews and reporting
− Training and involvement of end-user and quality assurance personnel
− Development of a quality assurance knowledge base
− Benchmarking against industry norms

Quality Standards: Quality management controls are implemented in order to drive maturity into the organizational processes. Two important quality standards are:

(i) Capability Maturity Model Integration (CMMI): CMMI was developed by the Software Engineering Institute (SEI). It is a framework for organizing and assessing the maturity level of IT processes for software development and for the maintenance of products and services. Software process maturity is the extent to which a specific process is explicitly defined, managed, measured and controlled, and is effective. A detailed discussion of the five levels of CMM is given in chapter 8. The five levels of CMM are:
Level 1 – Initial
Level 2 – Repeatable
Level 3 – Defined
Level 4 – Managed
Level 5 – Optimizing

(ii) ISO 9000 Quality Management and Quality Assurance Standards: ISO 9000 is a family of standards for quality management systems. Certification to the ISO 9001 standard does not guarantee any quality of end products and services; rather, it certifies that formalized business processes are being applied. Some of the requirements in ISO 9000 include a set of procedures that cover all key processes in the business:
(a) monitoring processes to ensure they are effective
(b) keeping adequate records of processes and activities
(c) checking output for defects, with appropriate and corrective action where necessary
(d) regularly reviewing individual processes and the quality system itself for effectiveness
(e) facilitating continual improvement

Auditor’s Role: The following are the general questions that the auditor will need to consider for quality control:
i) Does the system design follow a defined and acceptable standard?
ii) Are completed designs discussed and agreed with the users?
iii) Do the project’s quality assurance procedures ensure that project documentation (e.g. design documents, specifications, test and installation plans) is as per the organization’s technical standards and policies?
iv) Do quality reviews follow a defined and acceptable standard?
v) Are quality reviews carried out under the direction of a technically competent person who is managerially independent of the design team?
vi) Are auditors/security staff invited to comment on the internal control aspects of system designs and development specifications?
vii) Are statistics of defects uncovered during quality reviews and other forms of quality control maintained and analyzed for trends?
viii) Are defects uncovered during quality reviews always corrected?
ix) Have all system resources (hardware, software, documentation) that have passed quality review been placed under change control management and version control?
x) Has a System Installation Plan been developed and quality reviewed?
xi) Has a Training Plan been developed and quality reviewed? Have sufficient time and resources been allocated to its delivery?
Copyright Violations:
• Software programs can easily be copied or installed on multiple computers.
• It is necessary for organizations to specifically address software piracy in training, in policy and procedures, or in the application of general internal controls.
• Violation of copyright laws may lead to potential risk. The computing environment needs to be controlled to prevent software piracy and copyright violations.
• The Copyright Notice: Any information owned/created by the company and considered its intellectual property, whether written, printed or stored as data, must be labeled with a copyright notice in the following format: Copyright © [year] [Company Name] All Rights Reserved.


Contract / Warranties: IT-related contracts for software and hardware are as important for an organization as other business contracts. IT contracts should address two issues:
i) Meeting IT users’ expectations, so that the systems perform as intended
ii) Being able to file litigation in response to dissatisfaction with products or services
IT auditors can help companies avoid contract failures by designing good quality IT-related contracts. The evidence gathered by auditors can assist the organization in specifying both performance standards and remedies for non-performance. The review areas of IT-related contracts are:
i) Review of supplier contract terms to see that they do not limit supplier liability.
ii) Review of contract objectives and performance measurements to ensure objectives have been met.
iii) The acceptance criteria of goods and services should be made clear in the contract.
iv) The three key goals to achieve while contracting for computer goods and services are:
− Preparation of clear criteria for user requirements
− Negotiating a contract that assures supplier compliance, and
− Monitoring contract compliance
v) Identify major control weaknesses, problems and contract issues which require immediate management attention. The contract should also provide for an escrow agreement for the source code of the software.
vi) Does the contract reflect the organization’s requirements, and have appropriate levels within the organization verified them?
vii) Have the requirements been translated into measurable acceptance criteria that can be monitored and verified?
viii) Ensure that the RFP contains the needs and requirements and how they will be met.
ix) Was the legal consultant present at all meetings, and was documentation of the proceedings recorded?
x) What changes or agreements were reached in refining contract terms, and were they verified with management?
xi) Acceptance tests are performed on all products or services provided, and tests are documented and reviewed by management.
xii) The organization exercises its right to accept or decline the contract, and documentation supports its decision.
Service Level Agreements (SLA):
• The SLA is a formal agreement between a customer requiring services and the organization that is responsible for providing those services.
• It is not a legal contract in itself, but an essential component of one.
• The SLA states the required performance of the system in terms of its availability to users, response times, the number of transactions processed, and any other suitable criteria meaningful to the user.
• Performance indicators are to be agreed, and the delivered level of service is to be regularly monitored against that specified.
The service provider under an organization’s SLA could be the organization’s IT department, a facilities management contractor, an external agency, a telecommunications supplier, or a hardware maintenance contractor. The SLA should define the following:
i) The level of technical support to be provided to users.
ii) The procedures for proposing changes to the system.
iii) Standards of security over data access, and monitoring of system and network use.
iv) Emergency requirements
v) A schedule of charges for the services to be provided.


Auditor’s review: The auditor is to ensure that the following form a part of the SLA:
i) The service provider should comply with all legal requirements that are applicable to the outsourced activity.
ii) It should provide for a right-to-audit clause and the requirement of control responsibilities.
iii) Responsibility of the service provider to establish performance monitoring procedures.
iv) SAS 70 audit compliance by the service provider.
v) Business continuity measures to be put in place to ensure continuity of service.
vi) Non-disclosure requirements as regards the information and processes of the audited organization that are handled, and control stipulations in this regard.
vii) Insurance requirements.

Control No 5. Control over system implementation
New systems need to be made operational after development work is complete. Implementing the new system involves the following steps:
(i) Procedure development for conversion
(ii) Conversion of the old system into the new system
(iii) Acceptance testing
(iv) User training

(i) Procedure development:
• Procedures should cover the who, what, when, where and how of every aspect
• Procedures should cover both hardware and software implementation
• Every step of the system implementation procedure should be documented in clear terms
• The design of procedures should match the job responsibilities of the users
(ii) Conversion: Conversion from the old to the new system involves the following activities:
• Deciding the procedures for migrating data into the new application, determining what data can be converted through software and what data has to be converted manually
• Performing data cleansing before data conversion
• Identifying methods to verify the accuracy of the conversion, such as record counts and control totals
• Designing exception reports showing errors during data conversion
• Establishing responsibility for verifying, signing off and accepting the overall conversion by the system owner.
The conversion strategies are:
Direct / Abrupt Conversion: In this conversion scheme the old system is discarded and the new system is implemented at the same time. It reduces the cost of redundant processing, but if the new system fails for any reason the old system will not be available for recovery.
Phased Conversion: In this conversion scheme the old system is discarded in a phased manner and the new system is implemented module by module. In this way implementation becomes easier.


Parallel Conversion: In this conversion scheme the new system is implemented but the old system also continues to work for some time, until the new system becomes completely reliable.
Pilot implementation: The new system is first implemented in modules of non-critical units and then moved to larger units.
Auditor’s role: Has a Data Conversion Plan been drawn up and approved? Review the data conversion plan to see that it:
• Describes the data conversion strategy to be followed (e.g. the procedures for reconciling differing charts of accounts; the sequence of files to be converted; the conversion timetable)
• Allocates staff to each task and defines specific roles and responsibilities during conversion
• Defines procedures for identifying and correcting the quality of the existing data so that missing and incompatible data is corrected before conversion
• Defines procedures to deal with the correction of data rejected by the new system
• Provides for testing of tailor-made software that has been developed to support the data conversion task
• Defines the controls to assure that data has been transferred completely, accurately and correctly posted (e.g. hash and control totals, and record counts; checking a sample of detailed records back to the old system; reconciling balances between the two systems)
• Implements an effective separation of duties between those involved in transferring data and those involved in verifying that it has been correctly transferred
• Defines procedures to ensure that converted data is kept up to date in the new system
• Defines backup and recovery procedures for the converted data on the new system
• Defines how the audit trail is to be preserved after cut-over

(iii) Acceptance testing: Acceptance testing is a complete end-to-end test of the new system including all its manual procedures. It aims to provide confirmation that:
• The end user requirements have been met
• Operational documentation is accurate, comprehensive and usable
• End user documentation is accurate, comprehensive and usable
• Supporting manual procedures work effectively
• The help desk function is performing effectively
• Backup and recovery procedures are working effectively
In acceptance testing the following tests are done:
(a) Performance testing: This is expressed in terms of average response time and maximum response time for various computer applications. Response time means the time taken by the computer system to do the desired task for the user.
(b) Volume testing: This testing is done to check that the system can handle large volumes of data during its peak processing hours.
(c) Stress testing: This testing is done to check the tolerance limit of the system in handling a large volume of data in a very short time.
(d) Security testing: This test is done to check the system’s security controls.
(e) Clerical procedure checking: This testing is done to ensure that all manual procedures which are incidental to the system are well documented and working effectively.
(f) Back-up and recovery procedure testing: This testing aims to confirm that proper back-up and recovery mechanisms exist for data and configuration files.


Role of IS Auditor in the systems acceptance testing phase:
a) Review the acceptance testing plan to see that it covers all aspects of testing.
b) Is the acceptance testing plan:
- fully documented
- allocating adequate resources for testing
- defining individual roles and responsibilities
- fully involving end-users in testing
- including ancillary procedures
c) Segregation of duties during the testing phase.
d) Check that the system has built-in controls to ensure proper operation.
e) Check that the new system provides the capability to track events through the system and thus supports audit review of the system.
f) How the test data has been designed. It should contain every possible set of inputs so that the output can be seen in every possible way.
g) Are there adequate access controls during the testing phase to avoid unauthorized changes?
h) Is a sufficient audit trail of testing and changes maintained?
i) Are regression tests carried out to ensure that previously accepted areas of the new system continue to work after new changes have been implemented in the system?
(iv) User training:
• Training both the end-users and the IS operations personnel is critical for the efficient and effective implementation of a system. Training would involve:
− Managers’ training on an overview of the application systems. They may not use the system for entering routine transactions, but they will be using the reports generated by the new applications, so they should have an overview of the new system and its capabilities.
− End user training on how to use the software, enter the data and generate the output.
− IT staff training on the technical aspects of the new system, since they will be providing operational support for the new system.
− Systems administrator training
− Other support staff training
• Ongoing user support, along with training, is another important component needed to ensure a successful implementation.

Control No 6. Control over system maintenance
• System maintenance is an important phase during the implementation of a system.
• The maintenance phase involves making changes to hardware, software and documentation to support its operational effectiveness.
• Maintenance can be undertaken under the following three categories:
I. Corrective maintenance: It includes emergency program fixes and routine debugging of program errors.
II. Adaptive maintenance: It includes changes in the system as per changes in the user environment.
III. Perfective maintenance: It includes improvements in the system, improved documentation, and recoding to improve processing efficiency.
• To ensure that modifications do not disrupt operations or degrade a system’s performance or security, organizations should establish appropriate change management standards and procedures.
• Maintaining accurate, up-to-date hardware and software inventories is a critical part of all change management processes. Management should carefully document all modifications to ensure accurate system inventories.


Auditor’s Role: The effectiveness and efficiency of the system maintenance process is evaluated with the following metrics:
• The ratio of actual maintenance cost per application/department versus the average cost of all applications/departments.
• Average time to fix a problem or deliver change requests.
• The number of change requests for the system application that were related to bugs, critical errors and new functional specifications.
• The number of production problems per application.
• The instances of divergence from standard procedures, such as undocumented applications, unapproved designs and untested applications.
• The number of software modules returned to development due to errors discovered in acceptance testing.
Performance Measurement: Performance measurement is dependent on the business strategy and objectives of the organization. The aspects to be measured are:
• the value delivered by the IT system (tangible/intangible)
• the cost of IT services per unit of business function
• the response time of the system for a new or changed operation; and
• the ongoing costs of the system to maintain its effectiveness.
Common performance measurement techniques are:
• Throughput: Output per unit of time
• Utilization: Percentage of time the system is being productively used
• Response time: How long it takes the system to respond
Post implementation review:
- PIR is done to see whether the new system:
• Fulfills the business objectives, i.e. delivered within time and budget and producing the desired savings and benefits.
• Fulfills the user expectations, i.e. the new system is user friendly and efficient.
• Fulfills the technical requirements, i.e. scalability, ease of operation and maintenance, low running cost, and a ready interface with other systems.
- Timing: PIR should be done neither too early nor too late after the implementation. If the PIR is done just after implementation, users will not have had sufficient time to interact with the new system and discover the hidden problems. If the PIR is done too late, changing technology and other factors will make it difficult to review the benefits as they were originally planned.
- PIR team: The PIR team should not contain any staff who were responsible for the development of the new system, since their presence can bias the review. External consultants can be hired to make the team more impartial.
- Activities to be reviewed/undertaken in the PIR:
• The main functionality of the new system as per the user requirement specification.
• System performance and operations
• The development techniques and methodologies used in designing the new system
• Whether any change in user requirements was authorized before implementation
• Final conclusions and recommendations in a report format
• Identify any new benefit which was not anticipated
- Action on the PIR report: The authorizing authority, based on the PIR report, may:
• Approve the system
• Approve plans to modify the system
• Terminate the system and give instructions for a new course of action

- Control consideration: Auditor’s review during PIR:
• Interview end-users in each functional area to know their satisfaction level.
• Interview security, operations and maintenance staff to know their response.
• Whether the system fulfills all “user requirement specifications”.
• Whether the previous system has been removed and, if not, the reasons for that.
• Review problem reports of the new system.
• Check that internal controls in the new system are operating as planned.
• Check service level agreements with internal as well as external agencies.
• Check that the system’s back-up and restoration mechanism is documented and working.
• Review the “business case” which was responsible for the implementation of the new system, to check that all anticipated benefits have been achieved in the given time and cost.

Control No 7. Control over data integrity, privacy and security
Information classification: For effective control over information it is necessary to first classify it according to its sensitivity and importance and then exercise control over it. Information can be classified in the following categories:

Classification: Top secret
Description:
− Highly sensitive
− Relating to strategic issues
− E.g. investment plans, merger & acquisition plans, scientific designs etc.
Protection level:
− Highest security level
− Highly restricted distribution

Classification: Highly confidential
Description:
− Sensitive information
− Cannot be made public or even shared in the organization unnecessarily
− E.g. accounting information, confidential reports, customer details etc.
Protection level:
− High security level
− Restricted distribution

Classification: Proprietary
Description:
− Internal information about operations
− Strictly for use by authorized employees of the organization
− E.g. project plans, work manuals, designs and specifications, internal reports etc.
Protection level:
− High security level
− Authorized distribution only

Classification: Internal use only
Description:
− Information not for general public circulation
− If disclosed to the public it will not result in serious damage but can create difficulty for the management.
− E.g. internal memos, minutes of meetings, internal operational reports etc.
Protection level:
− General security level
− Limited distribution only

Classification: Public documents
Description:
− Information for the general public
− E.g. press statements, annual reports etc.
Protection level:
− Minimum security level

Data integrity control: The primary objective of data integrity control is to prevent, detect and correct errors in transactions as they flow through the various stages of data processing. Following are the six categories of data integrity controls:

(i) Source data control
− Threat/Risk: Invalid, incomplete or inaccurate source data input
− Controls: Proper form design; pre-printed forms wherever possible; titles, headings, notes and instructions in manual forms; sequentially pre-numbered forms; turnaround documents; authorization review; cancellation of processed documents; check digit verification

(ii) Input validation routines
− Threat/Risk: Invalid or inaccurate data in transaction files
− Controls: Field check; range and limit check; sequence check; duplicate check; missing data check; reasonableness check; completeness check; table lookup check; batch check (control totals, sequence check); file check (internal labels, retention dates, control totals); maintain error logs

(iii) Online data entry controls
− Threat/Risk: Invalid or inaccurate transaction input entered through on-line terminals
− Controls: Field check; reasonableness check; redundant data check; user ID and password check; automatic system data entry; completeness check; maintenance of transaction logs

(iv) Data processing and storage control
− Threat/Risk: Inaccurate or incomplete data in computer-processed master files
− Controls: Design of policies and procedures; exception reporting; run-to-run totals; version control; default values check; back-up procedures; write-protection mechanism

(v) Output control
− Threat/Risk: Inaccurate or incomplete computer output
− Controls: Report distribution control; control over printing; retention controls; deletion controls; shredding of redundant reports and data

(vi) Data transmission control
− Threat/Risk: Unauthorized access or data error during transmission
− Controls: Backup communication lines; preventive network maintenance; data encryption; parity check; echo check; CRC/LRC check; use of secure channels (VPN)
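The input validation routines and batch checks listed above are easier to audit when seen as code. The following is an added example, not part of the original notes: it implements a check digit verification (the mod-10 Luhn scheme, chosen here as one common check digit algorithm), field, range/limit, reasonableness, completeness and table lookup checks on each record, and then sequence, duplicate and control total checks over the whole batch. The departments, amount limit, field names and the sample batch are all constructed for the example.

```python
import re
from datetime import date

# Constructed master data for the example (not from the original notes)
DEPARTMENTS = {"SALES", "PURCHASE", "HR", "ADMIN"}      # table lookup check
AMOUNT_LIMIT = 500000.00                                 # limit check
REQUIRED_FIELDS = ("voucher_no", "account", "amount", "txn_date", "dept")


def luhn_check_digit_valid(number: str) -> bool:
    """Check digit verification using the mod-10 (Luhn) scheme on a digit string."""
    if len(number) < 2 or not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_record(txn: dict) -> list:
    """Per-record input validation routines; returns a list of error messages."""
    # Missing data / completeness check: stop early if fields are absent
    missing = [f for f in REQUIRED_FIELDS if txn.get(f) in ("", None)]
    if missing:
        return [f"missing field(s): {', '.join(missing)}"]
    errors = []
    # Field check: voucher number must be exactly 6 digits, account must be numeric
    if not re.fullmatch(r"\d{6}", str(txn["voucher_no"])):
        errors.append("voucher_no must be 6 digits")
    if not str(txn["account"]).isdigit():
        errors.append("account must be numeric")
    elif not luhn_check_digit_valid(str(txn["account"])):
        errors.append("account check digit invalid")
    # Range and limit check
    amount = txn["amount"]
    if not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount must be a positive number")
    elif amount > AMOUNT_LIMIT:
        errors.append("amount exceeds limit")
    # Reasonableness check: a real calendar date that is not in the future
    try:
        if date.fromisoformat(str(txn["txn_date"])) > date.today():
            errors.append("txn_date is in the future")
    except ValueError:
        errors.append("txn_date is not a valid ISO date")
    # Table lookup check against the department master
    if txn["dept"] not in DEPARTMENTS:
        errors.append("unknown dept")
    return errors


def process_batch(batch: list, declared_count: int, declared_total: float) -> dict:
    """Batch checks (sequence, duplicate, control totals) plus per-record validation."""
    record_errors = []
    for txn in batch:
        errs = validate_record(txn)
        if errs:
            record_errors.append((txn.get("voucher_no"), errs))
    batch_errors = []
    # Sequence and duplicate check on sequentially pre-numbered vouchers
    numbers = [int(t["voucher_no"]) for t in batch if str(t.get("voucher_no", "")).isdigit()]
    for prev, cur in zip(numbers, numbers[1:]):
        if cur == prev:
            batch_errors.append(f"duplicate voucher {cur:06d}")
        elif cur != prev + 1:
            batch_errors.append(f"sequence break between {prev:06d} and {cur:06d}")
    # Control totals: record count and amount total against the batch header
    actual_total = round(sum(t["amount"] for t in batch
                             if isinstance(t.get("amount"), (int, float))), 2)
    if len(batch) != declared_count:
        batch_errors.append(f"record count {len(batch)} != declared {declared_count}")
    if actual_total != round(declared_total, 2):
        batch_errors.append(f"amount total {actual_total:.2f} != declared {declared_total:.2f}")
    return {"record_errors": record_errors, "batch_errors": batch_errors}


# Constructed sample batch: one clean record and three with deliberate defects
SAMPLE_BATCH = [
    {"voucher_no": "000101", "account": "79927398713", "amount": 12500.00, "txn_date": "2024-03-01", "dept": "SALES"},
    {"voucher_no": "000102", "account": "79927398710", "amount": 800.00, "txn_date": "2024-03-01", "dept": "SALES"},
    {"voucher_no": "000104", "account": "79927398713", "amount": 750000.00, "txn_date": "2024-03-01", "dept": "PURCHASE"},
    {"voucher_no": "000104", "account": "79927398713", "amount": 300.00, "txn_date": "2024-03-01", "dept": "MARKETING"},
]

if __name__ == "__main__":
    # The batch header claims 5 records totalling 763600.00; voucher 000103 never arrived
    print(process_batch(SAMPLE_BATCH, declared_count=5, declared_total=763600.00))
```

The batch-level checks catch what record-level checks cannot: a missing voucher shows up as a sequence break and a count mismatch even though every record that did arrive may be individually valid.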

Data Integrity Policies:
(i) Virus-Signature Updating: Virus signatures must be updated immediately when they are made available from the vendor.
(ii) Software Testing: All software must be tested in a suitable test environment before installation on production systems.
(iii) Division of Environments: The division of environments into Development, Test, and Production is required for critical systems.
(iv) Version Zero Software: Version zero software (1.0, 2.0, and so on) must be avoided whenever possible to avoid undiscovered bugs.
(v) Offsite Backup Storage: Backups older than one month must be sent offsite for permanent storage.
(vi) Quarter-End and Year-End Backups: Quarter-end and year-end backups must be done separately from the normal schedule, for accounting purposes.
(vii) Disaster Recovery: A comprehensive disaster-recovery plan must be used to ensure continuity of the corporate business in the event of an outage.

Data privacy and security:
• Data security includes the protection of data against accidental or intentional disclosure to unauthorized persons, as well as the prevention of unauthorized modification and deletion of the data.
• Many levels of data security are necessary in an information systems environment; they include database protection, security controls over hardware and software, physical security over the user, and organizational policies.

An IS auditor is responsible for evaluating the following when reviewing the adequacy of data security controls:
(i) Who is responsible for the accuracy of the data?
(ii) Who is permitted to update data?
(iii) Who is permitted to read and use the data?
(iv) Who is responsible for determining who can read and update the data?
(v) Who controls the security of the data?
(vi) If the IS system is outsourced, what security controls and protection mechanisms does the vendor have in place to secure and protect the data?
(vii) Contractually, what penalties or remedies are in place to protect the sensitive information?

***


◙ Security concepts and techniques

Cryptosystem: A cryptosystem is a cryptographic system consisting of encryption and decryption algorithms and the generation of key pairs. Such a system is used to secure electronic mail and other information. It includes methods for digital signatures, cryptographic hash functions, key management techniques etc. Some important terms used in this context are:
− Cryptography: Cryptography is the science of encrypting and decrypting written communication.
− Cipher: A cipher is an algorithm (a list of well-defined instructions for completing a task) for performing encryption or decryption.
− Encryption: Encryption is the process of transforming human-readable information (called plaintext) into an unreadable format (called ciphertext) using an algorithm (called a cipher).
− Decryption: Decryption is the reverse process of encryption, in which unreadable information is converted back into readable information.
− Plain text: It is the original human-readable text before encryption.
− Cipher text: It is the unreadable text generated after encryption.
− Symmetric encryption: This encryption uses the same key for both encryption and decryption (e.g. DES, AES, Blowfish):

  Plain text → Encryption (Key) → Cipher text → Decryption (same Key) → Plain text

− Asymmetric encryption: In this type of encryption a pair of keys is generated. One key is called the private key and the other is called the public key. Encryption done with one key can be decrypted only with the other key, and vice versa (e.g. RSA):

  Plain text → Encryption (Key 1) → Cipher text → Decryption (Key 2) → Plain text

− One-way encryption: This is also called a hash function. When it is used, a hash of the plain text is generated; this hash cannot be converted back to the plain text. The most famous algorithms for hash computation are MD5 (Message Digest 5) and SHA-1, which generate a 32- and a 40-hexadecimal-digit hash respectively for text of any length.

Data encryption standard (DES):
− DES is an encryption algorithm used for symmetric encryption. It was developed by the National Institute of Standards and Technology (NIST), USA in 1976.
− DES has a small key size of 64 bits and thus it is a weak algorithm.
− A TDES (Triple DES) key consists of three DES keys, which are also referred to as a key bundle.
− Authorized users of encrypted computer data must have the keys that were used to encipher the data in order to decrypt it.
− DES is now considered a weak algorithm and is not used in critical applications. It has been replaced by more powerful algorithms like Triple DES, Advanced Encryption Standard (AES), Blowfish, RC5 etc.

Public Key Infrastructure (PKI): Public Key Infrastructure is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. It uses asymmetric encryption and a hash function to generate a digital signature. The following steps are involved in signing a document using a digital signature:

Sender's side:
− Take the document.
− Calculate the hash of the document (hash using SHA-1).
− Create the digital signature, i.e. encrypt the hash using the sender's private key.
− Send the document together with the digital signature.

Receiver's side:
− Calculate the hash of the received document (using the same hash algorithm).
− Decrypt the digital signature using the public key of the sender.
− Compare these two outputs. If they are the same, the document is authenticated and its integrity is assured.

Digital certificate:
• Digital certificates are digital files that certify the identity of an individual or institution.
• The digital certificate links the identity of an individual or institution to a digital public key.
• The contents of a digital certificate are prescribed by the X.509 standard, developed by the International Standards Organization (ISO) and adopted by the American National Standards Institute (ANSI). The latest version is X.509 v3.
• The principal elements of a digital certificate (content of an X.509 v3 certificate) are as follows:
  - Version number of the certificate format
  - Serial number of the certificate
  - Signature algorithm identifier
  - Issuer of the digital certificate
  - Validity period
  - Unique identification of the certificate holder
  - Public key information

Certifying authority: Certifying Authority (CA) provides all of the services required to issue, store, manage, and revoke digital certificates for users of digital signature.

PKI control policies: The certifying authority (CA) should consider the following while issuing and maintaining digital certificates:
- Methods of initial verification of the user, e.g. identity proof and address proof must be obtained before issuing digital certificates.
- The maximum validity period of a digital certificate should not be more than 2 years.
- Defining the circumstances in which the digital certificate will be revoked, e.g. when the private key of the user is lost.
- Updating the database of revoked certificates.
- Employing strict measures to protect the root key, i.e. the private key of the certifying authority.
- Maintenance of proper logs of all activities.

Data security and public network:

Firewalls:
• A firewall is a system designed to protect and regulate traffic flowing between a private network and a public network. All traffic, from the private network to the public network and from the public network to the private network, must pass through the firewall.
• Firewalls can be implemented in hardware, in software, or in a combination of both.
• Firewalls block or allow traffic based on rules configured by the administrator. Rule sets can be static or dynamic. A static rule set is an unchanging statement applied to the packet header, such as blocking all incoming traffic with certain source addresses. A dynamic rule set is often the result of coordinating a firewall and an IDS (Intrusion Detection System). For example, an IDS that alerts on malicious activity may send a message to the firewall to block the offending incoming IP address.
• Firewalls are subject to failure. When firewalls fail, they should typically fail closed, blocking all traffic, rather than fail open and allow all traffic to pass.
• Well-known firewalls are Cisco PIX and Check Point.

  Private network (LAN) ──outgoing traffic──→ Firewall ──outgoing traffic──→ Public network (Internet / WAN)
  Private network (LAN) ←──incoming traffic── Firewall ←──incoming traffic── Public network (Internet / WAN)

Types of firewall:

I. Packet filtering firewall: A packet filtering firewall evaluates the information contained in the header of each incoming and outgoing data packet to check that it
- has a valid internal address,
- originates from a permitted external address,
- connects to an authorized protocol or service, and
- contains valid basic header information.
If the packet does not match the pre-defined criteria for allowing traffic, the firewall rejects the packet. This type of firewall only analyzes the header information of the packet and does not look into the contents of the packet.

Data packet:
- Header: source address, destination address, sequence number, protocol, other information
- Data: the payload
- Trailer: end of packet, checksum

This kind of firewall is less secure but fast in performance, and is useful for small office and home office (SOHO) systems. A packet filtering firewall has the following weaknesses:
- It is unable to prevent attacks that exploit application-specific vulnerabilities and functions, because it does not examine the data contents of the packet.
- Log maintenance functionality is limited to the same information that is used to make access control decisions, i.e. header information.
- It does not support user authentication schemes like password control.
- These firewalls are easy to misconfigure, which allows traffic to pass that should otherwise be blocked.

II. Stateful inspection firewall: Stateful inspection firewalls are packet filters that monitor the state of the TCP connection. Each TCP session starts with an initial "handshake" communicated through TCP flags in the header information. When a connection is established, the firewall adds the connection information to a table. The firewall can then compare future packets to the connection (state) table. This essentially verifies that inbound traffic is in response to requests initiated from inside the firewall.

III. Proxy server firewall:
- Proxy servers act as an intermediary between internal and external IP addresses and block direct access to the internal network. The proxy server rewrites packet headers to substitute the IP of the proxy server for the IP of the internal machine and forwards packets to and from the internal and external machines.
- Additionally, proxy servers provide another layer of access control by segregating the flow of Internet traffic to support additional authentication and logging capability, as well as content filtering. Web and e-mail proxy servers, for example, are capable of filtering for potentially malicious code and application-specific commands. They may implement antivirus and anti-spam filtering, disallow connections to potentially malicious servers, and disallow the downloading of files in accordance with the institution's security policy.
- Proxy servers protect against encapsulation techniques (protocols that are tunneled through other protocols). For example, a protocol-aware proxy may be designed to allow Web server requests to port 80 of an external Web server, but disallow other protocols encapsulated in the port 80 requests.
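The packet filtering and stateful inspection behaviour described above (header-only matching, a static first-match rule set that fails closed, and a connection table that lets replies back in only for sessions opened from inside) can be modelled in a few dozen lines. The following is an added example, not code from the original notes or from any firewall product: the LAN range, the rule set, the five sample packets and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed private LAN for the example (not from the original notes)
INTERNAL_NET = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter examines; the payload is never looked at."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str              # "tcp", "udp" or "icmp"
    syn: bool = False       # TCP flags from the header
    ack: bool = False
    inbound: bool = True    # True when arriving from the public network


@dataclass(frozen=True)
class Rule:
    """One line of a static rule set; 'any' and None act as wildcards."""
    action: str             # "allow" or "deny"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # destination port, or None for any port

    def matches(self, pkt: Packet) -> bool:
        def in_net(cidr: str, addr: str) -> bool:
            return cidr == "any" or ip_address(addr) in ip_network(cidr)
        return (in_net(self.src, pkt.src) and in_net(self.dst, pkt.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def packet_filter(pkt: Packet, rules: List[Rule]) -> str:
    """Stateless packet filtering: first matching rule wins; no match means deny (fail closed)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Packet filter plus a connection (state) table, as in a stateful inspection firewall."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.connections = set()                        # outbound sessions seen and allowed
        self.log: List[Tuple[str, str, str]] = []       # header information only

    def process(self, pkt: Packet) -> str:
        # A packet arriving from the public side must not carry an internal source address
        if pkt.inbound and ip_address(pkt.src) in INTERNAL_NET:
            return self._decide(pkt, "deny", "inbound packet with internal source address")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # State table: replies to a session initiated from inside need no explicit rule
        if key in self.connections or reverse in self.connections:
            return self._decide(pkt, "allow", "matches state table")
        verdict = packet_filter(pkt, self.rules)
        if verdict == "allow" and not pkt.inbound and (pkt.proto != "tcp" or pkt.syn):
            self.connections.add(key)                   # remember the new outbound session
        return self._decide(pkt, verdict, "static rule set")

    def _decide(self, pkt: Packet, verdict: str, reason: str) -> str:
        self.log.append((f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}/{pkt.proto}", verdict, reason))
        return verdict


# Static rule set (constructed): the LAN may open HTTPS, HTTP and DNS to anywhere; nothing else.
RULES = [
    Rule("allow", str(INTERNAL_NET), "any", "tcp", 443),
    Rule("allow", str(INTERNAL_NET), "any", "tcp", 80),
    Rule("allow", str(INTERNAL_NET), "any", "udp", 53),
]


def run_scenarios() -> List[str]:
    """Five constructed packets; returns the firewall's verdict for each, in order."""
    fw = StatefulFirewall(RULES)
    packets = [
        Packet("192.168.1.10", 51000, "198.51.100.7", 443, "tcp", syn=True, inbound=False),            # LAN host opens HTTPS
        Packet("198.51.100.7", 443, "192.168.1.10", 51000, "tcp", syn=True, ack=True, inbound=True),  # server's reply
        Packet("203.0.113.5", 40000, "192.168.1.10", 22, "tcp", syn=True, inbound=True),              # unsolicited inbound SSH
        Packet("192.168.1.50", 4444, "192.168.1.10", 445, "tcp", syn=True, inbound=True),             # inbound with LAN source
        Packet("192.168.1.10", 40000, "203.0.113.5", 23, "tcp", syn=True, inbound=False),             # telnet out, no rule
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenarios():
        print(verdict)
```

The second packet is the instructive one: no rule in `RULES` permits traffic from the public network, yet the reply is allowed because the state table records that the LAN host opened the session. Without the table, a plain packet filter would need a permanent "allow inbound from port 443" rule, which is exactly the kind of over-broad rule the text warns is easy to misconfigure.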

IV. Application-level firewall: Application-level firewalls perform application-level screening, i.e. they have the filtering capabilities of packet filter firewalls with additional validation of the packet content based on the application. Application-level firewalls examine each packet after the initial connection is established for specific applications or services such as telnet, FTP, HTTP, SMTP, etc. The application-level firewall can provide additional screening of the packet payload for commands, protocols, packet length, authorization, content, or invalid headers. Application-level firewalls provide the strongest level of security, but are slower and require greater expertise to administer properly.

The primary disadvantages of application-level firewalls are as follows:
- The time required to read and interpret each packet slows network traffic.
- Traffic of certain types may have to be split off before the application-level firewall and passed through different access controls.
- Any particular firewall may provide only limited support for new network applications and protocols. They also may simply allow traffic from those applications and protocols to pass through the firewall.

Firewall services and configuration: A firewall can provide some additional features like:
(i) Network address translation (NAT): NAT readdresses outbound packets to mask the internal IP addresses of the network. Untrusted networks see a different host IP address from the actual internal address. NAT allows an institution to hide the topology and address schemes of its trusted network from untrusted networks.
(ii) Dynamic host configuration protocol (DHCP): DHCP assigns IP addresses to machines that will be subject to the security controls of the firewall.
(iii) Virtual private network gateway (VPN gateway): A VPN gateway provides an encrypted tunnel between a remote external gateway and the internal network. Placing VPN capability on the firewall and the remote gateway protects information from disclosure between the gateways but not from the gateway to the terminating machines. Placement on the firewall, however, allows the firewall to inspect the traffic and perform access control, logging, and malicious code scanning.

Unauthorized intrusion:
• Intrusion detection is the attempt to monitor and possibly prevent attempts to intrude into or otherwise compromise the system and network resources of an organization.
• Intrusion detection systems (IDS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.
• They are like firewalls but more expensive and more intelligent than firewalls. They are generally used as a complement to a firewall, and they update the firewall with new types of security threats.

Intrusion detection systems fall into two broad categories:
• Network based systems: These systems are placed on the network in front of the systems being monitored. They examine the network traffic and determine whether it falls within acceptable boundaries.
• Host based systems: These systems actually run on the system being monitored. They examine the system to determine whether the activity on the system is acceptable.
• A more recent type of intrusion detection system is one that resides in the operating system kernel and monitors activity at the lowest level of the system. These systems have recently started becoming available for a few platforms, and are relatively platform specific.
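A minimal host-based IDS, and the way it "updates the firewall" with a dynamic rule as described in the firewall section, looks like this. The following is an added example, not code from the original notes: it parses constructed sample lines in the OpenSSH `sshd` authentication log format, counts failed logins per source address, raises an alert once a threshold is reached, and pushes a block rule into a stand-in `Firewall` object that represents the firewall's dynamic rule set. The log lines, the threshold and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample authentication log (OpenSSH sshd format); not from the original notes
SAMPLE_LOG = """\
Mar  3 10:01:02 host1 sshd[2101]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar  3 10:01:04 host1 sshd[2101]: Failed password for root from 203.0.113.9 port 40123 ssh2
Mar  3 10:01:05 host1 sshd[2101]: Failed password for admin from 203.0.113.9 port 40124 ssh2
Mar  3 10:01:07 host1 sshd[2101]: Failed password for invalid user test from 203.0.113.9 port 40125 ssh2
Mar  3 10:01:09 host1 sshd[2101]: Failed password for oracle from 203.0.113.9 port 40126 ssh2
Mar  3 10:02:11 host1 sshd[2140]: Accepted publickey for alice from 198.51.100.20 port 51234 ssh2
Mar  3 10:03:15 host1 sshd[2155]: Failed password for bob from 198.51.100.20 port 51240 ssh2
Mar  3 10:03:20 host1 sshd[2155]: Accepted password for bob from 198.51.100.20 port 51240 ssh2
"""

# Captures the user name (skipping the "invalid user" prefix) and the source IPv4 address
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def detect_bruteforce(log_text: str, threshold: int = 5) -> List[Dict]:
    """Host-based detection: count failed logins per source and alert at the threshold."""
    failures: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if match:
            user, source = match.groups()
            failures[source].append(user)
    alerts = []
    for source, users in failures.items():
        if len(users) >= threshold:
            alerts.append({"source": source,
                           "attempts": len(users),
                           "distinct_users": len(set(users))})   # many users from one IP is the tell
    return alerts


class Firewall:
    """Stand-in for the firewall's dynamic rule set that the IDS can update."""

    def __init__(self):
        self.blocked = set()

    def block(self, ip: str) -> None:
        self.blocked.add(ip)

    def allows(self, ip: str) -> bool:
        return ip not in self.blocked


def run(log_text: str = SAMPLE_LOG, threshold: int = 5) -> Tuple[List[Dict], Firewall]:
    """Run detection over the log and feed each alert to the firewall as a block rule."""
    fw = Firewall()
    alerts = detect_bruteforce(log_text, threshold)
    for alert in alerts:
        fw.block(alert["source"])       # the dynamic rule: IDS tells the firewall to block the source
    return alerts, fw


if __name__ == "__main__":
    alerts, fw = run()
    for alert in alerts:
        print(alert)
    print("blocked:", sorted(fw.blocked))
```

Note the one failed attempt from 198.51.100.20 followed by a success: a single mistyped password stays below the threshold, which is why the threshold (and the `distinct_users` count) matters for keeping false positives down when the IDS is allowed to change firewall rules automatically.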

Hacking: Hacking is an act of penetrating computer systems to gain knowledge about the system and how it works.

What are Hackers? Technically, a hacker is someone who is enthusiastic about computer programming and all things relating to the technical workings of a computer. However, most people understand a hacker to be what is more accurately known as a 'cracker'.

What are Crackers? Crackers are people who try to gain unauthorized access to computers. This is normally done through the use of a 'backdoor' program installed on the machine. A lot of crackers also try to gain access to resources through the use of password cracking software, which tries billions of passwords to find the correct one for accessing a computer. Another common technique is called social engineering, in which the hacker tries to get some useful information just by interacting with the other person.

What damage can a Hacker do? This depends upon what backdoor program(s) are hiding on the PC. Different programs can do different amounts of damage. However, most allow a hacker to smuggle another program into your PC. This means that if a hacker can't do something using the backdoor program, he can easily put something else onto your computer using the backdoor which he has already smuggled in. Hackers can see everything you are doing, and can access any file on your disk. Hackers can write new files, delete files, edit files, and do practically anything to a file that could be done to a file. A hacker could install several programs on to your system without your knowledge. Such programs could also be used to steal personal information such as passwords and credit card information.

How do Hackers hack? There are many ways in which a hacker can hack. Some are as follows: NetBIOS, ICMP Ping, FTP, rpc.statd, HTTP.
(i) NetBIOS: NetBIOS hackers are the worst kind, since they don't require you to have any hidden backdoor program running on your computer. This kind of hack exploits a bug in Windows 98. NetBIOS is meant to be used on local area networks, so machines on that network can share information. Unfortunately, the bug is that NetBIOS can also be used across the Internet, so a hacker can access your machine remotely.
(ii) ICMP 'Ping' (Internet Control Message Protocol): ICMP is one of the main protocols that make the Internet work. 'Ping' is one of the commands that can be sent to a computer using ICMP. Ordinarily, a computer would respond to this ping, telling the sender that the computer does exist. This is all pings are meant to do. Pings may seem harmless enough, but a large number of pings can make a Denial-of-Service attack, which overloads a computer. Also, hackers can use pings to see if a computer exists and does not have a firewall (firewalls can block pings). If a computer responds to a ping, then the hacker could launch a more serious form of attack against it.
(iii) FTP (File Transfer Protocol): FTP is a standard Internet protocol. It can be used for file downloads from some websites. If you have a web page of your own, you may use FTP to upload it from your home computer to the web server. However, FTP can also be used by some hackers. FTP normally requires some form of authentication for access to private files, or for writing to files. FTP backdoor programs, such as Doly Trojan, Fore and Blade Runner, simply turn your computer into an FTP server, without any authentication.
(iv) rpc.statd: This is a problem specific to Linux and Unix. The problem is the infamous unchecked buffer overflow. This is where a fixed amount of memory is set aside for storage of data. If data is received that is larger than this buffer, the program should truncate the data or send back an error, or at least do something other than ignore the problem. Unfortunately, the data overflows the memory that has been allocated to it, and is written into parts of memory it shouldn't be in. This can cause crashes of various kinds. However, a skilled hacker could write bits of program code into memory that may be executed to perform the hacker's evil deeds.
(v) HTTP (Hypertext Transfer Protocol): HTTP hacks can only be harmful if you are using Microsoft web server software, such as Personal Web Server. There is a bug in this software called an 'unchecked buffer overflow'. If a user makes a request for a file on the web server with a very long name, part of the request gets written into parts of memory that contain active program code. A malicious user could use this to run any program they want on the server.

Data privacy:
• Data privacy refers to protecting private and sensitive data from disclosure.
• Privacy problems exist wherever uniquely identifiable data relating to persons are collected and stored in paper or digital form.
• The challenge in data privacy is to share data without disclosing the personal identity of any individual.
• The most common sources of data that are affected by data privacy issues are:
  - Health information
  - Criminal justice
  - Financial information
  - Genetic information
  - Locational information

Protecting data privacy in information systems: In information systems, the privacy policy has to be communicated and enforced across the system and network. This is done by several privacy protocols which communicate and enforce users' privacy preferences automatically. These fall under two categories:
(i) Policy Communication:
  • P3P - The Platform for Privacy Preferences. P3P is a standard for communicating privacy practices by websites and comparing them to the preferences of individuals.
(ii) Policy Enforcement:
  • XACML - The eXtensible Access Control Markup Language, together with its privacy profile, is a standard for expressing privacy policies in a machine-readable language which a software system can use to enforce the policy in enterprise IT systems.
  • EPAL - The Enterprise Privacy Authorization Language is very similar to XACML but is not yet a standard.
  • WS-Privacy - "Web Service Privacy" will be a specification for communicating privacy policy in web services.

Control against virus and other malware:

Virus: A virus is a program (usually destructive) that attaches itself to a legitimate program to penetrate the operating system. The virus destroys application programs, data files, and operating systems in a number of ways. One common technique is for the virus to simply replicate itself over and over within the main memory, thus destroying whatever data or programs are resident. One of the most dangerous aspects of a virus is its ability to spread throughout the system and to other systems before perpetrating its destructive role, holding back until the virus has copied itself a specified number of times to other programs and systems. The virus thus grows geometrically, which makes tracing its origin extremely difficult. Virus programs usually attach themselves to the following types of files:
− An .exe (executable file) or .com (command file)
− The .ovl (overlay) program file
− The boot sector of a disk
− A device driver program
When a virus-infected program is executed, the virus searches the system for uninfected programs and copies itself into these programs. The virus in this way spreads to the applications of other users or to the operating system itself.

Anti-virus Software: Among the countermeasures against virus attacks, anti-virus software is the most widely used technique to detect viruses and prevent their further propagation and harm. There are three types of anti-virus software:
(i) Scanners: The software looks for a sequence of bits called virus signatures that are characteristic of virus code. They check memory, disk boot sectors, executables and system files to find matching bit patterns. In this context it may be noted that on average 1500 new viruses emerge every month. Hence, it is necessary to frequently update the scanners with data on virus code patterns for the scanners to be reasonably effective.
(ii) Active Monitors and Heuristic Scanners: These look for critical interrupt calls and critical operating system functions, such as OS calls and BIOS calls, which resemble virus action. However, this also makes them inefficient, since they cannot differentiate between genuine system calls and virus action. They can be annoying and generally do not serve the purpose.
(iii) Integrity Checkers: These can detect any unauthorized changes to files on the system. They require the software to "take stock" of all files resident on the system and compute a binary check value called the Cyclic Redundancy Check (CRC). When a program is called for execution, the software computes the CRC again and checks it against the value stored on the disk. However, such checks assume that frequent changes to applications and system utilities do not occur.

Further, technical controls such as securing systems with hardware-based password and encryption locks and remote booting are also used. However, there is no single way that can act as a solution for all virus attacks. The best policy for virus control is preventive control. Of course, detective and corrective controls should also be in place to ensure complete control over virus propagation and damage control.
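The integrity checker described in (iii) is the "take stock, then recompute and compare" pattern. The following is an added example, not code from the original notes or from any anti-virus product: it builds a baseline of every file under a directory, recomputes on demand, and reports modified, added and removed files. It computes both the CRC-32 named in the text and a SHA-256 digest, because a CRC detects accidental corruption well but is not tamper resistant (a deliberate change can be adjusted so the CRC still matches, which a cryptographic hash prevents). The sample directory and its files are constructed in a temporary folder so the example runs offline.

```python
import hashlib
import os
import tempfile
import zlib
from typing import Dict, Tuple

Fingerprint = Tuple[str, str]   # (crc32 hex, sha256 hex)


def fingerprint_bytes(data: bytes) -> Fingerprint:
    """CRC-32 (the check value the text calls CRC) plus SHA-256 for tamper resistance."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return f"{crc:08x}", hashlib.sha256(data).hexdigest()


def file_fingerprint(path: str) -> Fingerprint:
    with open(path, "rb") as fh:
        return fingerprint_bytes(fh.read())


def take_stock(root: str) -> Dict[str, Fingerprint]:
    """Baseline: fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_fingerprint(path)
    return baseline


def check_integrity(root: str, baseline: Dict[str, Fingerprint]) -> Dict[str, list]:
    """Recompute fingerprints and report what differs from the stored baseline."""
    current = take_stock(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, list]:
    """Constructed sample 'system': three files, a baseline, then three unauthorized changes."""
    with tempfile.TemporaryDirectory() as root:
        sample_files = {                      # constructed contents, not real program images
            "app.exe": b"MZ original program image",
            "config.ini": b"mode=prod\n",
            "readme.txt": b"unchanged text",
        }
        for name, body in sample_files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = take_stock(root)
        # The changes an integrity checker must catch: an executable grows, a new
        # overlay file appears, and a file disappears. config.ini is left alone.
        with open(os.path.join(root, "app.exe"), "ab") as fh:
            fh.write(b" + appended code")
        with open(os.path.join(root, "dropped.ovl"), "wb") as fh:
            fh.write(b"new overlay")
        os.remove(os.path.join(root, "readme.txt"))
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
    # {'modified': ['app.exe'], 'added': ['dropped.ovl'], 'removed': ['readme.txt']}
```

In practice the baseline itself must be protected (stored read-only or off the monitored system), otherwise whatever modifies a file can also rewrite the stored check value; that is the "assumes frequent changes do not occur" caveat in the text restated as a storage requirement.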

Control No 8. Logical access controls

Logical access controls are the system-based mechanisms that regulate users' access to the system as per their authority and job role. Thus, these controls prevent unauthorized persons from using the system resources while letting authorized persons use the system resources as per their scope of work.

Logical access paths:
− Online terminals: These are computer terminals located in the organization and connected to the main server. The user has to provide a login ID and password to access the system through these terminals.
− Operator console: These types of input console are used for various purposes like the main server configuration console, router/switch configuration console etc. Generally consoles have highly privileged access capabilities, and therefore such consoles have to be physically protected as well as password protected.
− Batch job processing: In a batch processing environment all the jobs are processed in a batch. All the transactions in a particular job are accumulated in batches and then processed together. In such a case there is a risk of an unauthorized job entering the batch for processing.
− Dial-up ports: A computer located at a geographically different location can dial up a remote organizational server using a modem and telephone line and get access into the system. There can also be a dial-back system to ensure authentication of the user.
− Telecommunication network: PCs can connect to the main server through the use of different devices on the telecommunication network like switches, routers and wireless equipment.

Logical access issues threats and exposures: Two kinds of exposures are related to access control weakness (a) Technical exposures and (b) Computer crime exposure.

CA Clues

Nikhil Gupta

(a) Technical exposures −

Data diddling: It means unauthorized modification in the input data. This can be done manually by altering the source voucher or it can be done in system also by altering the input file which is waiting for processing.



Logic bombs: Logic bombs are malicious program codes deliberately implanted in the main software by the program developer. The code triggers upon happening of certain event for example “if a file named abc.exe is deleted then delete the file/memory location c:/salary”. Such bombs are dormant till that triggering event does not happen and as soon as that event happens they run and destroy the targeted system.



Time bombs: This is also a malicious code in a software which is similar to logic bomb and is set to activate at a particular future time. When the computer clock reaches that time, the codes get activated and do the destruction.



Trojan horse: A Trojan horse is non-self-replicating malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user's computer system. It is attached in the host program and installs itself during software downloads, opening websites containing activeX controls, downloading email attachments or through application exploits.



Worms: A computer worm is a self-replicating malware computer program. It uses a computer network to send copies of itself to other computes and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program.



Rounding down: This technique involves rounding down of amount and transferring it in a separate account.



Salami techniques: This technique involves slicing of small fraction of amount and transferring it in a separate account. It is similar to rounding down technique, except the fact that in this case the last digits are altogether removed instead of rounding down. E.g. figure of Rs 54850.58 maybe be rounded down as Rs 54850.55 and in salami technique the last digit can be removed as Rs 54850.50 or as Rs 54850.00



Trap doors: Trap doors (also called system exits) are application software vulnerabilities. Programmers sometimes insert these trap door codes during programming new software so that they can later on use these to gain access into the system without using the normal login procedure and do the unauthorized work and then exit the system.



Asynchronous attack: Such attack is possible in devices which uses asynchronous transmission of information. In asynchronous transmission, the data has to wait for a while to get transmitted or processed. Meanwhile this data can be manipulated by intercepting the transmission lines.



Data leakage: Data leakage means leaking information out of a computer system by copying files to some media.



Wire-tapping: It involves intercepting data while it is being transmitted over a telecommunication network.

Piggybacking: This involves getting unauthorized access by following an authorized data packet.



Denial of service: In this attack the perpetrator floods the host computer with so many requests that it is not able to process them and finally has to shut down the service for some period.



Masquerading: In this technique the perpetrator impersonates a legitimate user and tries to gain unauthorized access to the system.



Spoofing: In this attack one system is used to impersonate another. For example, system A wants to communicate with system B. The attacker places system C between them: to system A it pretends to be system B, and to system B it pretends to be system A.



Phishing: In the phishing technique a fraudulent website is made resembling the original website of a bank or other organization. The legitimate user is made to believe that he is logging into the actual website, and thus sensitive information such as usernames, passwords and credit card details is captured by masquerading as a trustworthy website.

(b) Computer crime exposure: As the use of computers in the business environment increases, the risk of frauds being committed in computer systems also increases. People with wrong motives and good technical knowledge try to gain access to the system to commit various frauds. Such frauds result in:
− Financial loss to the organization
− Legal consequences
− Loss of credibility
− Industrial espionage
− Leakage of confidential information.

People involved in computer crime:
− Hackers / Crackers / Phreakers
− Disgruntled employees
− IS personnel
− End users
− Former employees
− Competitors
− Organized criminals.

Logical access controls: Data protection is required wherever data is present. Generally data is present at the following three places: (i) in computers and servers (ii) in backup media like CDs, floppies or USB drives (iii) on communication lines while in transit. Logical access control is all about protection of these assets wherever they reside. The following controls are established for logical access control:

a) User access management: (i) User registration procedure (ii) Privilege management (iii) Password management (iv) Periodic review of user access rights
b) User responsibilities: (i) Use of strong password (ii) Unattended user equipment
c) Network access control: (i) Policy on use of internet (ii) Enforced path using firewall (iii) Segregation of networks (iv) Network connection and routing control (v) Security of network services
d) Operating system access control: (i) Automated terminal identification (ii) Terminal log-on procedures (iii) User identification and authentication (iv) Password management system (v) Use of system utilities (vi) Duress alarm to safeguard users (vii) Terminal time out (viii) Limitation of connection time
e) Application and monitoring system access control: (i) Information access restriction (ii) Sensitive system isolation (iii) Event logging (iv) Monitor system use (v) Clock synchronization
f) Mobile computing: (i) Mobile computing

a) User access management:
(i) User registration procedure: Information about every user is documented. The following questions are to be answered: Why is the user granted the access? Has the data owner approved the access? Has the user accepted the responsibility? The de-registration process is equally important.
(ii) Privilege management: Access rights of employees should be according to job requirements and responsibilities. For example, an operator at the sales counter should have access to the billing activity of the application system.
(iii) Password management: Passwords are usually the default screening point for access to systems. Allocation, storage, revocation and reissue of passwords should be done in a secure manner. Users should be educated about safekeeping of their passwords. Challenge-response passwords and one-time passwords can also be used for additional security.
(iv) Periodic review of user access rights: A user's need for accessing information changes with time and thus requires a periodic review of his access rights to ensure that these rights match his new roles and responsibilities.

b) User awareness and responsibilities:
(i) Use of strong password: Mandatory use of strong passwords to maintain confidentiality.
(ii) Unattended user equipment: Users should ensure that no equipment under their responsibility is ever left unprotected. They should also secure their PCs with a password and should not leave them accessible to others.

c) Network access control:
(i) Policy on use of internet: Use of the internet in an organization should be governed by the security policy. Selection of appropriate internet services and approval to access them will be part of this policy.
(ii) Enforced path using firewall: Based on risk assessment, it is necessary to specify the exact path or route connecting the networks; for example, internet access by employees will be routed through a firewall.
(iii) Segregation of networks: Based on the sensitive information handling function; for example, a VPN connection between a branch office and the head office is to be isolated from the internet access service available to employees.
(iv) Network connection and routing control: Traffic between networks should be restricted, based on identification of the source and the authentication and access policies implemented across the enterprise network.
(v) Security of network services: The authentication and authorization techniques and policy implemented across the organization's network services, e.g. Wi-Fi.

d) Operating system access control:
(i) Automated terminal identification: This helps to ensure that a particular session can only be initiated from a particular location or computer terminal.
(ii) Terminal log-on procedures: The log-on procedure should not provide unnecessary help or information which could be misused by an intruder.
(iii) User identification and authentication: Users must be identified and authenticated in a foolproof manner. More stringent methods like biometric authentication or cryptographic means like digital certificates can also be used.

(iv) Password management system: The operating system should enforce the selection of good passwords. Internal storage of passwords should use one-way encryption (hashing) algorithms, and the password file should not be accessible to users.
(v) Use of system utilities: System utilities are programs that help to manage critical functions of the operating system, for example addition or deletion of users. These utilities should not be accessible to general users; access to them should be strictly controlled and logged.
(vi) Duress alarm to safeguard users: If users are forced to execute some instruction under threat, the system should provide a means to alert the authorities. An example is a person being forced to withdraw money from an ATM; many banks provide a secret code to alert the bank about such transactions.
(vii) Terminal time out: Log out the user if the terminal is inactive for a defined period. This prevents misuse in the absence of the legitimate user.
(viii) Limitation of connection time: Define the available time slot and do not allow any transaction beyond this period. For example, no computer access after 8.00 p.m. and before 8.00 a.m., or on a Saturday or Sunday.

e) Application and monitoring system access control:
(i) Information access restriction: Access to information is restricted by application-specific menu interfaces, which limit access to system functions. A user is allowed to access only those items he is authorized to access. Controls are implemented on the access rights of users, for example read, write, delete and execute.
(ii) Sensitive system isolation: Based on the criticality of a system in an organization, it may even be necessary to run the system in an isolated environment.
(iii) Event logging: In computer systems it is easy and viable to maintain extensive logs for all types of events. It is necessary to review whether logging is enabled and the logs are archived properly.
(iv) Monitor system use: Monitoring system access and use is a detective control, to check whether preventive controls are working or not. If not, this control will detect and report any unauthorized activities. The log files are to be reviewed periodically.
(v) Clock synchronization: Event logs maintained across an enterprise network play a significant role in correlating an event and generating a report on it. Hence synchronizing clock time across the network to a standard time is mandatory.

f) Mobile computing:
(i) Mobile computing: Theft of data carried on the disk drives of portable computers is a high risk factor. Both physical and logical access to these systems is critical. Information is to be encrypted, and an access identification mechanism like a password or fingerprint scanner is a necessary security feature.

Role of IS auditor in evaluating logical access control:
− Review the security policy of the organization to see whether it covers all aspects of access control.
− Review the risk assessment done by management.
− Review access control administration, i.e. how new user IDs and passwords are created and distributed, and how old IDs are deleted. Login IDs and passwords should not be sent together to the user; they should be sent separately using different modes.
− Review the password policy, e.g. does the system require:
i) a minimum password length, e.g. 8 characters;
ii) alphanumeric passwords with special characters;
iii) mandatory change of passwords after a certain number of days, e.g. 60 days;
iv) that an old password cannot be set again as the new password;
v) a limited number of unsuccessful attempts, after which the login ID is locked.
− Potential access paths should be identified and the reasons for their existence noted.
− Review the access control mechanism at operating system level and at application program level.
− Check whether redundant login IDs exist and the reasons for their existence.
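The five password-policy points the auditor reviews above, together with the one-way storage requirement from d)(iv), can be expressed as a small reference implementation that an auditor could run test cases against. This is an added example, not code from the chapter; the lockout threshold of 3 attempts, the history depth of 5 and the PBKDF2 round count are assumptions, since the text only says "limited number".

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Policy values from the chapter's review checklist (8 characters, 60 days);
# the lockout threshold, history depth and hashing rounds are assumed here.
MIN_LENGTH = 8
MAX_AGE_DAYS = 60
MAX_FAILED_ATTEMPTS = 3
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 50_000


def hash_password(password, salt=None):
    """One-way storage (d)(iv): only a salted PBKDF2-SHA256 digest is ever kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def complexity_problems(password):
    """Checks i) and ii) of the review list: minimum length and character classes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


class Account:
    """A login ID with password history, age tracking and lockout. Dates are
    ISO strings (e.g. "2024-01-01") so the example is easy to drive by hand."""

    def __init__(self, user_id, password, today):
        self.user_id = user_id
        self.history = []          # (salt, digest) of current and previous passwords
        self.failed_attempts = 0
        self.locked = False
        self.changed_on = None
        problems = self.set_password(password, today)
        if problems:
            raise ValueError(problems)

    def set_password(self, new_password, today):
        """Returns the list of policy violations; empty means the change was accepted.
        Check iv): a password still in the history cannot be set again."""
        problems = complexity_problems(new_password)
        if any(matches(new_password, s, d) for s, d in self.history):
            problems.append("password reused")
        if problems:
            return problems
        self.history = (self.history + [hash_password(new_password)])[-HISTORY_DEPTH:]
        self.changed_on = date.fromisoformat(today)
        return []

    def login(self, attempt, today):
        """Returns 'ok', 'expired', 'denied' or 'locked'.
        Check v): lock the ID after MAX_FAILED_ATTEMPTS; check iii): flag an aged password."""
        if self.locked:
            return "locked"
        salt, digest = self.history[-1]
        if not matches(attempt, salt, digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0
        if date.fromisoformat(today) - self.changed_on > timedelta(days=MAX_AGE_DAYS):
            return "expired"
        return "ok"
```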


Control No 9. Physical access controls
In a computer environment, critical organizational information and data resides in electronic form in physical devices such as hardware devices, modems, switches, routers, storage media etc. These need to be protected from physical access also.

Physical access issues and exposure: The following can be threats in an organization due to improper physical access:
− Unauthorized persons getting access to restricted areas of the organization.
− Employees gaining access to unauthorized areas within the organization.
− Damage, theft or embezzlement of equipment.
− Abuse of system resources.
− Improper disposal of computer and hardware devices.

Because of the above-mentioned threats the following losses can occur:
− Financial loss
− Compromising confidentiality of information
− Compromising integrity of information
− Compromising availability of information

Sources of physical access threats can be:
− Unauthorized persons: For example thieves, hackers, former employees, competitors or ignorant persons.
− Employees: For example disgruntled employees, employees on strike, employees under suspension or termination.

Infrastructure to be protected: i) Computer room ii) Server room iii) Network devices (switches and routers) iv) Telecommunication equipment v) LAN vi) Firewalls vii) Operators console viii) Back-up storage media ix) Disposal sites x) UPS room

Physical access control mechanism: Physical access control is a three-step process:
i) Identification: The user gives his identification to the system.
ii) Authentication: The system authenticates the user on the basis of some information given by the user. For this purpose the user can use the following mechanisms:
Remembered information: Name, account number, password
Object possessed by the user: Badges, smart cards, key
Personal characteristics: Fingerprints, voice prints, signature

iii) Authorization: The system authorizes the user for various resources. This authorization can be done using either the "ticket oriented approach" or the "list oriented approach". In the ticket oriented approach, a row of the authorization matrix gives the authorization level of one user for the various resources. In the list oriented approach, a column of the authorization matrix gives, for each resource, the list of users who can access that resource. For example:

Authorization matrix (rows: User A, User B, User C, User D; columns: Zone A, Zone B, Server A, Store C; each cell is either "Enter", meaning access is permitted, or "-", meaning no access).
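The two approaches are two views of the same matrix: the ticket-oriented view is read row by row, the list-oriented view column by column. The code below is an added example, not from the chapter; it keeps the chapter's user and resource names, but the cell values of the matrix are assumed for the illustration.

```python
# Constructed example: users and resources follow the chapter's matrix, but the
# cell values are assumed. True stands for "Enter" (access permitted), False for "-".
MATRIX = {
    "User A": {"Zone A": True,  "Zone B": True,  "Server A": True,  "Store C": False},
    "User B": {"Zone A": True,  "Zone B": False, "Server A": False, "Store C": True},
    "User C": {"Zone A": True,  "Zone B": True,  "Server A": False, "Store C": False},
    "User D": {"Zone A": False, "Zone B": True,  "Server A": False, "Store C": False},
}
RESOURCES = ["Zone A", "Zone B", "Server A", "Store C"]


def ticket_oriented(matrix):
    """Row view: each user carries a 'ticket' (capability list) naming the
    resources that user may enter."""
    return {user: sorted(r for r, ok in row.items() if ok) for user, row in matrix.items()}


def list_oriented(matrix, resources):
    """Column view: each resource carries an access list naming the users
    allowed to enter it."""
    return {r: sorted(u for u, row in matrix.items() if row.get(r, False)) for r in resources}


def is_authorized(matrix, user, resource):
    """Default deny: an unknown user or an unknown resource is never authorized."""
    return matrix.get(user, {}).get(resource, False)


def revoke_user(access_lists, user):
    """Removing a leaver is cheap in the list-oriented view: strike the user
    from every resource's list in one pass (cf. disabling a card on resignation)."""
    return {r: [u for u in users if u != user] for r, users in access_lists.items()}


def views_agree(tickets, access_lists):
    """Audit check: both representations must describe the same (user, resource) pairs."""
    from_tickets = {(u, r) for u, rs in tickets.items() for r in rs}
    from_lists = {(u, r) for r, us in access_lists.items() for u in us}
    return from_tickets == from_lists


if __name__ == "__main__":
    print("tickets:", ticket_oriented(MATRIX))
    print("lists:  ", list_oriented(MATRIX, RESOURCES))
    print("consistent:", views_agree(ticket_oriented(MATRIX), list_oriented(MATRIX, RESOURCES)))
```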

Physical access controls: Some of the techniques used for physical access control are:

a) Locks on doors: Locks can be of the following types:
− Normal lock: Also called a bolting lock or padlock; it uses a metal key for opening and closing the lock.
− Cipher lock: Also called a combination lock; it uses a unique number combination for unlocking.
− Electronic door locks: This lock uses a magnetic strip card or token and a sensor that reads the card to unlock the door. This kind of lock is particularly useful for restricting the access of employees to different areas of a building, and according to time as well. Use of these locks makes administration of access rights easy, and the cards/tokens can be easily disabled when an employee resigns from the organization.
− Biometric door locks: These locks are highly secure and use unique body features to unlock the door, such as voice prints, fingerprint scanners or retina scanners.

b) Physical identification medium:
− Identification badges: Special identification badges such as employee cards, privileged access passes, visitor passes etc. enable tracking the movement of personnel. These may also contain a signature and photograph, which the security staff can check to permit or deny access.
− Personal Identification Number (PIN): This number is assigned to the individual, who has to punch it in on a keypad to authenticate himself. A PIN is used in conjunction with another identification medium like an ID card.
− Plastic cards: These are ID cards like identification badges.

c) Maintenance of log:
− Manual logging: All visitors should be asked to sign a visitor's register indicating their name, address, whom they are meeting and the purpose of the visit. The security staff can further check some valid ID proof like a driving licence before allowing access.
− Electronic logging: When electronic or biometric identification is used, the access logs are also maintained in electronic form. The system automatically generates these logs as and when a person enters through a door using his token/card etc.

d) Other measures:
− Security guards: They are most commonly deployed, depending on the cost and sensitivity of the resources to be secured. Sometimes dogs are also effective, particularly at night.
− Video cameras: CCTV cameras provide a detective control. This technique needs to be supplemented by security monitoring and guards for taking action. The video recording should be retained for some period of time, depending upon the risk perception.
− Dead man doors: This system uses a pair of doors, one after the other. When a person enters the first door, the second door remains closed. Only after the first door closes does the second door open. This mechanism is effective in checking piggybacking.
− Controlled single point entry: Physical access to the area is restricted to a single guarded point. Multiple entry points may dilute the administration of effective security.
− Security alarm: Security alarms can be used together with motion sensors and door sensors.
− Boundary fencing: Appropriate fencing should be used to secure the area.
− Visitor entry through escorts: All visitors like auditors, vendors etc. should be escorted within the organization by an employee or security staff.


Auditing physical access: Auditing physical access requires the auditor to review the physical access risks and controls to form an opinion on the effectiveness of the physical access controls. This involves the following:
− Risk assessment: The auditor must satisfy himself that the risk assessment procedure adequately covers periodic and timely assessment of all the assets and the physical access threats to them.
− Review of security policy: The auditor should review the security policy of the organization and the security procedure documents for physical access security. This includes building plans, cable diagrams, camera locations, security guard locations etc.
− Control assessment: On the basis of the risk assessment, the auditor evaluates whether the physical access controls are in place and adequate to protect the IS assets against the risk.
− Testing of controls: The auditor should physically see the access control mechanism by taking a tour of the organization. Interviewing staff can also provide information on their awareness and knowledge of procedures.
− Examination of physical access logs: This includes examination of incident reporting logs and problem resolution reports.
− Some special considerations: Check all entry and exit points, glass windows, movable and modular cubicles, air ducts and false ceilings.

Control No 10. Environmental controls
This control deals with external environmental factors and preventive measures to overcome them. From the perspective of environmental exposures and controls, information system resources may be categorized as follows, with the focus primarily on the facilities which house them:
i) Hardware and Media: Includes computing equipment, communication equipment and storage media.
ii) Information Systems Supporting Infrastructure or Facilities: This typically includes the following:
• Physical premises, like computer rooms, cabins, server rooms, data centre premises
• Printer rooms, remote facilities and storage areas
• Communication closets
• Cabling ducts
• Power source
• Heating, ventilation and air conditioning (HVAC)
iii) Documentation: Physical and geographical documentation of computing facilities with emergency evacuation plans and incident planning procedures.
iv) Supplies: Third-party maintenance procedures for, say, air-conditioning, fire safety and civil contractors, whose entry and access with respect to the scope of work assigned to them are to be monitored and logged.
v) People: People include employees, contract employees, visitors, supervisors and third-party maintenance personnel.

Environmental issues and exposures: Environmental exposures are primarily due to nature, and some are man-made also. Common environmental threats, both natural and man-made, are:
− Fire induced by lightning and natural disasters.
− Fire due to human negligence.
− Natural disasters like earthquakes, storms, floods etc.
− Extreme variation in temperature such as heat or cold, snow and light.
− Power spikes, power failure.
− Electrical shock
− Air conditioning failure
− Humidity, dust and smoke.
− Food particles, residues and smoking in the computer room.
− Insects and rodents.
− Equipment failure
− Electro-magnetic interference.
− Radiation
− Chemical effects
− Bomb threat

Control over environmental exposures: The following controls can be implemented to overcome environmental exposures:
− Documented policies and procedures: There should be a well documented policy to deal with environmental risk factors.
− Fire proof walls, floors and ceilings: Fire proof construction material should be used. A fire resistance rating of at least two hours is generally recommended.
− Concealed protective wiring: Power and communication cables should be laid in separate fire resistant panels and ducts.
− Pest control: A proper setup should be in place for pest control.
− Ventilation and air-conditioning: Proper air-conditioning is required to maintain the right temperature, particularly in the server room. Proper ventilation is required to remove any fumes generated by UPS batteries.
− Prohibition against eating, drinking and smoking: These should be strictly prohibited in the computer/server room.
− Uninterrupted power supply (UPS): Depending on the application, a UPS with a specific back-up time should be used.
− Electrical surge protectors/spike busters/line conditioners: Power supply from external sources has many problems like surges, spikes, sags, brown-outs, noise, grounding etc. Thus it requires special equipment to make it usable for computer systems.
− Smoke and fire detectors: Smoke and fire detectors have sensors which are activated by smoke or heat and raise an alarm.
− Manual fire alarm: These should be placed at strategic locations so that in case of emergency they can be easily accessed.
− Emergency power off: An emergency power off switch should be installed so that in case of emergency it can be used to cut off power.
− Hand-held fire extinguishers: These should be placed at locations from where they can be easily accessed in case of emergency.
− Sprinkler system: There are two kinds of sprinkler systems used for fire fighting:
• Wet-pipe sprinkler: Sprinklers are provided at various places in the ceiling and the pipes are filled with water. In case a fire breaks out, the sprinkler showers water over that location.
• Dry-pipe sprinkler: These are similar to wet-pipe sprinklers, except that the pipes are not flooded with water. The pipes remain dry, and when the fire sensors sense a fire, water is pumped into the pipes.
− Gas based fire extinguishers: Halon gas based fire extinguishers can be used in places where water sprinklers could create a short circuit. But they are not environmentally friendly and adversely affect the ozone layer.
− Strategically locating the computer server room: The computer server room should not be located on the ground floor or in the basement of a building, since flooding in case of heavy rain can easily occur in these areas.
− Regular fire inspection: Regular inspection of the building by fire and safety experts is a good preventive control.


Auditing environmental controls: The auditor should review the following:
− Review the policy and procedures of environmental control to see whether all aspects of environmental control have been covered.
− Building plans, wiring plans and the location of computer rooms and server rooms need to be reviewed to determine their appropriateness.
− Review preventive maintenance by examining service reports.
− Check the construction material used in the computer and server room and its fire fighting ability by checking the fire rating of such material.
− Check the location of fire extinguishers and the dates of refilling and servicing.
− Review emergency procedures, evacuation plans, business continuity plans and disaster recovery plans (BCP/DRP).
− Review maintenance logs, AMC and service records of sprinklers, UPS, generators and other devices.

See Module: Appendix – 1: Master Checklist on Logical Access Controls; Appendix – 2: Master Checklist for Physical and Environmental Security

Previous examination questions

Exam        Marks
Nov 2012    17
May 2012    18
Nov 2011    23
May 2011    21
Nov 2010    21
May 2010    15
Nov 2009    20
June 2009   25
Nov 2008    10

Nov 2012: (5 Marks) Q: What are the activities to be undertaken during the post implementation review?
Nov 2012: (6 Marks) Q: XYX Ltd. is a large multinational company with offices in many locations. It stores all its data in just one centralized computer centre. It uses internal controls in order to ensure asset safeguarding, data integrity, systems efficiency and effectiveness. What could be the interrelated components of its internal control? Discuss them briefly.
Nov 2012: (6 Marks) Q: What is the skill set expected from an IS auditor?
May 2012: (6 Marks) Q: What do you mean by unauthorized intrusion? What is hacking and what damage can a hacker do?
May 2012: (6 Marks) Q: What is a virus? What policy and procedure controls can be recommended for ensuring control over virus proliferation and damage?
May 2012: (6 Marks) Q: As an IS Auditor, what are the steps to be followed by you while conducting IT auditing?
Nov 2011: (5 Marks) Q: (Case Study) What kind of training will you recommend to enrich the human resources for effective utilization of the proposed new system and standards?
Nov 2011: (4 Marks) Q: What is the significance of Post Implementation Review? How is it performed?
Nov 2011: (6 Marks) Q: What is Data Privacy? Explain the major techniques that are used to address privacy protection for IT systems.
Nov 2011: (4 Marks) Q: In what ways is an audit trail used to support security objectives? Describe each one of them.
Nov 2011: (4 Marks) Q: Short note: Locks on doors with respect to physical access control.
May 2011: (5 Marks) Q: What are the points that need to be taken into account for the proper implementation of physical and environmental security in respect of information system security?
May 2011: (8 Marks) Q: Discuss the policies and controls that any financial institution needs to consider when utilizing public key infrastructure.
May 2011: (4 Marks) Q: Describe the role of an IS auditor in the evaluation of physical access control.
May 2011: (4 Marks) Q: Short note: Firewalls
Nov 2010: (5 Marks) Q: (Case Question) When the existing information system is to be converted into a new system, what are the activities involved in the conversion process?
Nov 2010: (8 Marks) Q: "Once the information is classified on various levels, the organization has to decide about the implementation of different data integrity controls." Do you agree? If yes, explain data integrity and its policies.
Nov 2010: (8 Marks) Q: Systems maintenance is an important phase during the implementation of the system. If so, what are the three categories in which maintenance can be undertaken? As an IS auditor of the organization, how will you evaluate the effectiveness and efficiency of the systems maintenance process?
May 2010: (10 Marks) Q: The management of ABC Ltd. wants to design a detective control mechanism for achieving security policy objectives in a computerized environment. As an auditor, explain how audit trails can be used to support security objectives.
May 2010: (5 Marks) Q: Explain the role of the IS auditor in evaluating logical access control.
Nov 2009: (5 Marks) Q: How should the human resources be enriched for effective utilization of the proposed new systems and standards?
Nov 2009: (5 Marks) Q: Explain the term 'Cryptosystems'. Briefly discuss the data encryption standard.
Nov 2009: (5 Marks) Q: Discuss the three processes of the access control mechanism when a user requests resources.
Nov 2009: (5 Marks) Q: Discuss anti-virus software and its types.
June 2009: (5 Marks) Q: "While reviewing a client's control system the auditor will identify three components of internal controls." State and explain these three components.
June 2009: (10 Marks) Q: A company is engaged in stock taking activities. Whenever an input data error occurs, the entire stock data is to be reprocessed at a cost of Rs 50,000. The management has decided to introduce a data validation step that would reduce errors from 12% to .5% at a cost of Rs 2,000 per stock taking period. The time taken for validation causes an additional cost of Rs 200. (i) Evaluate the percentage of cost-benefit effectiveness of the decision taken by the management and (ii) suggest preventive control measures to avoid errors for improvement.
June 2009: (5 Marks) Q: What are the issues that should be considered by a system auditor at the post implementation review stage before preparing the audit report?
June 2009: (5 Marks) Q: Write a short note on: Firewall
Nov 2008: (5 Marks) Q: Briefly explain the formal change management policies and procedures to have control over system and program changes.
Nov 2008: (5 Marks) Q: What do you understand by classification of information? Explain different classifications of information.

Log on to www.cafinal.com for exam oriented QRP (quick revision points) of this chapter.

CHAPTER 4

TESTING – GENERAL AND AUTOMATED CONTROLS

◙ Introduction to Basis of Testing (Reasons for Testing):
• Testing is a scientific process performed to determine whether the
- Controls are designed correctly (Test of Design - TOD), and
- Controls are working effectively (Test of Effectiveness - TOE)
• Testing involves understanding the process and the expected results.
• Testing of a large number of transactions or a large amount of data is not possible, so sampling is used.
• The two methods of control testing are:
- Substantive Testing: This testing ensures that the process is working as per the design of the control and produces reliable results.
- Compliance Testing: This testing ensures that the control is working as designed and that management directives are adhered to.

◙ The Information Systems Control Audit involves the following three phases:
1. Planning: The auditor develops an audit plan so that the control testing can be done in an effective and efficient manner.
2. Testing: The auditor tests the design and effectiveness of IS controls.
3. Reporting: The auditor concludes and reports the results of the audit.

3 Phases in IS Audit: Phase I: Audit Planning → Phase II: Audit Testing → Phase III: Audit Reporting

Phase I: Audit Planning
• During audit planning the auditor examines the materiality and significance of different processes and controls in order to plan effective and efficient audit procedures. Accordingly he determines the nature, timing and extent of audit procedures.
• To determine the materiality and significance of any process or control, both quantitative and qualitative factors should be taken into account. A transaction or process may be quantitatively insignificant but qualitatively significant, since it may contain sensitive data or provide access to other sensitive resources. For example, a web server of the organization that provides non-critical public information to external users may, if wrongly configured, expose critical information.
• Planning continues during the audit work as well, since the auditor may change the planned audit approach as new situations and evidence come to his knowledge.


Phase II: Audit Testing ◙ Audit Testing Introduction: • • • • •

Before testing, the auditor decides on test plan and nature, timing and extent of testing and testing methodologies. Depending on the audit, computer assisted techniques and Generalized Audit Software (GAS) like IDEA and ACL can be used. These software can help in sampling, data extraction, exception reporting and statistical analysis. To test various application controls, the auditor should use both valid and invalid range of test data to check the ability of the system to detect, correct and prevent errors. During testing phase the auditor should focus on critical controls over high risk areas and critical processes. The auditor performs the necessary testing by using documentary evidence, corroborating interviews and personal observation. The information gathered during this phase has to be validated (cross-checked) in several ways - Asking same question to different employees and comparing the answers - Asking the same question in different ways - Comparing the checklist answers to observations, work papers, documents, tests results etc. - Conducting mini-studies of critical operations.

IS Controls Audit Process: IS Control audit process involves: • Understanding the organization and its key business processes, • Understanding the network structure of the organization • Identifying the key areas of audit interest (files, applications, systems, locations etc.) • Assessing IS risk on a preliminary basis, • Identifying critical control points (e.g. external access points to network) • Preliminary understanding of IS controls, and • Performing other audit planning procedures

IS Control audit as part of financial audit: If the IS control audit is performed as part of a financial audit, the auditor has to understand the internal controls over financial reporting, in order to assess the risk of material misstatement of the financial statements, and how these controls are implemented in the IT environment.
IS Control audit as part of performance audit: If during a performance audit the IS controls are determined to be significant to the audit objectives, the auditor should evaluate the design and operating effectiveness of such controls.
In both cases, the auditor has to determine:
• The extent to which internal controls depend on the information systems.
• The availability of evidence outside the information system to support the findings and conclusions.
• The relationship of information systems controls to data reliability.
• Whether assessing the effectiveness of IS controls is an audit objective in itself.


Identify Key Areas of Audit Interest:
• The auditor should identify the key areas of audit interest which are critical for achieving the audit objectives. For a financial audit, this would include key financial applications and data and the related feeder systems. For a performance audit, this would include critical systems and processes that are likely to be significant to the audit objectives.
• For each key area, the auditor should document the general support systems and major applications and files, including:
- The operational location of each key system or file
- Critical components of the system, e.g. hardware, software, firewalls, routers etc.
- Other systems or resources that support the key areas of audit interest
- Prior audit/problem reports
• The auditor should also identify all access paths to/from the systems identified as key areas of audit interest.
• The auditor should prioritize critical systems, files, processes or locations in order of importance to the audit objectives.
• While documenting the preliminary understanding of the design of IS controls, the auditor should include the following:
- Documented security plans
- Documented risk assessments
- Identification of entity-wide controls and the auditor's conclusion about their design effectiveness. Areas where such controls are missing should be identified and the corresponding risks noted.
- Identification of business process level controls for key applications and their design effectiveness. Again, areas where such controls are missing should be identified and the corresponding risks noted.
- Review of any internal or third-party IS audit or special testing (e.g. penetration testing, DRP testing and application-specific testing) done in earlier years
- Management's action plans that address IS weaknesses and control weaknesses
- Status of prior years' audit findings
- Any IS incidents reported in prior years
- Certification and accreditation documents related to the information systems
- Documented BCP/DRP
- A description of third-party IT services used by the entity
- Any laws and regulations applicable to the entity and their implications for the audit objectives
- Documentation of communication with management
- If data processing is done by an outside service organization, the service auditor's report

Performing Information System Control Audit Tests: The auditor should identify and evaluate controls at the following three levels:
(i) Entity-wide or component level: These are general controls at the entity/component level. For example, the entity may have entity-wide policies and procedures for configuration management which define accountability, responsibility, development and maintenance, monitoring and centralized configuration management tools. The absence of entity-wide control processes may be the root cause of weak or inconsistent controls.
(ii) System level: These controls are more specific than those at the entity/component level and generally relate to a single type of technology or major application. There are three sub-levels:
- Network: control and monitoring of the organization's LAN/WAN
- Operating system: control over the operating system
- Infrastructure applications: software that is not directly related to the business processes but helps in performing systems operations, e.g. databases, e-mail, browsers, plug-ins and utilities.
For example, configuration management control at the system level should determine whether the entity has applied appropriate configuration management practices for each significant type of technology (e.g. firewalls, routers) in each of the three sub-levels. Such practices may include standard configuration guidelines and tools for the various system components.
(iii) Business process application level: Controls at this level consist of policies and procedures for controlling specific business processes. For example, the entity's configuration management should reasonably ensure that all changes to application systems are handled in accordance with those policies and procedures.

Fig below shows control activities applicable at different levels of audit:


◙ Testing Critical Control Points
• The auditor should evaluate the effectiveness of the IS controls related to each critical control point and should note down all the potential ways in which the control point could be accessed.
• For example, if a particular router is considered to be a critical control point, the auditor should test the controls over the router itself, its operating system and the infrastructure applications used to manage the router. Access to any of these could lead to access to the control point.
◙ Test Effectiveness of Information System Controls
• Testing the effectiveness of IS controls should be done on a tiered basis, starting with general controls at the entity-wide and system levels, followed by general controls at the business process application level, and concluding with tests of business process application, interface and database controls at the business process application level:
- Entity level: general controls
- System level: general controls
- Business process level: general controls
- Business process level: application-specific controls
• This testing strategy is used because ineffective IS controls at a higher tier generally result in ineffective controls at the subsequent tiers.
◙ Test of General Controls at the Entity-wide and System Levels
• The auditor may test general controls through a combination of procedures, including observation, inquiry and inspection. Although sampling is generally not used to test general controls, the auditor may use sampling to test certain controls such as those involving approvals.
• If general controls at the entity-wide and system levels are not effectively designed and operating as intended, the auditor will generally be unable to obtain satisfaction that business process application level controls are effective. In such a case, the auditor should:
(i) Determine and document the nature and extent of the risks resulting from ineffective general controls, and
(ii) Identify and test any manual controls that achieve the control objectives that the IS controls were meant to achieve.
• If the manual controls do not achieve the control objectives, the auditor should determine whether any specific IS controls are designed to achieve them. If not, the auditor should report appropriate findings together with recommendations.
◙ Test of General Controls at the Business Process-Application Level
• If the auditor reaches a favorable conclusion on general controls at the entity-wide and system levels, he should then evaluate and test the effectiveness of general controls at the business process-application level (also known as application security controls).
• If general controls are not operating effectively within the business process application, business process application controls and user controls will generally be ineffective.


◙ Test of Business Process Application Controls and User Controls
• The auditor should generally perform tests of business process application controls and user controls only where the entity-wide, system and application-level general controls were determined to be effective.
• If IS controls are not likely to be effective, the auditor should obtain a sufficient understanding of the control risk arising from the information systems to identify the impact on the audit objectives. The auditor should also consider whether manual controls achieve the control objectives in such a situation.
• The auditor should develop audit procedures accordingly and report appropriate findings together with recommendations.
• IS controls that are not effective in design do not need to be tested for operating effectiveness.
◙ Appropriateness of Control Tests
For evaluating the IS controls, the auditor should perform an appropriate mix of audit procedures. Such procedures can include the following:
• Inquiries
• Interviews
• Questionnaires
• Observations
• Document review
• Inspection of approvals
• Analysis of system information (e.g. configuration settings, access control lists etc.)
• Use of CAATs
• Re-performance using dummy data
After the control evaluation is done, the auditor can identify those controls which are not properly designed to achieve the control objectives and therefore result in a potential weakness. For each such potential weakness, the auditor should look for any compensating controls or other factors that could mitigate the risk and achieve the control objectives. Otherwise the auditor should report the weakness, together with a recommendation, to the entity.
◙ Multiyear Testing Plans
• In the case of a recurring IS control audit, the auditor may prepare a multiyear plan for performing the IS audit.
• Such a plan should not cover more than a three year period.
• The auditor should re-evaluate the plan annually and adjust it in light of new findings and significant changes in the IT environment, such as the installation of new systems.
• Under such a plan, not all areas are tested each year; the testing is spread over the multiyear period. For example, a multiyear plan for an entity having five major business process applications might include comprehensive tests of two or three applications annually, thus covering all the applications in a two or three year period. For high risk systems, the auditor generally performs annual testing.
• Such a multiyear plan may not be appropriate in the following situations:
- First-time audits
- Where business process applications or controls have not been tested within a sufficiently recent period
- Entities where entity-wide general controls are poor
◙ Documentation of Control Testing Phase
The auditor should document the following:
• An understanding of the information systems that are relevant to the audit objectives
• IS control objectives and activities relevant to the audit objectives
• A description of the control techniques used by the entity at the different levels
• The specific tests performed at the different levels and related documents that describe the nature, timing and extent of such tests
• Where a control is ineffective, any compensating control or other factor present to achieve the control objective, and its justification
• Material weaknesses and significant deficiencies


Phase III: Audit Reporting
◙ Audit Reporting
• After completing the testing phase, the auditor:
- summarizes the results of the audit,
- draws conclusions on the individual and aggregate effect of the identified IS control weaknesses on audit risk and the audit objectives, and
- reports the results of the audit.
• When the IS control audit is performed as part of a broader financial or performance audit, the IS auditor should coordinate with the financial auditor to determine whether significant controls are dependent on IT processing.
Audit Objectives
• Determine which IS control techniques are relevant to the audit objectives.
• For each relevant IS control technique, determine whether it is suitably designed to achieve the control objective.
• Perform tests to determine whether such control techniques are operating effectively.
Report Audit Results
For this, the auditor should:
• Evaluate the effect of the identified IS control weaknesses
• Report in the form appropriate to the engagement (financial audit, attestation engagement or performance audit)
• Consider other audit reporting requirements and related reporting responsibilities
Substantive Testing
• Where controls are determined not to be effective, substantive testing may be required to determine whether there is a material issue with the resulting financial information.
• In an IT audit, substantive testing is used to determine the accuracy of the information being generated by a process or application.
• The auditor uses computer aided audit tools (CAATs) to gather information and conduct the audit tests.
Documenting Results
The final step involves evaluating the results of the work and preparing a report on the findings. The audit results should include the findings, conclusions and recommendations.
Audit Findings
• Audit findings should be formally documented and include the process area audited, the objective of the process, the control objectives, the result of the test of control and a recommendation in case of a control deficiency.
• An audit finding form can be used to document both control strengths and weaknesses.
• The information can then be used to prepare the formal audit report.
Analysis
• Analysis is the most important factor in converting raw data into a finished product ready for inclusion in an audit report. Complete analysis of the test information should provide the auditor with all the information necessary to write the audit report.
• Most of the analysis is done when the auditor sits down to write the audit report. But if the analysis is done during the testing and evidence collection phase itself, further testing can be done where necessary and everyone has more time for corrective action.
• One purpose of the current working paper guidelines is to provide documentation of this analysis process.




The four steps in analysis are:
- Re-examine the standards and facts
- Determine the causes of deviations
- Determine the materiality and exposure of the deviation
- Determine possible recommendations for corrective action

Let us discuss these four steps further:
- Re-examination: This is the most important step in doing analysis. The two factors under consideration are the 'standard' (for comparison with the facts) and the 'facts' (to compare with the standards).
Standards: Standards are the procedures, operating guidelines, regulations, best practices or other pre-defined methodologies that define how the operation under audit should function. Standards should be identified and evaluated at the beginning of the audit, and decisions on the appropriateness of standards should be addressed at the time the audit tests are created. Four situations may occur while evaluating standards:
i) No standard exists (this implies a high degree of risk)
ii) A standard exists but is not formal
iii) The standard is formal and published but is redundant, expensive, or no longer necessary/appropriate
iv) The standard is formal and appropriate for evaluating the work performed
Facts: After reviewing the standards, the auditor must evaluate the gathered facts. These facts should be adequately supported by photocopies or hard evidence, and the auditor should obtain the client's agreement that the deviations exist. To ensure that the findings are accurate, the sample should be:
i) Large enough to reflect the behavior of the population, and
ii) Representative of the population
Verification: Finally, the auditor must again compare the findings to the re-examined standards to determine whether a valid discrepancy still exists. If not, there is no issue and nothing to report. If the discrepancy is still apparent, the analysis of the finding continues.
- Cause: Once the auditor has gained an understanding of the standards, the next step is to identify the causes of the deviations. This is done by answering the "who, what, why, where and when" of a particular asset, process or transaction. Determining the causes also helps in identifying the exposure and in formulating the recommendations.
- Exposure and Materiality: This step examines the potential consequences of the deviations and the need for correction. For this, the auditor must understand exposure and materiality. Exposure results from subjecting an asset to potential loss, harm, damage, theft, improper use or neglect. Assets can be tangible, intangible or human. The risk is posed by people or by the environment. The degree of exposure is related to the proximity and severity of the risk: proximity of risk refers to the availability or nearness of assets to the risk causing factors (persons or environmental factors), and severity of risk refers to the potential amount of loss for each deviation. Materiality is a quantitative judgment about whether a deviation's frequency of occurrence and degree of exposure are significant enough for the deviation to be corrected and included in the final audit report.


◙ Concurrent or continuous audit and embedded audit modules:
a) Concurrent audit is a technique in which audit evidence is collected at the same time as an application system processes data, or immediately after the processing is completed.
b) This technique works in a paperless environment.
c) In online systems, transactions are generated by various users and processed continuously by the system. The auditor cannot stop the processing to apply his audit tests to the transactions or to the process. In such a situation the auditor uses concurrent audit techniques, also called continuous audit modules or embedded audit modules.
Let us discuss some of the concurrent audit techniques:
- Snapshots
- Integrated test facility (ITF)
- System control audit review file (SCARF)
- Continuous and intermittent simulation (CIS)

I. Snapshots: In this technique the audit software captures a snapshot of a transaction's data at selected points as it flows through the system. Snapshots are taken at those points where materiality is high. The snapshots are then used to check the authenticity, accuracy and completeness of the processing performed on the transaction. Important considerations in this technique are:
- Locating the snapshot points in the system on the basis of materiality.
- Timing of the snapshots.
- The mechanism for examining and reporting on the snapshots.

II. Integrated test facility (ITF): In this technique the ITF module creates dummy entities in the system. The auditor uses these dummy entities to process dummy data and checks the results for authenticity, accuracy and completeness. This is done in the live environment together with regular processing. Important considerations in this technique are:
- The ITF should tag the dummy data so that the system can recognize it and remove it later.
- In some cases, instead of dummy data, the ITF can tag live data and apply the tests to it. This has the advantage that the data does not need to be removed later. But in this case the test data cannot represent extreme testing conditions, since it is actual live data, and this kind of technique can also interfere with routine system processing.
- It is important to remove the dummy data introduced into the system by the ITF. This can be done by a) tagging the dummy transactions and removing them, b) reversing the transactions, or c) using negligible-value financial transactions as dummies so that they have no financial implication and need not be removed at all.


III. System control audit review file (SCARF):
- This technique involves embedding audit software modules within the host application system to provide continuous monitoring of the system's transactions. These audit modules are placed at predetermined points to gather information about those transactions which the auditors deem to be material. The information collected is written onto a special audit file, the SCARF master file, which the auditors examine for audit purposes.
- The auditor might use the SCARF technique to collect the following information:
i) Application system errors
ii) Policy and procedure variances
iii) Exception transactions
iv) Statistical samples
v) Snapshots and extended records
vi) Profiling data
vii) Performance measurements

IV. Continuous and intermittent simulation (CIS): This is a variation of the SCARF method and can be used when the application system uses a database management system. This method uses the database management system to trap exceptions that are of interest to the auditors.
- First, a transaction is selected on the basis of sampling or of some unusual characteristic.
- The database management system provides CIS with all the data required by the application system to process the selected transaction.
- CIS now processes the transaction by replicating the application system's processing (parallel simulation).
- Every update to the database that arises from processing the selected transaction is checked by CIS to determine whether discrepancies exist between the results produced by the two methods.
- Exceptions identified are written to an exception log file (as in SCARF).
- The advantage of CIS is that it does not require modification of the application system.
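To make the difference between SCARF and CIS concrete, here is an added Python example; it is not code from the original notes, and the posting routine, the discount policy, the thresholds and the sample transactions are all hypothetical and constructed. The SCARF hook is embedded inside the application's posting routine and writes material or variant transactions to a SCARF file as they are processed. The CIS part sits outside the application: it selects transactions of interest, recomputes the expected result from the approved policy (parallel simulation), compares it with the update the application actually made, and logs any discrepancy.

```python
"""Added example (not from the original notes): a toy posting routine with an
embedded audit module (SCARF) and an auditor-side parallel simulation (CIS).
Application, discount rule, thresholds and transactions are hypothetical."""
from typing import Dict, List

INITIAL_BALANCES = {"A1": 1000.0, "A2": 250.0}   # constructed opening balances
DISCOUNT_RATE = 0.05        # assumed policy: 5% discount when amount >= 500
SCARF_THRESHOLD = 900.0     # assumed: amounts at/above this are material

ACCOUNTS: Dict[str, float] = {}     # the "database" updated by the application
SCARF_FILE: List[dict] = []         # SCARF master file (in memory here)
CIS_EXCEPTIONS: List[dict] = []     # CIS exception log


def policy_rate(amount: float) -> float:
    """Discount rate according to the approved policy."""
    return DISCOUNT_RATE if amount >= 500 else 0.0


def scarf_hook(txn: dict, before: float, after: float) -> None:
    """Embedded audit module: as each transaction is processed, records those
    the auditor deems material or that show a policy variance."""
    reasons = []
    if txn["amount"] >= SCARF_THRESHOLD:
        reasons.append("material amount")
    if after < 0:
        reasons.append("policy variance: negative balance")
    if txn.get("override") is not None:
        reasons.append("manual discount override")
    if reasons:
        SCARF_FILE.append({"id": txn["id"], "account": txn["account"],
                           "before": before, "after": after, "reasons": reasons})


def app_process(txn: dict) -> float:
    """Production posting routine with the SCARF hook embedded in it. An
    operator may force a different discount via `override`; that deviation
    is exactly what the audit modules exist to catch."""
    before = ACCOUNTS[txn["account"]]
    rate = txn["override"] if txn.get("override") is not None else policy_rate(txn["amount"])
    after = before - txn["amount"] * (1 - rate)
    ACCOUNTS[txn["account"]] = after
    scarf_hook(txn, before, after)
    return after


def cis_select(txn: dict) -> bool:
    """CIS trap: select large or unusual transactions for simulation."""
    return txn["amount"] >= 500 or txn.get("override") is not None


def cis_simulate(txn: dict, before: float) -> float:
    """Auditor's independent re-implementation of the posting rule, written
    from the approved policy rather than copied from the application code."""
    return before - txn["amount"] * (1 - policy_rate(txn["amount"]))


def run_batch(txns: List[dict]) -> dict:
    """Processes a batch: every transaction goes through the application;
    selected ones are also replicated by CIS and compared with the database
    update the application actually made. State is reset on each call."""
    ACCOUNTS.clear(); ACCOUNTS.update(INITIAL_BALANCES)
    SCARF_FILE.clear(); CIS_EXCEPTIONS.clear()
    checked = 0
    for txn in txns:
        selected = cis_select(txn)
        expected = cis_simulate(txn, ACCOUNTS[txn["account"]]) if selected else None
        actual = app_process(txn)
        if selected:
            checked += 1
            if abs(expected - actual) > 0.005:   # tolerate rounding only
                CIS_EXCEPTIONS.append({"id": txn["id"],
                                       "expected": round(expected, 2),
                                       "actual": round(actual, 2)})
    return {"processed": len(txns), "cis_checked": checked,
            "cis_exceptions": list(CIS_EXCEPTIONS),
            "scarf_records": len(SCARF_FILE), "balances": dict(ACCOUNTS)}


# Constructed sample batch; T3 carries an unauthorised 20% discount override.
SAMPLE_BATCH = [
    {"id": "T1", "account": "A1", "amount": 100.0},
    {"id": "T2", "account": "A1", "amount": 600.0},
    {"id": "T3", "account": "A2", "amount": 950.0, "override": 0.20},
    {"id": "T4", "account": "A2", "amount": 30.0},
]

if __name__ == "__main__":
    print(run_batch(SAMPLE_BATCH))
    print(SCARF_FILE)
```

Running the sample batch, SCARF records T3 (material amount, negative balance, override) and T4 (negative balance), while CIS flags only T3, because its posted result differs from the policy-based simulation. Note where the two techniques live: `scarf_hook` is called from inside `app_process`, so the application had to be modified, whereas `cis_select` and `cis_simulate` never touch the application code.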

Advantages of concurrent audit techniques:
- Timely audit: The audit is done as the transaction is being processed or just after that.
- Comprehensive and detailed testing: The audit can be done in a more comprehensive manner; the extent of checking can be up to 100%.
- Evaluating the system: These techniques also evaluate the performance of the system against its design objectives.
- Effective where the audit trail is missing: The techniques do not require an audit trail.
- Surprise test capability: The evidence is collected directly from the system, so the staff is not aware of the timing of evidence collection.
- Can be used as a training tool for new users: Techniques like ITF can be used to train new staff, since data can be processed without affecting the actual system.

Disadvantages of concurrent audit techniques:
- More resources are required for the functioning of these audit modules.
- The auditor must be involved in all stages of system development.
- The auditor should have expert knowledge of the working of the information system.
- Such techniques can only work in a stable application system.


◙ Hardware testing and review: Hardware testing is done to check whether all kinds of computer hardware meet the system requirement specification. Normally hardware testing includes the following:
- Functional testing
- Performance testing
- Memory capacity testing
- Security testing
- Compatibility testing
- Capacity testing
- Recovery testing
- Accessibility testing

The auditor needs to review hardware in the following areas:
Hardware acquisition:
- There should be a well documented policy regarding H/W acquisition.
- Specific criteria should be laid down before acquiring new H/W.
- Review the purchasing procedure.
- Check approvals for new purchases.
- Check whether each request for new H/W is supported by a cost-benefit analysis.
- Check whether documentation regarding H/W specifications, installation, warranties etc. is properly maintained.

Hardware change management:
- There should be a well documented policy regarding H/W change management.
- Every change should have proper approval.
- Review the change procedure.
- Review the procedure for requesting a change or update.
- Check whether operational documentation is also updated when there is a change in H/W.
- Check that there is proper coordination during change management between IS staff, application programmers and end-users.

Hardware preventive maintenance:
- Check the frequency of preventive maintenance.
- Check whether a service report is generated on every visit of the service engineer.
- Review annual maintenance contracts (AMC).
- Check that preventive maintenance does not obstruct the production environment.

Hardware general review:
- Check service level agreements for any H/W service taken from vendors.
- Check control procedures for safeguarding H/W.
- Check performance and problem logs.


◙ Operating system review: While reviewing the operating system the auditor should consider the following issues:
- Approval procedure for purchasing the OS.
- OS change management policies.
- Selection procedure followed at the time of acquiring the OS.
- Cost-benefit analysis done during the selection procedure.
- Test procedures followed at the time of implementation.
- Access control at the operating system level.
- User authorization levels and controls at the OS level.
- Operational documentation of the OS.
- Staff training required for the operating system.
- OS maintenance and vendor support.
- OS update and patch mechanism.
- Problem logs generated by the OS.
- Service reports of the vendor's engineer.
- Audit trail generated by the operating system.
- Interface with the database.
- Interface with the network operating system.
- Application support.

◙ Network review: In client-server technology all nodes are connected to the server through a LAN or WAN. Networking helps the organization in pooling resources, but it also raises many security issues. The unique nature of each LAN makes it difficult to define standard testing procedures to effectively perform a review. The reviewer should identify the following:
- LAN topology (Bus, Ring, Star, Line, Mesh)
- Major LAN components (servers, switches, routers, modems etc.)
- LAN uses and the major applications running over the LAN
- The LAN administrator
- The major groups of LAN users
While examining the LAN the auditor should review the following:
Physical controls:
- Check the LAN documentation and LAN operating manual.
- Check the LAN diagrams for any redundant nodes or empty jacks.
- Check the LAN cabling. Structured cabling with proper casing should be in place.
- LAN cables and electricity cables should not be installed in the same casing.
- LAN switches should be physically protected by installing them in a locked cabinet.
Logical controls:
- LAN nodes should be password protected.
- Data encryption can be used for additional security.
- Use of network monitoring tools.
- A firewall should be used to protect the LAN from external networks.
- Nodes should be disabled after a short period of inactivity.
- Review network logs.
Environmental controls:
- Proper temperature and humidity.
- LAN switches get power from a UPS.
- Use of fire extinguishers.
- Fire and smoke detectors.
- Static electricity guards are in place.

Previous examination questions

Exam | Marks
Nov 2012 | 6
May 2012 | 6
Nov 2011 | 4
May 2011 | 4
Nov 2010 | 8
May 2010 | 10
Nov 2009 | 5
June 2009 | 10
Nov 2008 | 5

Nov 2012 (6 Marks) Q: During the review of hardware, how will you review the change management controls?
May 2012 (6 Marks) Q: The unique nature of each LAN makes it difficult to define standard testing procedures to effectively perform a review. So, what information should a reviewer / IS Auditor identify and understand prior to commencing a LAN review?
Nov 2011 (4 Marks) Q: Describe the advantages and disadvantages of continuous auditing techniques in brief.
May 2011 (4 Marks) Q: As an IS auditor, explain the types of information collected for auditing by using the System Control Audit Review File (SCARF) technique.
Nov 2010 (4 Marks) Q: As an IS Auditor, suggest a method to test the correctness of a particular module of source code and justify your answer.
Nov 2010 (4 Marks) Q: Write a short note on: Regression Testing.
May 2010 (5 Marks) Q: Describe some of the advantages of continuous audit techniques.
May 2010 (5 Marks) Q: Discuss the benefits and limitations of unit testing.
Nov 2009 (5 Marks) Q: Briefly discuss Black Box Testing.
June 2009 (5 Marks) Q: While testing software, how will you involve the people working in the system areas?
June 2009 (5 Marks) Q: Write short notes on the following: White Box Testing.
Nov 2008 (5 Marks) Q: Explain software testing and state its objectives.

Log on to www.cafinal.com for exam oriented QRP (quick revision points) of this chapter.

CHAPTER 5
RISK ASSESSMENT METHODOLOGIES AND APPLICATIONS

◙ Risk Assessment:
- In risk assessment an organization tries to identify
• which business processes and related resources are critical to the business,
• what threats or exposures exist that can cause an unplanned interruption of business processes, and
• what costs increase due to an interruption.
- The analytical procedures used to determine the various risks, threats and exposures faced by an organization are known by various names, such as Business Impact Analysis (BIA), Risk Impact Analysis (RIA) and so on.
- Risk assessment consists of two basic components, namely data collection and its analysis.
- The purpose of risk analysis covers threat identification, risk assessment and risk mitigation.

◙ Related Terms (Basic terms used in risk assessment)
Asset: An asset can be defined as something of value to the organization, e.g. information in electronic or physical form, software systems, employees. Characteristics of assets:
• Assets are valuable to the organization
• Assets cannot be easily replaced without cost, skill, time and resources
• Assets are part of the organization's corporate identity
• Assets are classified according to their criticality
Vulnerability: A vulnerability is a weakness in the information system that exposes the system to threats. Vulnerabilities "allow" a threat to harm or exploit the system. For example, a vulnerability could be a poor access control method allowing dishonest employees (the threat) to exploit the system to adjust their own records. Some examples of vulnerabilities:
• Leaving the front door unlocked makes the house vulnerable to unwanted visitors.
• Short passwords (less than 6 characters) make the system vulnerable to password cracking.
Normally, a vulnerability is a state in a computing system that meets at least one of the following conditions:
• Allows an attacker to execute commands as another user
• Allows an attacker to access data contrary to the specified access restrictions for that data
• Allows an attacker to pose as another entity
• Allows an attacker to conduct a denial of service
Threat: A threat is any circumstance or event that has the potential to cause harm to the information system in the form of destruction, disclosure or modification of data, or denial of service. Assets and threats are closely correlated: a threat cannot exist without a target asset.
Exposure: Exposure is the extent of loss that the organization will suffer if a risk actually materializes. It includes both immediate and long term loss.
Likelihood: Likelihood is the probability of the materialization of a risk.


Attack: An attack is an action that is meant to break the confidentiality, integrity, availability or any other desired property of the information system.
Risk: A risk is the likelihood that a vulnerability of an asset will be exploited by a threat, resulting in damage or loss to the organization. Risk increases in the IT environment due to the following reasons:
- Widespread use of technology
- Interconnectivity of systems
- Elimination of distance, time and space as constraints
- Unevenness of technological change
- Decentralization of management control
- The new trend towards electronic attacks
- Weak legal and regulatory requirements
Countermeasure: An action, device, procedure, technique or other measure that reduces the vulnerability of a component or system is referred to as a countermeasure, e.g. use of strong authentication techniques, use of anti-virus software etc.
Residual risk: Residual risk is the risk that still remains after the organization has taken all countermeasures. Residual risk must be kept at a minimum acceptable level.
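The terms above fit together in a risk register. The following Python example is added here and is not from the original notes; it assumes a simple scoring model (risk = likelihood x exposure, with each countermeasure scaling the likelihood and/or the exposure by a factor), and the assets, threats, vulnerabilities, figures and acceptable level are constructed for illustration. It ranks the register by residual risk and lists the items still above the acceptable level after the countermeasures in place, which is what "residual risk must be kept at a minimum acceptable level" means in practice.

```python
"""Added example (not from the original notes): scoring a small risk register
with the terms asset, threat, vulnerability, likelihood, exposure,
countermeasure and residual risk. The scoring model and all figures are
assumptions for illustration."""
from dataclasses import dataclass, field
from typing import List, Tuple

# A countermeasure is (name, likelihood_factor, exposure_factor); each factor
# is a multiplier in 0..1 applied to the inherent likelihood / exposure.
Countermeasure = Tuple[str, float, float]


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float            # probability of materialisation per year, 0..1
    exposure: float              # loss if the risk materialises (currency units)
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def inherent(self) -> float:
        """Risk before any countermeasure."""
        return self.likelihood * self.exposure

    def residual(self) -> float:
        """Risk remaining after all countermeasures in place."""
        likelihood, exposure = self.likelihood, self.exposure
        for _, lf, ef in self.countermeasures:
            likelihood *= lf
            exposure *= ef
        return likelihood * exposure


ACCEPTABLE_RESIDUAL = 5000.0   # assumed maximum acceptable residual risk per item

# Constructed register (assets, threats and figures are illustrative only).
REGISTER = [
    Risk("payroll database", "disgruntled employee", "shared admin password",
         0.30, 200_000, [("unique admin accounts with MFA", 0.25, 1.0),
                         ("database activity logging", 0.8, 0.5)]),
    Risk("public web server", "external intruder", "unpatched web application",
         0.50, 40_000, [("monthly patching", 0.4, 1.0)]),
    Risk("LAN switch cabinet", "theft", "unlocked cabinet", 0.10, 15_000, []),
    Risk("file server", "power loss", "no UPS", 0.90, 8_000, [("UPS", 0.1, 1.0)]),
]


def rank_register(register: List[Risk] = REGISTER) -> List[Tuple[str, float, float]]:
    """(asset, inherent, residual) ordered by residual risk, highest first."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    return [(r.asset, round(r.inherent(), 2), round(r.residual(), 2)) for r in ranked]


def above_acceptable(register: List[Risk] = REGISTER,
                     limit: float = ACCEPTABLE_RESIDUAL) -> List[str]:
    """Assets whose residual risk still exceeds the acceptable level and
    therefore need further countermeasures (or explicit acceptance)."""
    return [r.asset for r in register if r.residual() > limit]


if __name__ == "__main__":
    for row in rank_register():
        print("%-20s inherent %10.2f  residual %10.2f" % row)
    print("needs treatment:", above_acceptable())
```

With these figures the public web server (residual 8000) and the payroll database (residual 6000) remain above the acceptable level even after their countermeasures, so they are the first candidates for further treatment, while the unprotected switch cabinet (1500) is tolerable because its exposure and likelihood are both low.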

Risk and related terms

◙ Threats to computerized environment: The following are the common threats to information systems, which can obstruct the normal functioning of the system and can also cause severe damage:
1. Power loss: Power loss is a major threat in any system since it can disrupt the entire functioning of the system.
2. Communication failure: In present-day systems networking plays a key role. Failure of communication lines results in an inability to transfer data and stops many online applications.
3. Disgruntled employees: A dissatisfied and unhappy employee can deliberately cause harm to the information system or leak sensitive information.
4. Errors: Errors due to technical reasons or simple mistakes can pose a serious threat to the information system.


5. Malicious code: Malicious code such as viruses, worms, logic bombs and Trojans is a serious threat to information systems.
6. Abuse of access privileges: Employees can be a source of threat if they abuse their access rights to perform wrong and illegal operations.
7. Natural disasters: Natural disasters like earthquakes, floods, lightning, tornadoes etc. can adversely affect the organization.
8. Theft or destruction: Any theft or destruction of information system resources can result in great loss to the organization, both in terms of financial loss and loss of competitive advantage.
9. Downtime: If, due to technical or any other reasons, the information system is not available to users, it can result in direct as well as indirect loss to the organization.
10. Fire: Fire due to short circuits, negligence or any other reason can cause serious damage to the information system infrastructure.

◙ Threats due to cyber crimes:
1. Embezzlement: The misuse or stealing of funds or any other asset by an employee of the organization.
2. Fraud: Fraud is any unlawful or unauthorized action to deceive another person or organization. Fraud can be committed by someone from inside or outside the organization.
3. Theft of proprietary information: Illegally obtaining the designs, plans, blueprints, formulas, or any other secret or sensitive information of the organization.
4. Denial of service: Denial of service means preventing the organization from providing services to authorized users. This may be done by various kinds of attack on the information system from outside, such as a ping attack.
5. Sabotage: Deliberate destruction or alteration of information system assets and resources such as servers, databases, files, hardware etc.
6. Computer virus: A virus is self-replicating malicious code which causes destruction of programs and files.
7. Intrusion: Intrusion means unauthorized access to the system through the network for an unlawful purpose.
◙ Risk assessment: Risk assessment is a process to identify the risk factors, and then analyze and evaluate them to develop an appropriate risk mitigation plan. Risk assessment is a key step in developing the business continuity plan and disaster recovery plan (BCP/DRP). The following issues need to be considered:
i) Prioritization: In this step, all the components and activities of the organization are listed at one place in order of their importance.
ii) Identifying critical applications: Now the most critical components and activities are identified and further analyzed.
iii) Assessing the impact: After identifying the critical components and activities, assess the impact of disruption of these components and activities. The impact should be assessed taking into account the following points:
o Legal consequences
o Impact on customer services
o Direct loss
o Opportunity loss
o Likelihood of fraud
o Recovery procedure
iv) Identification of exposures and implications: The impact of disruption should be measured in financial terms. This is called the exposure. The probability of materialization of the risk should be calculated in quantitative terms. The risk can then be quantified as follows:
Risk = Exposure x Probability of occurrence
v) Determining recovery time: Recovery time is the period within which the operation should resume normal functioning after a disruption. The recovery time for each process should be determined so that the organization does not suffer severe loss.
vi) Assess insurance coverage: The insurance policy for information system resources should be a comprehensive policy covering all types of losses. The policy should cover:
o All hardware, equipment and infrastructure.
o Software reconstruction cost.
o Extra expenses incurred until restoration of normal activities.
o Business interruption, i.e. loss of profit.
o Valuable papers and records.
o Loss due to errors and omissions.
o Fidelity coverage for illegal acts of employees.
o Loss of back-up media while in storage or in transit.
vii) Development of recovery plan: After considering all the above aspects, the recovery plans should be made.

◙ Risk management: Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization and deciding what countermeasures (safeguards and controls) are required to reduce the risk to an acceptable level (i.e. residual risk).

Types of risk: Risk can be classified into two categories:
I. Systematic risk
- These are unavoidable risks
- They arise due to external factors which are beyond the control of the organization
- This risk cannot be mitigated with the use of technology; it can only be reduced by management policy and controls
- For example, the risk of a stock-out can only be mitigated by maintaining high stock
II. Unsystematic risk
- Unsystematic risks are specific risks which relate to some technology or method
- These risks can be mitigated by using a more advanced technology or method
- For example, there is a risk of data loss even after keeping proper backups, but it can be significantly reduced by using automatic mirroring

◙ Risk management process: The risk management process involves the following five steps:
Step 1: Identification of Information Assets
Step 2: Valuation of Information Assets
Step 3: Identifying the potential threats
Step 4: Information Risk Assessment
Step 5: Developing strategies for Information Risk Management


Risk management process (figure): Identification of Information Assets and categorization into suitable groups by their nature and objectives → Valuation of Information Assets keeping in view their criticality for survival and success → Identifying potential threats and vulnerabilities to Information Assets → Risk Assessment (assessing the probability of their occurrence, i.e. likelihood assessment, and the potential severity of loss, i.e. impact analysis) → Developing Strategies for Risk Management (Risk Avoidance, Risk Mitigation / Reduction, Risk Retention / Acceptance, Risk Transfer)

Step 1: Identification of Information Assets
Identify all the information assets that support critical business processes and need to be protected. These assets can be:
1. Intangible Assets:
o Data and information in various storage devices
o Software applications, operating systems, utility programs
2. Tangible Assets:
o People
o Hardware
o Networking devices
o Building and infrastructure
o Documentation

Step 2: Valuation of Information Assets
• Not all data has the same value
• Classify the information system resources according to their criticality
• Such classification helps in the administrative convenience of implementing controls
• Information assets may be classified in the following categories:
- Top secret: This indicates the highest classification, wherein the compromise of such information can threaten the existence of the organization. Access to such information may be restricted to a few named individuals in the organization.
- Secret: Information in this category is strategic to the survival of the organization. Unauthorized disclosure can cause severe damage to the organization.
- Confidential: Information in this category also needs a high level of protection, and unauthorized disclosure may cause significant loss or damage.
- Sensitive: Such information requires a higher classification than unclassified information. Disclosure may cause serious impact.
- Unclassified: Information that does not fall under any of the above categories is termed unclassified. It is general information whose disclosure would not cause any negative impact on the organization.

Step 3: Identifying the potential threats
A threat can be defined as an event that contributes to the interruption or destruction of any service, product or process. Common classes of threats are:
• Errors
• Malicious attack
• Fraud
• Theft
• Equipment / Software failure
Threats can exploit vulnerabilities in the system and cause loss or damage. Examples of vulnerabilities:
• Lack of user knowledge
• Lack of security functionality
• Poor choice of passwords
• Untested technology
• Transmission over an unprotected network
These threats could affect the confidentiality, integrity or availability of the information system.

Confidentiality: Confidentiality involves the protection of the organization's sensitive information from disclosure to unauthorized persons and processes. Confidentiality threats in an IT environment include intentional as well as unintentional access to sensitive information. A few examples of exposures are given hereunder:
• Improper application controls in application software may lead to sensitive information being accessed by employees not having any need to access such information, e.g. a payroll clerk may get accidental access to confidential records of management employees.
• Unauthorized disclosure arising from access to confidential data on a system/network through inadvertent broadcast of data across the network, improper disposal of data, etc.
• Accidental access to spool files used by printers may compromise sensitive information which is otherwise protected by stringent access controls.

Integrity: Integrity requires that business information and related processes should not suffer any intentional or accidental unauthorized modification, which may result in serious consequences for the business.
Integrity violations in an IT environment are also common due to system errors, which include corruption of files, power failures leading to unauthorized alteration of the values being transmitted or stored, erroneous program code leading to alteration of values in data files, etc.; hence the need to prevent processes from performing any integrity violations. A few examples of threats are given hereunder:
• A bank employee not having authority over credit files may tamper with the sanctioned amount of credit facilities by bypassing the application controls and making direct changes to data files, or by gaining unauthorized access to the manager's login.
• A computer virus may cause corruption of data/programs, thereby causing loss of transactions or loss of the integrity of such transactions.
• Integrity violations in mission-critical systems could cause irreparable damage to the business, threats to national security or loss of lives, e.g. corruption of tariff data files of Indian Railways, changes in values or parameter files of missile control systems or meteorological warning systems, corruption of program code of autopilot systems used in flight control, etc.

Availability: Availability relates to whether the information and information technology processes are available to authorized business users when required. Availability therefore requires safeguarding the information systems and processes that are essential for supporting business processes, so as to ensure that the information systems and processes critical for the conduct of business will be available to authorized users as and when required. A few examples of exposures are given hereunder:
• The most common availability problems occur due to improper capacity, such as low bandwidth or low computer resources (processing capacity, storage capacity, number of terminals, etc.) as against the actual requirements.
• Failure or improper functioning of power systems can leave the computer systems dysfunctional and hence not available for service, e.g. a power failure during banking hours.
• Intentional unavailability can also be created by hackers by launching denial-of-service attacks.

Step 4: Information Risk Assessment
Once the assets and corresponding potential threats have been identified, the systems are reviewed for weaknesses that can be exploited and the likelihood of those being exploited.

Vulnerability Assessment: Vulnerability is a condition of weakness in the technical controls, physical controls or other controls that could be exploited by a threat. A threat viewed in isolation may be misleading unless the vulnerabilities are taken into consideration. In most cases threats attempt to exploit vulnerabilities to cause loss or harm to the assets. For example, a hacker would look for loopholes in the architecture of the firewall to compromise the controls and gain unauthorized access to the network.

Probability or Likelihood Assessment: Likelihood is the estimation of the frequency or the chance of a threat happening. In general, historical information about many threats is weak, particularly with regard to human threats; hence judgment and experience in this area are relevant. Care needs to be taken in using any statistical threat data and its source, otherwise the analysis may be inaccurate or incomplete. In general, the greater the likelihood of a threat occurring, the greater the risk. To some extent, the nature and value of information assets affect the likelihood of occurrence of a threat. If the asset is of high value, e.g. proprietary software packages, it is a prime target for piracy attempts. Thus, the identification and valuation of assets also assists with the identification of threats and their likelihood of occurrence.

Impact Analysis: A threat that succeeds in causing harm or loss to an asset results in an impact. Impact may be in terms of direct loss of money or financial impact, such as a hacker stealing a sensitive file containing all information about credit card customers that is used by the ATM access control system. Impact need not necessarily be a direct monetary impact; it can be, for example, disruption of operations leading to operational loss, delayed processing and backlogs, etc. IT risks can also lead to significant losses in terms of damages (both monetary and to the reputation of the organization), such as a hacking attack leading to compromise of sensitive financial information of customers, which the hacker may publish on the Internet, resulting in both legal repercussions and loss of reputation.


Step 5: Developing strategies for Information Risk Management
The risk management plan is developed in the following stages (figure):
Plan: 1. Identify team 2. Identify scope 3. Identify method 4. Identify tools
Collect information: 1. Identify assets 2. Assign value to assets 3. Identify vulnerabilities and threats 4. Calculate risk 5. Cost-benefit analysis
Define recommendations: 1. Risk mitigation 2. Risk transfer 3. Risk acceptance 4. Risk avoidance
Management:
- Risk avoidance: discontinue the activity
- Risk mitigation: control selection, implementation, monitoring
- Risk transfer: purchasing insurance
- Risk acceptance: do nothing

Risk Management Strategies: Once risks have been identified and assessed, appropriate corrections shall be made to the system, if required. The strategies to manage risk fall into one or more of these four major categories:


Risk Avoidance: Not doing an activity that involves risk. It involves losing out on the potential gain that accepting the risk might have provided, e.g. not using the Internet / a public network on a system connected to the organization's internal network, and instead using a stand-alone PC for Internet usage.

Risk Mitigation / Reduction: Implementing controls to protect the IT infrastructure and to reduce the severity of a loss or the likelihood of the loss occurring, e.g. using an effective anti-virus solution to protect against the risk of viruses and updating it on a timely basis.

Risk Transfer: Causing another party to accept the risk, i.e. sharing the risk with partners or through insurance coverage.

Risk Retention / Acceptance: Formally acknowledging that the risk exists and monitoring it. In some cases it may not be possible to take immediate action to avoid/mitigate the risk. All risks that are not identified, avoided or transferred are retained by default. These risks are called residual risks. Risk management aims to identify, select and implement the controls that are necessary to reduce residual exposures to acceptable levels.

◙ Understanding the Relationships Between IS Risks and Controls
- Risks that threaten information systems cannot be totally eliminated, but they can be mitigated through appropriate decisions and actions
- Threats to information systems can occur as an outcome of poor controls or the absence of controls
- A control is a check on a system designed to enhance its security. Controls can act to:
o reduce a threat
o reduce vulnerability to a threat
o reduce the impact of a threat
o detect an impact, and
o recover from an impact.
- The IS auditor should evaluate whether the available controls are adequate and appropriate to mitigate the IS risks
- In the case of deficiency in controls, the IS auditor should report such weaknesses to management along with appropriate recommendations
- Controls should be implemented after examining the cost-benefit of each new control. The following rules apply in determining the use of new controls:
o If a control would reduce risk more than needed, see whether a less expensive alternative exists
o If a control would cost more than the risk reduction it provides, find something else
o If a control does not reduce risk sufficiently, look for more controls or a different control
o If a control provides enough risk reduction and is also cost-effective, use it
- If vulnerabilities exist but with a low probability of occurrence, it may be wiser and more cost-effective simply to be conscious of the possibility of such losses rather than implement controls. This, however, depends on the risk appetite of management.


◙ Risk management cycle: It is a process involving the following steps: identifying assets, vulnerabilities and threats; assessing the risks; developing a risk management plan; implementing risk management actions; and re-evaluating the risks, as shown in the figure below:
1. Risk identification
2. Risk assessment
4. Develop risk mitigation and control plan
5. Implement risk management plan
6. Re-evaluate the risk

◙ Risk identification: In this step we try to locate all possible risks associated with the various functions within the organization. This has to be done in a very comprehensive manner covering all departments, processes and activities. Both internal and external risk factors should be considered. The following questions will help in risk identification:
- What assets do we need to protect?
- What are the vulnerabilities of these assets?
- What can go wrong with these assets?
- What are the threats to these assets?
- How can someone disrupt our operations?
- Which are the most complex activities in the organization?
- What is our greatest legal, financial and operational exposure?
The two primary questions to be considered when evaluating the risk inherent in a business function are:
1. What is the probability that things can go wrong?
2. What is the cost/loss if that thing goes wrong?


◙ Risk evaluation: Risk evaluation is done for the various risk factors to assess the probability and exposure related to them. The purpose of risk evaluation is to:
a) identify the probability of failures and threats
b) calculate the exposure, i.e. the damage or loss to assets
c) make control recommendations keeping the cost-benefit analysis in mind
The following five techniques are used for risk evaluation:
i) Judgment and intuition: In this technique management uses personal judgment and intuition for risk assessment. The professional knowledge and experience of the manager doing this task help him to judge the risk better.
ii) Delphi technique: In this technique a panel of experts is appointed to evaluate risk. Each expert gives his opinion in a written and independent manner. These written opinions are compiled by a facilitator, and an anonymous summary report is generated and provided to all experts. The experts then re-estimate their findings in light of this summary report. This process can continue for three to four rounds. Finally, the process is stopped after a pre-defined stop criterion (e.g. number of rounds, achievement of consensus, or stability of results), and the average scores of the final round determine the final risk estimate.
iii) Scoring technique: In this approach each risk and exposure is assigned a weight depending on the severity and cost involved. The product of the risk weight and the exposure weight gives the weighted score. The sum of these weighted scores gives the risk and exposure score of the system. These scores can be used to rank risks and exposures.
iv) Quantitative techniques: In this technique various quantitative tools are used to calculate the probability of occurrence of an event and the exposure associated with it. In this way the total expected loss can be calculated and cost-effective solutions for preventing such losses can be designed.
v) Qualitative techniques: In this technique probability data is not required and only the estimated potential loss is used. Most qualitative risk analysis methodologies make use of a number of interrelated elements such as:
o Threats
o Vulnerabilities
o Controls
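The Delphi rounds described under technique ii) can be simulated end to end. The following Python script is an added example written for these notes, not part of the original text or of any particular firm's methodology. The five experts' initial scores (likelihood on a 1 to 10 scale) are constructed data, and the way an expert revises an estimate (moving half-way toward the anonymous group median) is an assumption, since the notes only say that experts re-estimate in light of the summary. What it does show is the mechanics a facilitator needs: independent written estimates, an anonymous summary (only aggregates are fed back, never who said what), repeated re-estimation, and the three pre-defined stop criteria (round limit, consensus, stability), with the average of the final round as the risk estimate.

```python
from statistics import mean, median, pstdev

# Constructed data (assumption, not from the notes): five experts' independent
# written estimates of the likelihood of a threat on a 1..10 scale.
INITIAL_ESTIMATES = [3, 4, 8, 5, 9]


def facilitator_summary(estimates):
    """Compile the anonymous summary report. Only aggregates are returned,
    so no expert learns which colleague gave which estimate."""
    return {
        "median": median(estimates),
        "mean": mean(estimates),
        "spread": pstdev(estimates),  # population std dev of the round's scores
    }


def expert_revise(own_estimate, summary, revision_weight):
    """One expert re-estimates in light of the summary. Moving part-way toward
    the group median is an assumed model of how experts revise; the notes do
    not prescribe one."""
    return own_estimate + revision_weight * (summary["median"] - own_estimate)


def run_delphi(initial_estimates, max_rounds=4, consensus_spread=1.0,
               stability_delta=0.25, revision_weight=0.5):
    """Run Delphi rounds until a pre-defined stop criterion is met:
    - consensus:  the spread of the round's estimates is <= consensus_spread
    - stability:  the round mean moved by <= stability_delta since the last round
    - max_rounds: the round limit was reached
    Returns the final estimate (average of the final round), the number of
    rounds run, the criterion that stopped the process and the round history."""
    estimates = [float(e) for e in initial_estimates]
    previous_mean = None
    history = []
    for round_no in range(1, max_rounds + 1):
        summary = facilitator_summary(estimates)
        history.append((round_no, summary))
        if summary["spread"] <= consensus_spread:
            return {"estimate": summary["mean"], "rounds": round_no,
                    "stop": "consensus", "history": history}
        if previous_mean is not None and abs(summary["mean"] - previous_mean) <= stability_delta:
            return {"estimate": summary["mean"], "rounds": round_no,
                    "stop": "stability", "history": history}
        previous_mean = summary["mean"]
        # Each expert re-estimates independently after reading the summary.
        estimates = [expert_revise(e, summary, revision_weight) for e in estimates]
    # Round limit reached: the estimate is the average of the last revised round.
    return {"estimate": mean(estimates), "rounds": max_rounds,
            "stop": "max_rounds", "history": history}


if __name__ == "__main__":
    result = run_delphi(INITIAL_ESTIMATES)
    for round_no, summary in result["history"]:
        print(f"round {round_no}: median={summary['median']:.2f} "
              f"mean={summary['mean']:.2f} spread={summary['spread']:.2f}")
    print(f"final estimate {result['estimate']:.2f} after {result['rounds']} round(s), "
          f"stopped on {result['stop']}")
```

With the constructed scores the panel reaches consensus in the third round at an estimate of 5.2; lowering `max_rounds` to 1 stops on the round limit instead, and raising `stability_delta` to 0.5 stops on stability in round 2. Whichever criterion is used should be fixed before the first round is run, otherwise the facilitator can steer the outcome by choosing when to stop.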

◙ Risk ranking: Risk ranking is the part of the risk management process in which identified risks are ranked according to their severity. The impact of the risk and the probability of occurrence are assigned weights and then the weighted risk factor is calculated. Weights can be assigned in the following manner:

Probability of occurrence   Weight
High                        10
Medium                      5
Low                         1

Impact              Nature of disruption                  Weight
No damage           No interruption in work               0
Low damage          Interruption up to 8 hours            1
High damage         Interruption between 8 and 48 hours   2
Very high damage    Interruption of more than 48 hours    3


To obtain the weighted risk rating, the probability weight is multiplied by the impact weight. For example, if the probability of occurrence of a particular threat is medium (5) and the impact is high damage (2), then the weighted risk factor will be 5 x 2 = 10.

Considerations in risk analysis:
i) Examine the past frequency of each type of threat.
ii) Determine the degree of predictability and the amount of forecasting associated with the disaster.
iii) Examine the speed of the disaster, e.g. sudden or gradual.
iv) Estimate the duration of the disaster.
v) Find out the impact of the disaster on:
 Critical records
 Persons
 Operating capability
 Assets
 Other infrastructure
vi) Determine the level of back-up facilities required in case of emergency to accommodate critical systems including staff, hardware, software and network.
vii) Estimate potential loss including:
 Increased operating cost
 Opportunity loss
 Loss of assets
 Loss of income
 Loss of goodwill
 Legal consequences
 Loss of competitive edge
viii) Estimate potential losses for each business function separately.
ix) Determine the cost of contingency planning.
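The weighted risk ranking above, the quantified form Risk = Exposure x Probability of occurrence from the risk assessment section, and the four cost-benefit rules for new controls from the IS risks and controls section all fit in one small risk register. The Python below is an added example written for these notes, not code from the original text. The register entries, exposures, probabilities and control costs are constructed figures; the probability and impact weights are the ones in the tables above. The margin used to decide that a control reduces risk "more than needed" (half again the reduction required to reach the acceptable loss level) is an assumption, as is treating a risk already within the acceptable level as one to monitor rather than control, which follows the notes' remark about low-probability vulnerabilities.

```python
# Weights from the notes' two ranking tables.
PROBABILITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}
IMPACT_WEIGHT = {"no damage": 0, "low damage": 1, "high damage": 2, "very high damage": 3}

# Constructed risk register (assumption: illustrative ratings, not from the notes).
SAMPLE_REGISTER = [
    {"threat": "Malicious code", "probability": "High", "impact": "Very high damage"},
    {"threat": "Power loss", "probability": "Medium", "impact": "High damage"},
    {"threat": "Communication failure", "probability": "High", "impact": "Low damage"},
    {"threat": "Errors", "probability": "Medium", "impact": "Low damage"},
    {"threat": "Natural disaster (flood)", "probability": "Low", "impact": "Very high damage"},
]


def weighted_risk(probability, impact):
    """Weighted risk factor = probability weight x impact weight."""
    return PROBABILITY_WEIGHT[probability.lower()] * IMPACT_WEIGHT[impact.lower()]


def rank_risks(register):
    """Return the register sorted from highest to lowest weighted risk,
    ties broken by threat name so the ranking is deterministic."""
    scored = [dict(entry, score=weighted_risk(entry["probability"], entry["impact"]))
              for entry in register]
    return sorted(scored, key=lambda entry: (-entry["score"], entry["threat"]))


def expected_loss(exposure, probability):
    """Risk = Exposure x Probability of occurrence (the quantified form in the notes)."""
    return exposure * probability


def evaluate_control(exposure, probability, residual_probability, control_cost,
                     acceptable_loss, over_reduction_margin=0.5):
    """Apply the notes' cost-benefit rules to one proposed control.
    exposure:             loss if the risk materialises (money)
    probability:          probability of occurrence without the control
    residual_probability: probability of occurrence with the control in place
    acceptable_loss:      expected loss management is willing to retain
    Returns (decision, reason). The over_reduction_margin is an assumption."""
    current = expected_loss(exposure, probability)
    after = expected_loss(exposure, residual_probability)
    reduction = current - after
    needed = max(current - acceptable_loss, 0.0)
    if needed == 0.0:
        return "accept", (f"expected loss {current:.0f} already within acceptable "
                          f"{acceptable_loss:.0f}; monitor rather than add a control")
    if control_cost > reduction:
        return "find_alternative", f"cost {control_cost:.0f} exceeds risk reduction {reduction:.0f}"
    if after > acceptable_loss:
        return "insufficient", (f"residual expected loss {after:.0f} still above acceptable "
                                f"{acceptable_loss:.0f}; look for more or different controls")
    if reduction > needed * (1 + over_reduction_margin):
        return "seek_cheaper", (f"reduction {reduction:.0f} far exceeds the {needed:.0f} needed; "
                                f"check for a less expensive alternative")
    return "adopt", f"reduces expected loss by {reduction:.0f} at cost {control_cost:.0f}"


if __name__ == "__main__":
    for entry in rank_risks(SAMPLE_REGISTER):
        print(f"{entry['score']:>3}  {entry['threat']:<26} {entry['probability']:<7} {entry['impact']}")
    # Constructed figures: exposure 500,000, 20% per year, control cuts it to 5% for 30,000.
    print(evaluate_control(500_000, 0.20, 0.05, 30_000, acceptable_loss=40_000))
```

In the constructed register "Malicious code" ranks first with a factor of 30 and the two factor-10 threats tie, which is exactly the point at which the qualitative scale stops helping and the quantitative expected-loss figures in `evaluate_control` take over for deciding which control to fund.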

◙ Risk mitigation: Risk mitigation means the systematic reduction of risk to an acceptable level. Risk cannot be reduced to zero in any circumstance; it can only be reduced to a level at which management is comfortable and can tolerate that much risk. Some general risk mitigation measures are:
- Self-assessment of risk.
- Creating an environment which supports risk mitigation.
- Strengthening internal controls.
- Financial strength in the form of reserves.
- Establishing a business continuity plan and disaster recovery plan (BCP/DRP).
- Creating a separate risk management department.
- Proper insurance.
- Outsourcing of services.
Some of the risk mitigation techniques are discussed below:
i) Insurance: Through insurance the risk of one organization is transferred to another. This is also called risk sharing. It is very important to know the type of policy and the risks covered by it. A comprehensive policy should be taken to cover all types of risk in the organization.
ii) Outsourcing: In outsourcing, some of the functions of the organization are performed by an outside agency. In such a case it is important to check whether the risk associated with that process has also been transferred to the outside agency or only the operation has been outsourced.
iii) Service level agreements: When a service is outsourced to an outside vendor, the service level can be guaranteed by SLAs. In such a case, if the service falls below the guaranteed limit, the risk lies with the vendor. Similarly, the organization can have SLAs with its customers which exclude some of the risk factors; for example, ATM service is subject to the availability of network connectivity.

◙ Balancing risk and controls: Risk can be reduced or mitigated by implementing more and more controls, but every control involves a cost to the organization. So the organization has to balance risk and control at an acceptable level. There is no sense in implementing greater controls to reduce a risk whose exposure is less than the cost of implementing the new control. Examples of problems due to excessive risk and excessive control are as follows:
Excessive risk results in:
- Loss of assets
- Poor business decisions
- Non-compliance
- Increased fraud
- Instability
Excessive controls result in:
- Increased bureaucracy
- Reduced productivity
- Reduced efficiency
- Increased complexity
- Increase in cost

Logon to www.cafinal.com for exam oriented QRP (quick revision points) of this chapter


Previous examination questions

Exam        Marks
Nov 2012    6
May 2012    9
Nov 2011    12
May 2011    12
Nov 2010    Nil
May 2010    10
Nov 2009    10
June 2009   10
Nov 2008    20

Nov 2012: (6 Marks) Q: Threat is any circumstance or event with the potential to cause harm to an information system. What can be the threats due to cyber crimes?
May 2012: (5 Marks) Q: (Case Study) Discuss risk assessment with the help of risk analysis framework in brief.
May 2012: (4 Marks) Q: Short Note – Risk Mitigation Measures.
Nov 2011: (8 Marks) Q: How will you define risk assessment? Briefly explain various review areas to be focused upon.
Nov 2011: (4 Marks) Q: What are commonly used techniques to assess and evaluate risk? Explain each one of them.
May 2011: (8 Marks) Q: Explain the common threats to the computerized environment of an organization.
May 2011: (4 Marks) Q: Delphi technique for risk evaluation.
May 2010: (5 Marks) Q: What are the common threats to the computerized environment other than natural disasters, fire and power failure?
Ans: Following are the common threats to the computerized environment other than natural disaster, fire and power failure: Communication failure, Disgruntled employees, Errors, Malicious codes, Abuse of access privileges, Theft or destruction, Downtime
May 2010: (5 Marks) Q: What are the two primary questions to consider when evaluating the risk inherent in a business function in the context of the risk assessment methodologies? Give the purposes of risk evaluation.
Nov 2009: (5 Marks) Q: Explain the threats due to Cyber crimes.
Nov 2009: (5 Marks) Q: Describe Risk Management Process.
June 2009: (5 Marks) Q: "Always, there exist some threats due to Cyber Crimes." Explain these threats.
June 2009: (5 Marks) Q: State and explain four commonly used techniques to assess and evaluate risks.
Nov 2008: (20 Marks) Q: (a) Explain the following terms with reference to Information Systems (i) Risk (ii) Threat (iii) Vulnerability (iv) Exposure (v) Attack (b) "There always exist some Common threats to the computerized environment." Explain these threats. (c) What do you understand by "Risk Assessment"? Discuss the various areas that are to be explored to determine the risk. (10 + 5 + 5 = 20 Marks)

CHAPTER 6 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING

◙ Business continuity planning: Definition: Business continuity planning is the activity of designing and implementing plans that protect against business disruption in case of crises and disasters. BCP defines the steps, plans and procedures for continuation of business activities irrespective of the situation. Business continuity planning covers the following areas:
- Business resumption planning: Planning to carry on critical business processes during a disaster or soon after the disaster.
- Disaster recovery planning: Planning to recover the business operations from any disaster.
- Crisis management: Crisis management is the overall coordination and planning done by an organization to manage any crisis and minimize the damage due to that crisis.

Business continuity planning life cycle: The whole process of business continuity planning can be expressed as the BCP cycle (figure): Risk assessment → Designing plans → Implementing recovery plans → Plan testing and validation → back to Risk assessment

Objectives and goals of business continuity planning: BCP has the following objectives/goals:
1. Provide safety to employees during a disaster.
2. Identify critical business functions.
3. Identify weaknesses in the system.
4. Resume critical business operations as soon as possible.
5. Minimize the duration of disruption of critical activities.
6. Implement a disaster prevention program.
7. Minimize losses.
8. Establish key roles and emergency powers of managers.
9. Simplify recovery activities.
10. Facilitate coordination of recovery tasks.


◙ Developing a business continuity plan: Steps/Methodology to develop BCP
1. Pre-planning activities
2. Vulnerability assessment
3. Business impact analysis
4. Requirement definitions
5. Plan development
6. Plan testing
7. Plan implementation
8. Plan maintenance

1. Pre-planning activities: Pre-planning activities provide management with a comprehensive understanding of the total effort required to develop and maintain an effective recovery plan. This phase includes the following activities:
- Understanding the present and projected system.
- Defining the overall scope of the BCP.
- Developing a policy to support the BCP.
- Establishing a steering committee with overall responsibility.
- Appointing a business continuity manager who coordinates with the steering committee.
- Launching a BCP awareness program to educate employees.
2. Vulnerability assessment: A vulnerability assessment is done to find the weaknesses in the existing system. This phase includes the following activities:
- Identifying critical business processes.
- Identifying all possible threats and vulnerabilities in the system.
- Evaluating the existing security measures and controls that prevent a disaster.
- Evaluating any existing emergency plans.
- Documenting the findings and communicating them to the steering committee.
3. Business impact analysis (BIA): BIA is done to assess the degree of potential loss or impact due to various events or incidents. The BIA report should be presented to the steering committee. This phase includes the following activities:
- Estimating the impact of all types of threats and disasters on the organization.
- Quantifying the tangible exposure (financial loss).
- Quantifying the intangible exposure (loss of goodwill and customers).
- Identifying interdependent processes and how they are affected by disruption of each other.
- Determining the maximum allowable downtime for each business process.
- Submitting a report on the findings to the steering committee for further action.
The following methods can be used for doing a business impact analysis:
i) Questionnaires: Questionnaires can be framed, and managers and other technical staff can be asked to fill them in according to their judgment about possible losses and impact.
ii) Workshops: A workshop can be conducted where managers give suggestions and brainstorm about the various impacts.
iii) Interviews: Interviews of different managers and staff can be conducted to learn their perception of the business impact of any incident.
iv) Examination of documents: Various technical documents can be examined to learn the nature and extent of the probable loss due to any incident.
4. Requirement definitions: This phase includes the following activities:
- Identification of recovery alternatives for short-term, medium-term and long-term crises.
- Determining the resources required to support critical functions.
- Estimating the resources required for the BCP support function in terms of hardware, software, facilities and personnel.
- Defining the scope, objectives and assumptions of the business continuity plan.


5. Plan development: This phase includes the following activities:
- Formulating overall recovery strategies for the organization as a whole.
- Formulating business recovery strategies for the different business functions, including logistics, accounting, HR and others.
- Formulating technical recovery strategies for hardware, software, servers, network etc.
- Defining and documenting the recovery plan components.
- Defining changes to user procedures and data processing procedures.
- Defining the roles and duties of the recovery teams.
- Determining the changes to be made in vendor contracts to fit these contingency plans.
6. Plan testing: After the business continuity plan has been developed it needs to be tested thoroughly to check whether it will work in a crisis situation or not. Testing is a continuous activity: the plans need to be tested before implementation and also on a regular basis after implementation to ensure their effectiveness. The objective of testing is to ensure that:
- The recovery procedures are complete and workable.
- Staff are adequately trained to perform the recovery procedures.
- Resources like hardware, software, personnel etc. are adequate for performing the recovery procedures.
- Manual recovery and back-up procedures, wherever required, are also workable.
7. Plan implementation: Once the plan is developed and initial testing is done, it has to be implemented. Specific procedures in this phase are:
- Implementing the individual components of the plan.
- Assigning job roles and duties to the staff.
- Providing emergency guidelines to staff.
- Scheduling test activities.
8. Plan maintenance: After implementation the BCP needs to be maintained effectively. It needs to be updated as per environmental and technological changes. Specific issues related to maintenance are:
- Determining the ownership of and responsibility for maintaining the BCP function.
- Determining the BCP maintenance process.
- Continuous monitoring of the BCP to look for desired changes.
- Designing change management procedures and version control for changes in the BCP.

◙ Types of plan: There are four kinds of plans in the BCP/DRP function:
I. Emergency plan
II. Back-up plan
III. Recovery plan
IV. Test plan

I. Emergency plan: The emergency plan specifies the actions to be taken immediately after a disaster occurs. Components of an emergency plan are:
(1) Who is to be notified immediately when the disaster occurs, e.g. management, police, fire department, hospital etc.
(2) Actions to be taken, e.g. shutdown of equipment, termination of power, removing files etc.
(3) Evacuation procedure.
(4) Return and restart conditions and procedures when the site is safe again.

II. Back-up plan: The back-up plan specifies the back-up arrangements to be made to overcome the disruption. The plan should be designed in such a manner that all the critical resources are backed up. It generally specifies the following information:
(1) Personnel: Training and rotation of duties can help in achieving staff back-up.
(2) Hardware: Arrangement with another company or a reciprocal arrangement.


(3) Data/information: Secure storage of data and information on-site and off-site.
(4) Documentation: Inventory of documentation stored securely on-site and off-site.
(5) Facilities: The site where these resources can be assembled and operations restarted.
(6) Application and system software: To be stored on-site, off-site or under an escrow arrangement.
(7) Supplies: A stock of emergency supplies to be kept on-site and off-site, and a list of vendors to be kept.

III. Recovery plan: The objective of a recovery plan is to restore an organization's information system to its full capabilities after a disruption. The specific issues in this plan are:
(1) Creation of a recovery committee which is responsible for the recovery efforts.
(2) Assigning roles and responsibilities to the recovery committee members.
(3) Documenting a recovery guideline.
(4) Deciding the priority in which the different processes and functions need to be recovered.
(5) Appointing a new member if a committee member leaves.
(6) Periodic review of the recovery procedures and guideline by the committee.

IV. Test plan: This plan outlines the testing procedures for the emergency, back-up and recovery plans. Without a test plan all the above three plans can prove to be ineffective at the time of disaster. The test plan includes:
(1) Paper walkthrough test, in which the plans are checked for their logical steps. This is also called desk-checking.
(2) Specific component test, in which individual components of a plan are checked.
(3) Full simulation test, in which the complete BCP/DRP is checked by simulating a disaster, giving prior notice to the persons affected by it.
(4) Acid test, in which the plan is checked by simulating a disaster without warning anyone.

◙ Threats and risk management: Various threats and risks to computer systems and suggested control measures are as follows.
Threats to computer systems (figure): human error, outsourcing, environmental conditions, equipment failure, technology, internet, utility outage, supply chain, fire, strike, organizational infrastructure, water leaks, outage, third parties, vendors, viruses, terrorism, hackers.

1. Lack of integrity: It means there are unauthorized changes to the information and it loses its correctness. Control measures to ensure integrity include:
 Implementation of security policies, procedures and standards
 Use of encryption techniques and digital signatures
 Data validation controls
 Logical and physical access controls
 Security awareness and training program for employees
 Maintenance of audit logs and audit trails
 Use of antivirus software, etc.
2. Lack of confidentiality: It means confidential information is disclosed to unauthorized persons. Control measures to ensure confidentiality are:
 Developing a security policy, procedures and standards
 Use of encryption techniques and digital signatures
 Employee awareness and training program
 Requiring employees to sign a non-disclosure undertaking
 Use of passwords and other authentication techniques
 Secure storage of media and data files


3. Lack of availability: It means information and systems are not available on a timely basis to the authorized user. Control measures to ensure availability are:
 Implementation of software configuration controls
 Fault tolerant hardware and software
 System backup procedures
 Incident logging and reporting procedure
 Backup power supply
4. Unauthorized access: It means unauthorized users attempt to gain access to the system and its resources. Control measures to stop unauthorized access are:
 Boundary controls (identification, authentication and authorization)
 Use of passwords, biometrics, smart cards etc.
 Firewall and intrusion detection system
 Encryption techniques
5. Hostile software: It means malicious code like viruses, Trojans, worms etc. Controls to protect against such malicious software include:
 Using updated anti-virus and anti-spyware software
 Using a firewall
 Cryptographic checksums
6. Disgruntled employees: It means frustrated, unhappy and dissatisfied employees. Controls for such employees can be:
 Physical and logical access controls
 Training and security awareness programs for employees
 Motivation of employees
 Job enrichment and job rotation
7. Hackers and computer crimes: Hackers are persons who try to gain unauthorized access to a computer system or try to modify the system. Controls can be:
 Use of firewall and intrusion detection system
 Frequent change of passwords
 Use of encryption techniques
 Logging features and audit trails of systems
8. Terrorism and industrial espionage: Industrial espionage means spying done by one company on another. Controls to prevent such risks are:
 Use of encryption techniques
 Traffic padding and flooding techniques to confuse intruders
 Intrusion detection system

Single point failure analysis (Technology risk assessment):
- A single point of failure means any single factor which can cause an entire system to fail. For example, this could be an individual hardware component that causes an entire system to fail, or it could be a single line of faulty code that causes an entire program to quit working.
- Thus it is very important to identify single point of failure components. In single point failure analysis each component of the information system is examined to determine the effect of its failure on the entire system. This analysis can therefore find those components whose failure can bring down the entire system.
- Effective controls need to be in place to avoid single points of failure. Resilient technology should be used at such points, and back-up arrangements should also be in place.
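The analysis described above, worked through as an added example in Python (not part of the original notes): a small constructed system is modelled as AND/OR dependencies, each component is failed in turn, and the top-level service is re-evaluated. The component names and dependency layout are assumptions made for the example; the second run shows how adding a redundant storage array removes one of the single points of failure.

```python
"""Single point of failure (SPOF) analysis over a dependency model.

Added example for these notes (not from the original text). The system
below is a constructed, hypothetical one; all component names are
illustrative. Each component needs every one of its requirement groups
satisfied, and a group is satisfied when any one of its alternatives is
up (an AND of ORs). Failing each component in turn and re-evaluating the
top-level service reveals the single points of failure.
"""
from copy import deepcopy
from typing import Dict, List, Set, Tuple

# component -> requirement groups; each group lists interchangeable providers.
Dependencies = Dict[str, List[List[str]]]

SYSTEM: Dependencies = {
    "billing-service": [["app-server"], ["db-primary", "db-replica"], ["core-switch"], ["isp-link"]],
    "app-server":      [["mains", "ups"]],
    "db-primary":      [["mains", "ups"], ["san-storage"]],
    "db-replica":      [["mains", "ups"], ["san-storage"]],   # replica shares the same storage
    "core-switch":     [["mains", "ups"]],
    "san-storage":     [["mains", "ups"]],
    "isp-link":        [],
    "mains":           [],
    "ups":             [],
}


def is_up(component: str, system: Dependencies, failed: Set[str],
          path: Tuple[str, ...] = ()) -> bool:
    """True if `component` still works given the components in `failed`."""
    if component in failed or component in path:
        return False   # failed outright, or part of a dependency cycle (treated as down)
    path = path + (component,)
    for group in system.get(component, []):
        if not any(is_up(alt, system, failed, path) for alt in group):
            return False   # no alternative in this requirement group is available
    return True


def find_spofs(system: Dependencies, service: str) -> List[str]:
    """Components whose failure alone brings `service` down."""
    return sorted(c for c in system if c != service and not is_up(service, system, {c}))


def add_alternative(system: Dependencies, existing: str, new: str,
                    new_requirements: List[List[str]]) -> Dependencies:
    """Copy of `system` in which `new` is an interchangeable back-up for `existing`."""
    hardened = deepcopy(system)
    hardened[new] = new_requirements
    for groups in hardened.values():
        for group in groups:
            if existing in group and new not in group:
                group.append(new)
    return hardened


if __name__ == "__main__":
    print("single points of failure:", find_spofs(SYSTEM, "billing-service"))
    hardened = add_alternative(SYSTEM, "san-storage", "san-storage-2", [["mains", "ups"]])
    print("after adding a second storage array:", find_spofs(hardened, "billing-service"))
```

Note that the redundant database pair still shares one storage array, so the analysis reports the storage as a single point of failure even though the databases themselves are not.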


Benefits of technological risk assessment:
i) Identify, quantify and manage risk.
ii) Future improvement in technical delivery.
iii) Provides a framework to select the correct technology.
iv) Reduction of risk to an acceptable level.
v) Single points of failure are not built into the overall systems architecture.

◙ Software and data back-up techniques: Data is the most critical component of any information system. Backing up files can protect against accidental loss of user data, database corruption, hardware failures and even natural disasters. When a back-up of the whole system is taken, including software and user data, it is called a system back-up.
Types of back-up techniques:
I. Full back-up: This is the simplest back-up technique, in which all the data files are copied to the back-up regardless of any previous back-up. For restoration also, only one full back-up file has to be restored, which makes restoration simple. However, this back-up requires a lot of time and storage space.

II. Differential back-up: A differential back-up creates back-up copies of the files that have changed since the last full back-up. This back-up requires less time and storage space as compared to a full back-up. For restoration, the full back-up file together with the latest differential back-up file is required.

III. Incremental back-up: An incremental back-up creates a back-up of the files that have changed since the most recent full or incremental back-up. This back-up requires the least time and storage space. But it is the most difficult to restore, since for restoration the full back-up file together with all the incremental back-up files is required.

IV. Mirror back-up: In this back-up technique a mirror image of all the files is automatically generated and kept by a mirroring server. Every update to the original file is immediately reflected in the back-up file. It is the most advanced form of back-up technique. In the remote mirroring technique the mirroring of data is done at a site which is at a geographical distance from the main site. The mirroring server at the main site is linked to the other server through a WAN link. This has the additional advantage of automatic off-site back-up.
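The full, differential and incremental strategies compared above, worked through as an added example in Python (not from the original notes): a constructed four-day file history is backed up with each strategy, and the simulation reports how many file copies each strategy stores and how many back-up sets a restore needs. The file names and contents are made up for the example; each set carries SHA-256 digests that are checked before it is used for a restore.

```python
"""Full, differential and incremental back-ups over a constructed file set.

Added example for these notes (not from the original text). The daily
file states below are constructed sample data; the point is to show how
much each strategy stores and how long the restore chain becomes.
Deletions are not tracked, to keep the model short.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

FileSet = Dict[str, bytes]

# Constructed state of a small file system on four consecutive days.
DAY_STATES: List[FileSet] = [
    {"ledger.csv": b"v1", "payroll.db": b"p1", "config.ini": b"c1"},                        # day 0
    {"ledger.csv": b"v2", "payroll.db": b"p1", "config.ini": b"c1"},                        # day 1: ledger edited
    {"ledger.csv": b"v2", "payroll.db": b"p1", "config.ini": b"c1", "invoices.pdf": b"i1"},  # day 2: new file
    {"ledger.csv": b"v3", "payroll.db": b"p1", "config.ini": b"c1", "invoices.pdf": b"i1"},  # day 3: ledger edited
]


@dataclass
class BackupSet:
    kind: str                # "full", "differential" or "incremental"
    day: int
    files: FileSet           # contents captured in this set
    digests: Dict[str, str]  # SHA-256 per file, recorded when the set was written


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_since(current: FileSet, baseline: FileSet) -> FileSet:
    """Files that are new or modified relative to `baseline`."""
    return {path: data for path, data in current.items() if baseline.get(path) != data}


def verify(bset: BackupSet) -> bool:
    """Re-hash the stored files and compare with the digests taken at back-up time."""
    return all(sha256(data) == bset.digests.get(path) for path, data in bset.files.items())


def restore_chain(history: List[BackupSet]) -> List[BackupSet]:
    """The minimal sets needed to restore the latest state from `history`."""
    last_full = max(i for i, s in enumerate(history) if s.kind == "full")
    full, after = history[last_full], history[last_full + 1:]
    if not after:
        return [full]                      # full back-up: one set restores everything
    if after[-1].kind == "differential":
        return [full, after[-1]]           # differential: full + latest differential
    return [full] + after                  # incremental: full + every incremental since


def restore(history: List[BackupSet]) -> FileSet:
    """Rebuild the latest file state, verifying every set in the chain first."""
    if not history:
        return {}
    state: FileSet = {}
    for bset in restore_chain(history):
        if not verify(bset):
            raise ValueError(f"{bset.kind} back-up of day {bset.day} failed checksum verification")
        state.update(bset.files)
    return state


def take_backup(kind: str, day: int, current: FileSet, history: List[BackupSet]) -> BackupSet:
    if kind == "full":
        files = dict(current)
    elif kind == "differential":        # everything changed since the last full back-up
        last_full = [s for s in history if s.kind == "full"][-1]
        files = changed_since(current, last_full.files)
    elif kind == "incremental":         # everything changed since the most recent back-up of any kind
        files = changed_since(current, restore(history))
    else:
        raise ValueError(f"unknown back-up kind: {kind}")
    return BackupSet(kind, day, files, {path: sha256(data) for path, data in files.items()})


def simulate(strategy: str, states: List[FileSet]) -> List[BackupSet]:
    """Day 0 is always a full back-up; later days use `strategy`."""
    history: List[BackupSet] = []
    for day, current in enumerate(states):
        history.append(take_backup("full" if day == 0 else strategy, day, current, history))
    return history


def files_stored(history: List[BackupSet]) -> int:
    return sum(len(s.files) for s in history)


if __name__ == "__main__":
    for strategy in ("full", "differential", "incremental"):
        history = simulate(strategy, DAY_STATES)
        assert restore(history) == DAY_STATES[-1]
        print(f"{strategy:12s} files stored: {files_stored(history):2d}  "
              f"sets needed to restore: {len(restore_chain(history))}")
```

On this sample the full strategy stores 14 file copies and restores from 1 set, differential stores 8 and restores from 2, and incremental stores 6 but needs all 4 sets, which is the trade-off the notes describe.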

◙ Alternate processing facility arrangement: In case of a disaster like fire, earthquake, flood etc. the physical facilities are damaged and the information system cannot work from there. Thus off-site processing alternatives are required in such cases. Such alternatives can be:
1. Cold site: A cold site is an off-site location which has all the facilities like power, network, air-conditioning etc. but not the computer servers and PCs. When a disaster occurs this site is made fully operational. This site is helpful only when the organization can tolerate some downtime.
2. Hot site: A hot site is an off-site location which is fully equipped with all the facilities, including all the computer hardware. A hot site is expensive to maintain, so generally it is shared with other organizations.
3. Warm site: A warm site is a site having facilities in between a cold and a hot site. Thus, it has all the infrastructure together with the essential hardware. It takes less time to become functional than a cold site.
4. Reciprocal arrangement: It means two or more organizations agree to provide back-up facilities to each other in the event of one of them suffering a disaster.


Important considerations while using a third party location: If a third party site is used as the off-site location then there are additional considerations which should be taken care of. There should be a written contract covering the following issues:
- The facilities available at the site.
- How soon the site will be made available after the disaster occurs.
- The number of organizations that will be using the site concurrently.
- The period during which the site will be available.
- The conditions in which the site can be used.
- The security measures and controls available at the site.

◙ Back-up redundancy: Back-up redundancy means that back-up should be done in more than one way, because if it is not done properly, the back-up itself can be a single point of failure. The following points should be taken care of while doing back-up:
1) Multiple back-up media: Back-up should be taken on more than one back-up medium, e.g. on CD and on tape.
2) Off-site back-up: Back-up should be kept at two places: one in the organization and the other at a different off-site location. This ensures that if some disaster occurs, the back-up will be safe at the other location.
3) Where to keep the back-up: Back-up media should be kept safely in fire retardant (fire proof) vaults under the physical security of lock and key.
4) Media rotation: It is important to rotate the back-up media, i.e. the back-up should not be taken on the same CD or tape every time. Similarly, off-site media should also be rotated.

Types of back-up media:
1) Floppy disk: A floppy disk is a storage medium composed of a thin disk of flexible magnetic storage medium encased in a square plastic shell; it has a capacity of 1.44 MB.
2) Compact disk (CD): A compact disc is an optical disc storage medium used to store data up to 700 MB. It is faster and more reliable than a floppy disk.
3) Tape drives: A tape drive is a data storage device that reads and writes data stored on a magnetic tape. It has a capacity of 4 GB to 10 GB. Tape drives are very slow as compared to disk drives, since a tape drive provides sequential access storage.
4) Hard disk drive (HDD): A hard disk drive records data on fast rotating disks with a magnetic surface in a sealed compartment. These have a very fast storage and retrieval mechanism but are relatively expensive. HDDs have a storage capacity of 160 GB to 2 TB.
5) Removable disk: These are external hard disks or zip drives which are connected to the computer through a USB port and are thus very convenient to use.
6) DAT (Digital Audio Tape) drives: A DAT drive is similar to a tape drive but with a higher storage capacity of 160 GB to 260 GB.
7) Optical jukebox: An optical jukebox is a robotic data storage device which can automatically load and unload 2000 optical discs, such as CDs and DVDs, thus giving a storage capacity of 35 TB to 500 TB.
8) Autoloader system: This system uses 10 to 20 DAT cassettes which are automatically loaded into the system. It can give a capacity of 500 GB to 1 TB.
9) USB flash drive: A USB flash drive consists of a flash memory data storage device integrated with a USB plug. It has a capacity of 16 GB to 256 GB and is very convenient.
10) Zip drive: A zip drive is a magnetic storage medium similar to a floppy disk but with a higher storage capacity than a floppy disk drive. It has a storage capacity of 100 MB. Like the floppy disk, it has become obsolete due to its limited storage capacity.
11) DVD: DVD, also known as Digital Versatile Disk or Digital Video Disk, is an optical disc storage medium similar to CD but with a storage capacity of 4 GB to 8 GB.
12) Blu-ray disk: A Blu-ray disk is an optical disk storage medium similar to DVD but with a storage capacity of 25 GB to 50 GB.


How to select back-up media: The following factors can be considered when selecting back-up media:
1) Speed: How fast the data can be stored and retrieved.
2) Reliability: How reliable the data retention capacity is.
3) Capacity: Does the media have enough capacity for the back-up load?
4) Extensibility: If the back-up load increases in future, can it support this demand?
5) Cost: Is the media cost effective, and does it fit the IT budget?

Back-up tips:
1) Draw up a simple and easy to understand back-up plan.
2) Create a step by step guideline for the back-up and restoration process.
3) Keep a record of back-up media.
4) Put proper labels on back-up media.
5) Use software utilities for automatic back-up scheduling.
6) Verify back-up files after taking the back-up.
7) The right of restoration should be limited to the administrator.
8) Use multiple back-up media.
9) Always keep an off-site back-up also.
10) Keep back-up media in fire retardant vaults.

◙ Disaster recovery procedural plan:
Disaster: The term disaster can be defined as an incident which exposes business operations and human life to risk. It could be due to human causes (i.e. sabotage) or natural causes.
The disaster recovery procedural plan (also called the DRP manual) is a detailed document containing all the steps that are to be taken to recover from a disaster situation. Generally it contains:
1) Conditions for activating the DRP process.
2) Emergency procedures to be taken at the time of disaster.
3) Evacuation procedure.
4) Fallback procedure, which describes the actions to be taken to move essential business activities to some other location.
5) Resumption procedure, which describes the actions to be taken for returning to normal business operations.
6) Procedures for testing and updating the DRP.
7) DRP awareness and education programs for employees.
8) Assignment of roles and responsibilities for DRP activities to individuals.
9) Location of the DRP manual and its distribution list.
10) List of emergency contact numbers of employees.
11) List of emergency contact numbers of the police / fire / medical emergency department.
12) List of vendors and their contact numbers for emergency supplies.
13) Medical procedure to be followed in case of injury.
14) Back-up location agreement.
15) Insurance papers and claim forms.

◙ Insurance: Insurance is a mechanism of risk sharing. Adequate insurance is very important to recover from any disaster. The following losses can generally be covered in an insurance policy:
1) Equipment: Covers damage to hardware and equipment.
2) Facilities: Covers loss to buildings, furniture and other infrastructure.
3) Storage media: Covers the cost of replacement / reprogramming of data and software.
4) Business interruption: Covers loss of profit due to business interruption.
5) Extra expenses: Covers additional costs incurred due to disruption and relocation.
6) Valuable papers: Covers loss of source documents, pre-printed stationery etc.
7) Accounts receivable: Covers cash-flow problems from debtors.
8) Third party losses: Covers loss from damages claimed by customers, suppliers etc.


Kinds of insurance: Generally insurance is of two kinds – "First party insurance" and "Third party insurance".
Types of insurance (figure):
- First party – Property damage
- First party – Business interruption
- Third party – General liability
- Third party – Errors & omissions

First party insurance: In a first party insurance policy, the insured person (i.e. the first party) is paid by his insurer (i.e. the second party) in the event of an accident, injury or loss. There are two types of first party insurance:
a) Property damage: It covers loss or destruction of property of any kind. The destruction can be due to any cause, but if a particular cause has been excluded in the policy then loss due to that cause will not be covered.
b) Business interruption: In case of disaster the organization suffers losses that are directly visible on the assets of the organization. But the organization also suffers loss in the form of additional costs which it has to incur to continue the business during the disruption period. Such costs can be in the form of relocating the operations, maintenance of off-site facilities etc. These additional losses can also be covered in an insurance policy.
Third party insurance: A third party insurance policy is a policy under which the insurance company (i.e. the second party) agrees to indemnify the insured person (i.e. the first party) if he is sued or held legally liable for injuries or damage done to a third party. There are two types of third party insurance:
a) General liability: This policy covers losses due to claims made by a third party on the organization for various reasons. For example, a company owning an industrial unit may buy pollution insurance to cover lawsuits resulting from environmental accidents. Damage caused intentionally by the organization to the third party is not covered in this policy.
b) Errors and omissions: This policy covers professional errors and omissions on the part of directors and officers. Professional liability insurance protects from litigation resulting from charges of professional negligence or failure to perform professional duties.
Covered incidents may include errors and omissions that result in the loss of client data, software or system failure, claims of non-performance, or negligent overselling of services.

◙ Testing methodology and checklist: Testing the DRP is an important activity in the whole DRP process. Only when the DRP is thoroughly tested can it be effective at the time of disaster. The components of DRP testing are:
(i) Hypothetical testing: It is a theoretical test involving logical examination of all the steps of a plan. It can be done through a paper walkthrough or desk checking.
(ii) Component testing: A component is the smallest set of instructions of the DRP which aims to achieve a specific objective. Several components working together make a module, and several modules working together make the whole DRP. Component testing is designed to check the detail and accuracy of individual procedures like the backup procedure, the storage of backup media procedure etc.
(iii) Module testing: A module is a combination of several components. In module testing all the components are tested together to check that they are logically connected and will function as planned. Examples of DRP modules are the evacuation procedure, alternate site activation, system recovery procedure, network recovery procedure etc.

(iv) Full testing: Full testing is done to check that all the modules will work as desired in case of disaster. The test also verifies the interdependencies of the different modules. The two objectives of full testing are:
 Total recovery time is within limits.
 Smooth flow of the recovery procedure.

Steps in testing:
1) Setting objectives: Before testing a DRP it is essential to set the objectives of the DRP test. The testing should be aimed at recovery from the worst possible disaster. Further, objectives can be set for each component test and module test.
2) Defining the boundaries: A disaster can impact an organization in several ways, but for practical reasons it is not possible to test a DRP for all its far reaching effects. Boundaries are the limits to which the test can be extended. For example, a test can involve several internal departments and check their response, but it cannot be extended to cover vendor response.
3) Scenarios: The scenario is the description of the disaster and its possible consequences. Various scenarios can be simulated for different disasters like fire, earthquake, flood etc. and the possible aftereffects of such disasters can be visualized.
4) Test criteria: These are the test conditions and the benchmarks against which they are tested.
5) Assumptions: Certain assumptions have to be made in DRP testing, which may relate to conditions existing outside the test boundaries. For example:
 Backup media kept off-site will be in usable condition.
 Purchases from vendors can be made within the specified lead time.
 Flood and fire will not occur together, etc.
6) Test prerequisites: The test prerequisites describe the resources, conditions and test team required before starting the test activity.
7) Briefing sessions: Before starting the testing activity it is very important to discuss the test modality and its implications with the test team. The test team should clearly understand the nature and criticality of the test they are about to perform so that they are not taken by surprise. Briefing should cover the following issues:
 Nature of test
 Disaster scenario
 Time and location
 Prerequisites
 Assumptions
 Restrictions
8) Checklists: A checklist provides the minimum issues to be tested and verified during the test activity. The checklist relates to specific points, and as the test progresses these points are covered and reported in the checklist.
9) Analyzing the test: The test output is analyzed to see the effectiveness of the plan and the scope for further improvement.
10) Debriefing sessions: After the test has been conducted, a meeting of the team leaders can be called by the DRP in-charge to discuss the following issues:
 Overall performance
 Specific team performance
 Observations
 Areas of concern
 Planning for the next test
 Test reports
 Test logs
11) Test report: The test report consists of the following:
 Executive summary
 Objectives
 Overall team
 List of actions
 Results
 Conclusions


◙ Audit tools and techniques: The best audit tool and technique is a periodic simulation of a disaster. Other audit techniques include observations, interviews, checklists, inquiries, meetings, questionnaires and documentation reviews. These are categorized as follows:
1) Automated tools: These tools can be used to find vulnerabilities in logical access controls, weak passwords and lack of integrity in application software.
2) Internal control auditing: This covers general and automated control evaluation and testing.
3) Disaster and security checklist: The checklist approach is used to test several pre-defined check points.
4) Penetration testing: Penetration testing is done to check network vulnerabilities. It can be done for both LAN and WAN networks. Various software tools are available to scan a network for vulnerabilities.

◙ Audit of the disaster recovery/business continuity plan: Audit of the BCP/DRP covers the following issues:
1) Audit of the BCP/DRP development phase:
 Is there a well documented business continuity plan/disaster recovery plan?
 What steps were taken to prepare these plans?
 How was the business impact analysis done?
 Check the level of participation of the various functional managers in the plan development phase.
 Check the validity of the various assumptions made during the plan development phase.
2) Audit of backup and recovery procedures:
 Are the backup procedures sufficient?
 Check the resources available under the backup arrangements.
 Are the backup arrangements current and updated?
 Check the data backup procedures.
 Review the alternate processing arrangements.
 Check the network and telecommunication backup lines.
 Review the locations where the BCP/DRP manual is kept.
3) Audit of the test plan:
 Review the test plan.
 Check the extent to which the BCP/DRP has been tested.
 Check the test logs.
 Review the BCP/DRP test report.
4) Audit of administrative procedures:
 Review the team composition of the BCP/DRP function.
 Review the training mechanism for team members.
 Is there a designated emergency operation center where the incident can be reported?
 Review the emergency contact person list and their roles and responsibilities.

Previous examination questions

Exam        Marks
Nov 2012    10
May 2012    5
Nov 2011    27
May 2011    12
Nov 2010    12
May 2010    5
Nov 2009    10
June 2009   5
Nov 2008    25

Nov 2012: (6 Marks) Q: What are the elements to be included in the methodology for the development of disaster recovery/business resumption plan?

Nov 2012: (4 Marks) Q: What are the goals of business continuity plan?

May 2012: (5 Marks) Q: Out of various types of plans used in business continuity planning, discuss recovery plan in brief.

Nov 2011: (5 Marks) Q: What are various backup techniques? Which backup technique you will recommend and why?

Nov 2011: (6 Marks) Q: Explain the various general components of Disaster Recovery Plan.

Nov 2011: (8 Marks) Q: As a system auditor, what control measures will you check to minimize threats, risk and exposures to a computerized system?

Nov 2011: (8 Marks) Q: What is the significance of Business Impact Analysis? Enumerate the task to be undertaken in this analysis. In what ways the information can be obtained for this analysis?

May 2011: (4 Marks) Q: Describe the benefits of performing technology risk assessment.

May 2011: (4 Marks) Q: Discuss the various back-up options considered by a security administrator when arranging alternate processing facility.

May 2011: (4 Marks) Q: What are the audit tools and techniques used by an IS auditor to ensure that disaster recovery plan is in order? Briefly explain them.

Nov 2010: (8 Marks) Q: "The information system insurance policy should be a multiperil policy designed to provide various types of coverage." Discuss the comprehensive list of items considered for coverage.

Nov 2010: (4 Marks) Q: "Technology risk assessment needs to be a mandatory requirement for any project to identify single point failures." – Justify.

May 2010: (5 Marks) Q: A company has decided to outsource a third party site for its alternate back-up and recovery process. What are the issues to be considered by the security administrator while drafting the contract?

Nov 2009: (10 Marks) Q: What analysis should be done for understanding the degree of potential loss (such as reputation damage, regulation effects) of an organization? Enumerate the tasks to be undertaken in this analysis. In what ways the information can be obtained for this analysis?

June 2009: (5 Marks) Q: What are the audit tools and techniques used by a system auditor to ensure that disaster recovery plan is in order? Briefly explain them.

May 2008: (5 Marks) Q: Discuss the objectives and goals of Business Continuity planning.


May 2008: (20 Marks) Q: (a) What do you understand by the term Disaster? What procedural plan do you suggest for disaster recovery? (b) Describe the methodology of developing a Business Continuity Plan. (c) Briefly explain the various types of system’s back-up for the system and data together. (10 + 5 + 5 = 20 Marks)

Logon to www.cafinal.com for exam oriented QRP (quick revision points) of this chapter.

CHAPTER 7 AN OVERVIEW OF ENTERPRISE RESOURCE PLANNING

◙ ERP – Definition:
- Enterprise resource planning (ERP) is an integrated computer-based system used to manage internal and external resources, including assets, financial resources, materials and human resources.
- ERP is a software architecture whose purpose is to facilitate the flow of information between all business functions inside the boundaries of the organization and to manage the connections to outside stakeholders.
- An ERP system is built on a centralized database and normally utilizes a common computing platform. It consolidates all business operations into a uniform, enterprise-wide system environment.

Functional areas served by an ERP system (diagram): FRM (Financial Resource Management), MRP (Manufacturing Resource Planning), SCM (Supply Chain Management), CRM (Customer Relationship Management) and HRM (Human Resource Management), all connected to the central ERP SYSTEM.

The Components of an ERP System: The components of an ERP system are the common components of a Management Information System (MIS). The ERP components are:

I. ERP Software
II. Business Processes
III. ERP Users
IV. Hardware and Operating Systems

I. ERP Software - Module based ERP software is the core of an ERP system. Each software module automates the business activities of a functional area within an organization. Common ERP software modules include product planning, parts purchasing, inventory control, product distribution, order tracking, finance, accounting and human resources.

II. Business Processes - Business processes within an organization fall into three levels: strategic planning, management control and operational control. ERP has been promoted as a solution for supporting or streamlining business processes at all levels. Much of ERP success, however, has been limited to the integration of various functional departments.

III. ERP Users - The users of ERP systems are employees of the organization at all levels, from workers, supervisors and mid-level managers to executives.

IV. Hardware and Operating Systems - Many large ERP systems are UNIX based. Windows and Linux are other popular operating systems to run ERP software.

Evolution of ERP (timeline, system, description):

1960s – Inventory Management & Control: Inventory management and control is the combination of information technology and business processes for maintaining the appropriate level of stock in a warehouse. The activities of inventory management include identifying inventory requirements, setting targets, providing replenishment techniques and options, monitoring item usage, reconciling the inventory balances, and reporting inventory status.

1970s – Material Requirement Planning (MRP): Materials Requirement Planning (MRP) utilizes software applications for scheduling production processes. MRP generates schedules for the operations and raw material purchases based on the production requirements of finished goods, the structure of the production system, the current inventory levels and the lot sizing procedure for each operation.

1980s – Manufacturing Requirements Planning (MRP II): Manufacturing Requirements Planning or MRP II utilizes software applications for coordinating manufacturing processes, from product planning, parts purchasing and inventory control to final product distribution.

1990s – Enterprise Resource Planning (ERP): Enterprise Resource Planning or ERP uses multi-module application software for improving the performance of the internal business processes. ERP systems often integrate business activities across functional departments, from product planning, parts purchasing, inventory control, product distribution and fulfillment to order tracking. ERP software systems may include application modules for supporting marketing, finance, accounting and human resources.


Enabling technologies: Most ERP systems are based on a three-tier client-server architecture. The three logical tiers of an ERP system are:
I. Client – i.e. the user interface tier
II. Application server – i.e. the business logic tier
III. Database – i.e. the data storing tier

In this type of system, the user interface tier communicates only with the business logic tier, never directly with the database access tier. The business logic tier communicates with both the user interface tier and the database access tier.

ERP characteristics: Some of the characteristics of a good ERP system are:
1) Flexibility: Desired changes in the ERP can be made as the business requirements change.
2) Modular & open: Any module can be introduced or removed without affecting the other modules. The ERP should support multiple hardware platforms, operating systems and third party add-on software.
3) Comprehensive: ERP should support all types of business functions like accounting, finance, HR, sales, production, material management etc.
4) Beyond the company: ERP should support connectivity with vendors and customers.
5) Best business practices: Best business methodologies and practices should be mapped in the ERP.

Features of ERP: Following are the features of an effective ERP system:
1) Supports both strategic and functional planning.
2) Supports multi-currency accounting.
3) Supports end-to-end supply chain management.
4) Integrates all functional areas like finance, production, sales, marketing, MM, HR etc.
5) Integrates companies under the same management.
6) Increases customer service and support.
7) Reduces the information gap across the organization.
8) Supports new technologies like EFT, EDI, internet and e-commerce.
9) Supports tools like DSS (decision support system) and EIS (executive information system).


Why companies undertake ERP: Following are the five reasons for implementing ERP in a business:
1) Integrated Financial Information: Financial reports relating to each function as well as consolidated reports are accurately generated.
2) Integrated Supply Chain Information (Customer Order Information): End-to-end supply chain management can be done and order tracking becomes simpler.
3) Standardize and speed up manufacturing operations: With better synchronization of various manufacturing activities the overall speed of manufacturing operations increases.
4) Reduce Inventory: With efficient material management techniques the stock levels of raw material, WIP and finished goods decrease, thereby improving working capital management.
5) Standardize HR Information: HR policies can be uniformly implemented even in the case of multiple business units.

Benefits of ERP: Following are the benefits of implementing ERP:
1) Facilitates day-to-day management
2) Improves productivity
3) Reduces inventory levels
4) Improves financial controls
5) Helps in reducing operating costs
6) Supports strategic planning
7) Fast generation of reports
8) More accuracy in reports
9) Less requirement of workforce
10) Faster tracking of customer orders
11) Suitable for global operations
12) Helps in complying with requirements such as IFRS, Sarbanes-Oxley or Basel II.

◙ Business process reengineering (BPR):
- Business process reengineering is a fundamental rethinking and radical redesign of business processes to achieve dramatic improvements in cost, quality, speed, and service.
- BPR combines a strategy of promoting business innovation with a strategy of making major improvements to business processes so that a company can become a much stronger and more successful competitor in the marketplace.
- Information technology plays an important role in the BPR concept due to the following reasons:
  o Enables product & service innovations
  o Improves operational efficiency
  o Coordinates vendors & customers in the process chain
- BPR seeks improvements of:
  o Cost
  o Quality
  o Service
  o Speed
- BPR is one of the fundamental steps undertaken prior to ERP implementation. Business process reengineering analyses and suggests the structural changes. This is regarded as very important because it helps in knowing how the organization should be customized in order to become ERP friendly.


Business engineering: When BPR and information technology are combined together it is called business engineering. Business engineering combines the benefits of both these concepts to give improved results.

BPR + IT Tools → Business Engineering

- Business Engineering is the rethinking of business processes to improve the speed, quality and output of materials or services.
- The emphasis of business engineering is the concept of Process Oriented Business Solutions enhanced by client-server computing in information technology.
- The main point in business engineering is the efficient redesigning of a company’s value added chains. Value added chains are a series of connected steps running through a business which, when efficiently completed, add value to the enterprise and its customers.
- Information technology helps to develop business models, which assist in the redesigning of business processes.

Business modeling:
- Business modeling involves the use of quantitative and computer methods for planning the efficient allocation of resources in business.
- The ability to utilize advanced computing technology to model, analyse and simulate various aspects of ever-changing businesses has made a significant impact on the way businesses are designed and run these days.

Business model: A business model is a diagrammatic representation of a business. With the help of tables and flowcharts all the business activities and processes are depicted in a sequential manner.

◙ ERP Implementation:
- ERP implementation can be defined as the installation of a software package that integrates all data and processes of an organization into a unified system.
- Successful ERP implementation depends upon the combined efforts of the implementation team, users and the vendors.

Key planning and implementation decisions: Before taking up the ERP implementation task, the organization has to decide on various issues:
1) ERP or no ERP? – Using ERP in an organization depends upon the nature of the business and its complexity. A feasibility study should be done before starting ERP implementation. A cost benefit analysis is also to be done before deciding on ERP implementation.
2) Follow the software’s processes or customize? – The organization can follow the process flow of the ERP software or it can customize the ERP as per its existing process flow. The process flows of ERP software are industry best practices, so the organization will benefit from following them. If the organization does not want to disturb its existing process flows then it can customize the ERP as per its existing process flows.
3) In-house or outsource? – ERP implementation can be done by an in-house team or it can be outsourced. An in-house team has the advantage of a better understanding of the internal business processes but it can lack the required expertise.
4) Big-bang or phased implementation? – In the big-bang implementation approach the complete ERP system is installed at the same time, while in phased implementation one module at a time is implemented and the existing system is also continued till the complete new system is implemented. One other strategy can be parallel implementation. In this scheme the new ERP system is implemented but the old system also continues to work for some time until the new system becomes completely reliable.


ERP implementation methodology: The steps involved in implementing ERP are as follows:
1) Identifying the needs: The first step in ERP implementation is to understand how it will help the organization to fulfill its existing needs. Some questions which need to be answered are:
  - Will ERP improve efficiency?
  - Will it reduce the delivery time of products?
  - Will it improve customer satisfaction?
  - Will it reduce cost?
  - Will it help to generate quick information?
  - Will it reduce manual working?
2) Evaluating the present processes: The existing processes should be thoroughly studied to find out:
  - Time taken by a particular process.
  - Number of departments and business processes in each department.
  - The flow of information between departments.
  - The reporting points in each department.
3) Deciding the desired situation: In this step we try to set the goals for ERP. Various benchmarks are set for different factors like quality, cost, service, customer satisfaction and delivery time.
4) Business process reengineering: BPR is done to make the structural changes in any process to make it more efficient and cost effective.
5) Evaluation of various ERP packages: Various ERP packages are evaluated as per the following criteria:
  - Flexibility: ERP should be flexible enough to change as per the change in the business environment.
  - Comprehensiveness: It should cover all departments and should be able to process all kinds of transactions.
  - Integrated: It should be able to combine all functional departments of the business as a whole so that the flow of information is smooth between the departments.
  - Beyond the company: It should be able to establish connectivity with external stakeholders like suppliers and customers.
  - Best business practices: It should follow best business practices so that the business becomes more efficient by adopting these practices.
  - New technology: It should include the latest technology and ensure inter-operability with emerging technologies.
  - Price of package and implementation: It should be cost effective.
  - Ease of implementation: It should be simple to implement.
6) Finalization of ERP package: After considering all the above points the ERP packages available in the market should be compared and analyzed and the best possible option should be selected.
7) Finalization of implementation consultant: The ERP consultant should be selected on the following criteria:
  - Skill set
  - Industry specific experience
  - Cost of hiring
8) Installation of hardware and network: The new hardware and network for the new ERP has to be installed and tested.


9) Implementation of ERP package: This step involves:
  - Formulation of team
  - Preparation of plan
  - Mapping of business processes to package
  - Gap analysis
  - Customization
  - Test run
  - Data migration
  - User documentation
  - Post-implementation support
  - Monitoring

Guidelines for successful ERP implementation:
1) Understanding the business needs and culture of the organization and matching the implementation with these factors.
2) Doing BPR and gap analysis before implementing ERP.
3) Establishing a good communication network across the organization.
4) Motivating employees to accept the new ERP system so that problems of internal resistance and non-cooperation from employees do not arise later on.
5) Creating a balanced team for implementation consisting of software personnel and business managers so as to ensure perfection, accountability and transparency.
6) Training end users for the new system.

◙ Post implementation: Some post implementation problems in ERP relate to wrong expectations and fears about ERP which people have in their minds. Some of the popular expectations are:
- Improvement in processes
- Increased productivity
- Total automation
- Improvement of all key performance indicators
- Real time information is available to all people
- Total integration of all operations
Some fears that relate to ERP are:
- Loss of job or change in job profile
- Increased stress due to greater transparency
- Individual fear of loss of authority
- Difficulty in implementing proper controls

◙ Risk and governance issues in an ERP: Organizations may face new kinds of risk when they implement an ERP system in their business. These risks can be:
1) Single point of failure: The organization depends on one large ERP software for all kinds of processing, and if that software stops functioning then all work will be held up. This results in the risk of a single point of failure.
2) Structural changes: The organizational structure changes due to business process reengineering and ERP implementation.
3) Job role changes: The job roles of employees change due to changes in processes and working methodologies.
4) Online, real-time: The role of employees becomes more critical in online real-time mode of processing, since the system is updated as soon as the transaction is punched into the system. If some data cannot be entered due to technical reasons then there should be provision for re-entry of that data.
5) Change management: The new system brings new roles and responsibilities for the employees which they may not be able to accept readily. End users don’t want change in the system since they are accustomed to the old system. Therefore training of employees is also required together with ERP implementation.
6) Distributed computing experience: Inexperience with implementing and managing distributed computing technology may pose significant challenges.
7) Broad system access: Increased remote access by users and outsiders and high integration among application functions allow increased access to applications and data.
8) Dependency on external assistance: Using ERP software creates external dependency on the ERP vendor and the implementing consultant. This results in new risks for the organization.
9) Program interface and data conversion: Data migration from the old system to the new system is again a big issue to deal with during ERP implementation. The program interface between existing software and the new ERP is also to be considered.
10) Audit expertise: Specialist expertise is required to effectively audit and control an ERP environment.
11) Single sign-on: It reduces the security administration effort associated with administering web-based access to multiple systems, but simultaneously introduces additional risk, since incorrect access may result in inappropriate access to multiple systems.
12) Data content quality: As enterprise applications are opened to external suppliers and customers, the need for integrity in enterprise data becomes very important.
13) Privacy and confidentiality: Since ERP has external connectivity there is a risk of disclosure of personal information to unauthorized persons.

Why do ERP projects fail?
1) Lack of education of end-users about what the new 'system' is designed to achieve
2) Lack of top management commitment, i.e. management being involved but not dedicated
3) Inadequate requirements definition, i.e. current processes are not adequately addressed
4) Poor ERP package selection which does not address the basic business functions
5) Inadequate resources employed by the organization
6) Internal resistance to changing the old processes
7) A poor fit between the software and user procedures
8) Unrealistic expectations of the benefits and the ROI
9) Inadequate training: users do not properly know how to use the new tool
10) Unrealistic time frame expectations

◙ How does ERP fit with e-commerce?
- During the early development phase of ERP it was confined to internal users only. But as interconnectivity increased there was a need to integrate ERP with external users also, like vendors and customers, so that they can directly connect with the organization through the e-commerce channel.
- The end-user inside the organization was accustomed to the complex menus of the ERP, but for the external user it was difficult to understand the menu options available in the ERP.
- To overcome this problem the ERP vendors developed simple web-applications for the ERP which customers and vendors can use for conducting e-commerce transactions like order booking, tracking their orders, making payments etc.


◙ Life after implementation:
- For efficient and effective ERP performance it is necessary to have a sound implementation methodology in place. If the implementation has been done in a systematic manner then there is a greater probability of effective ERP performance.
- User training and awareness is also an important factor in the success of ERP.
- The organization should make a list of critical success factors (CSF) and their corresponding key performance indicators (KPI). KPIs measure the performance of CSFs. CSFs are those factors which are very important for the success of the organization. For example, some CSFs can be:
  • Product delivery time
  • Service delivery time
  • Transaction processing time
  • Quality of product
  • Energy efficient products
  • Low product cost
  ERP helps an organization to work towards improving its KPIs for the various CSFs.

Some specific tasks to be done after implementing ERP are:
1) Develop new job descriptions and organizational structure to suit the new ERP system
2) Determine the skill gap between the existing jobs and the new jobs
3) Assess training requirements and conduct such training
4) Develop new HR, finance and operations policies as required by the ERP.

Post implementation problems in ERP which need some correction:
1) Ever changing business environment requires reconfiguration of the ERP
2) Change in business process requires change in ERP configuration.
3) Change in technology requires change in ERP infrastructure.
4) New additions to the business may require extra functionality in the ERP

◙ Sample list of ERP vendors:
1) Baan Corporation – Baan:
  • Used by the major aircraft company ‘Boeing’.
  • Suitable for all manufacturing companies.
  • Broad functional scope.
  • Tools for business process analysis.
2) Business Planning and Control System (BPCS):
  • Developed by SSA Global Technologies
  • Targets manufacturing companies
  • Good for Kanban (JIT) manufacturing
  • Problem of slow development schedule
3) Marcam Corporation – Mapics XA:
  • 40 modules with good functionality
  • Robust and easy to implement
  • Value for money
4) MFG Pro (QAD):
  • Originally designed for MRP II
  • Reliable manufacturing functionality
  • Simple implementation
5) Oracle Applications (Oracle Corporation):
  • Internet-enabled computing
  • One-stop-shop, i.e. it offers database, tools, applications and implementation
  • Can run on a wide range of hardware
6) Marcam Corporation – Prism:
  • Specialist ERP for process manufacturing solutions
  • Operates on the IBM AS/400 platform
  • Outdated now
7) R/3 SAP:
  • Market leader
  • Matching business processes to modules
  • Offers a wide range of functions
  • It is complex
8) System 21 (JBA):
  • Less expensive
  • Does not offer leading-edge technology
  • Reliable for manufacturing solutions

◙ ERP software package – SAP:
- SAP stands for Systems, Applications and Products.
- SAP is an ERP application software developed by SAP AG, Germany.
- The SAP application provides support for more than 25 industries with industry-specific features that enable organizations to leverage industry-wide best practices.

SAP R/3 (12 Major modules):
1) Finance (Financial Accounting)
2) Controlling
3) Investment Management
4) Treasury
5) Enterprise Controlling
6) Product Data Management (PDM)
7) Sales and Distribution
8) Production Planning
9) Material Management
10) Human Resource Management
11) Payroll Accounting
12) Internet and Intranet

1) Finance (Financial Accounting)
- General Ledger
- Accounts Receivable
- Accounts Payable
- Fixed Assets Accounting

2) Controlling
- Overhead Cost Control
- Cost Centre Accounting
- Activity Based Costing
- Product Cost Control
- Cost Object Controlling
- Profitability Analysis

3) Investment Management
- Corporate wide budgeting
- Appropriation requests
- Automatic settlement to fixed assets
- Depreciation forecast

4) Treasury
- Cash Management
- Market Risk Management
- Funds Management

5) Enterprise Controlling (Holding Subsidiary Accounting)
- EC-CS (Consolidations)
- EC-PCA (Profit Center Accounting)
- EC-EIS (Executive Information System)

6) Product Data Management (PDM)
- Product data management is part of product life cycle management, and is primarily used by engineers
- Keeps track of all master data related to a product (e.g. Part number, Part description, Supplier/vendor, Vendor part number and description, Unit of measure, Cost/price, Schematic or CAD drawing, Material data sheets etc.)
- Supports Document Management System
- Quickly gives product structure information
- BOM (Bill of Material) Management

7) Sales and Distribution
- Shipping Management System (Picking, Packing, Loading and Delivery)
- Transport Module
- Foreign Trade Processing
- Billing
- Sales Information System

8) Production Planning
- Sales and Operations Planning
- Production Control Module
- Quality Management
- Project System
- Project Information System

9) Material Management
- Purchasing
- Inventory Management
- Warehouse Management
- Invoice Verification
- Inventory Control using Purchase Information System
- Quality Management
- Plant Maintenance
- Service Management

10) Human Resource Management
- Personnel Administration
- Employee master data
- Recruitment management
- Selection and hiring
- Travel management
- Benefits administration
- Personnel cost planning

11) Payroll Accounting
- Payroll processing
- Integration
- Global solutions
- Time management
- Time management review
- Shift planning
- Qualification matching with available positions
- Training

12) Internet and Intranet
- This allows SAP to be accessed over the internet

◙ Case study:
1) Videocon: See module
2) Airtouch cellular: See module


Previous examination questions

Exam       Marks
Nov 2012   10
May 2012   12
Nov 2011   5
May 2011   9
Nov 2010   12
May 2010   15
Nov 2009   15
June 2009  20
May 2008   10

Nov 2012: (6 Marks) Q: Any system has to possess a few key characteristics to qualify as a true ERP solution. What are they?

Nov 2012: (4 Marks) Q: Short note – Business Engineering

May 2012: (6 Marks) Q: What are the guidelines to be followed before starting the implementation of an ERP package?

May 2012: (6 Marks) Q: List any six ERP vendors and describe the ERP packages offered by them.

Nov 2011: (5 Marks) Q: (Case Study) Will you suggest an ERP solution to overcome the problems? If yes, explain why.

May 2011: (5 Marks) Q: What are the business risks that an organization faces when migrating to a real time integrated ERP system?

May 2011: (4 Marks) Q: What are the tasks for which the company should be ready in the post implementation period of an ERP system?

Nov 2010: (4 Marks) Q: You are entrusted with the duty of implementing an ERP in your office. You have taken care of all the preparations during the implementation. However, during post implementation, there will be a need for course correction many a time. What can be the reasons for them?

Nov 2010: (4 Marks) Q: Why does an organization implement an ERP package and evaluate the various available ERP packages for assessing suitability? Mention the various evaluation criteria that are required to assess the suitability of an ERP package on implementation.

Nov 2010: (4 Marks) Q: Short note on “Business Engineering”

May 2010: (10 Marks) Q: How will you get over the impediments for the successful implementation of ERP? Mention any five.
Ans hint: Guidelines for successful ERP implementation:
1) Understanding the business needs and culture of the organization and matching the implementation with these factors.
2) Doing BPR and gap analysis before implementing ERP.
3) Establishing a good communication network across the organization.
4) Motivating employees to accept the new ERP system so that problems of internal resistance and non-cooperation from employees do not arise later on.
5) Creating a balanced team for implementation consisting of software personnel and business managers so as to ensure perfection, accountability and transparency.
6) Training end users for the new system.

May 2010: (5 Marks) Q: If you are the CEO of a company, what factors would be considered before undertaking implementation of an ERP system?

Nov 2009: (5 Marks) Q: ABC Limited has recently migrated to a real-time Integrated ERP System. As an IS Auditor, advise the company as to what kinds of business risks it can face.


June 2009: (20 Marks) Q: (Case study) XYZ Company, engaged in the manufacturing of several types of electronic goods, is having its branches all over the World. The company wishes to centralize and consolidate the information flowing from its branches in a uniform manner across various levels of the Organization. The factories are already working on legacy systems using an intranet and collating information. But each factory and branch is using different software and varied platforms, which do not communicate with each other. This not only results in a huge inflow of data which could not be consolidated for analysis but also the duplication of data. Even one percent change in any data entry or analysis translates into millions of Rupees and can sometimes wipe out the profits of the organization. So the company needs a system that would help them to be responsive and act fast.

Read the above carefully and answer the following with justifications:
(a) What are the problems that the company is facing now?
(b) Should the company go for an ERP solution? If yes, will the company be able to share a common platform with its dealers to access servers and database to update the information on issues of mutual interest?
(c) For the selection of an ERP package, state the issues to be considered.
(d) Suggest how to go about the implementation of the ERP package. (5+5+5+5)

Ans hint:
(a) XYZ company, having its branches all over the world, is engaged in manufacturing of several types of electronic goods. The company is facing the following problems:
• It is confronted with the problem of centralizing and consolidating the information flowing in from its various branches in a uniform manner across various levels of the organization.
• The factories are working on legacy systems using an intranet and collating information. As each factory is using a different type of software on varied platforms, they are not able to communicate with each other.
• There is a huge inflow of data which could not be consolidated for analysis.
• Lack of communication among factories has resulted in duplication of data entry, which is not only costly; a slight change in data entry and analysis may translate into millions of rupees that can sometimes wipe out the profits of the organization.
Hence, there is an urgent need of a system that would help the branches to be responsive and to act fast.

(b) Yes, the company should go for an ERP solution. ERP will give the following benefits:
• ERP implementation brings different business functions, personalities, procedures, ideologies and philosophies on one platform, with an aim to pool the knowledge base to effectively integrate and bring worthwhile and beneficial changes throughout the organization.
• Some of the major features of ERP are that it provides support for multi platform, multi facility, multi mode, multi currency and multi lingual facilities.
• It supports strategic and business planning activities, operational planning and execution activities.
• All these functions are effectively integrated for flow and updation of information immediately upon entry of any information, thereby providing a company-wide Integrated Information System.
In case the company decides to include a module for dealers which provides limited/restricted access to company databases and servers, dealers will be able to update the information relating to issues of mutual interest.

Nov 2008: (10 Marks) Q: Briefly explain Enterprise Resource Planning (ERP) and describe five of its characteristics.


CHAPTER 8 INFORMATION SYSTEMS AUDITING STANDARDS, GUIDELINES, BEST PRACTICES

◙ IS audit standards: IS audit standards provide audit professionals a clear idea of the minimum level of acceptable performance essential to discharge their responsibilities effectively. Some of the IS audit standards are:
• ISO 27001
• CMM
• COBIT 4.1
• COSO
• COCO
• ITIL
• Systrust / Webtrust
• HIPAA
• SAS 70

The common features of IT standards are:
1. Every organization that uses IT uses a set of controls
2. The choice of controls depends upon business objectives, budgets and organizational culture
3. Control objectives are the same for every organization; the actual controls can differ
4. Organizations can use the same control framework to meet constant control objectives

◙ Standards on Auditing issued by ICAI:
1. SA 315: Identifying and assessing the risk of material misstatement through understanding the entity and its environment
2. SA 330: The auditor’s response to assessed risks

ISO 27001 - Information Security Management Standard:
- ISO 27001 is the international best practice and standard for an Information Security Management System (ISMS).
- An ISMS is a systematic approach to managing confidential or sensitive information so that it remains secure. It covers people, processes and IT systems.
- ISO 27001 defines how to organise information security in any kind of organization, profit or non-profit, private or state-owned, small or large.
- An organization can get ISO 27001 certified if it complies with this standard.
- ISO 27001 is divided into two parts:
  I. Four phases of ISMS
  II. Ten focus areas of ISMS


Four phases of ISMS: ISO 27001 prescribes "how to manage information security through a system of information security management". Such a management system consists of four phases, Plan → Do → Check → Act, that should be applied continuously in order to minimize risk to the information system.

1. Plan Phase – This phase serves to plan the basic organization of information security, set objectives for information security and choose the appropriate security controls (Annex A of the 2005 edition of the standard contains a catalogue of 133 possible controls). The Plan phase consists of the following steps:
- Determining the scope of the ISMS
- Writing an ISMS policy
- Risk assessment: identification of assets, vulnerabilities and threats, and evaluating the size of each risk
- Identification and assessment of risk treatment options
- Selection of controls for risk treatment
- Obtaining management approval for residual risks
- Obtaining management approval for implementation of the ISMS
- Writing a Statement of Applicability (which catalogue controls apply and why, and why the rest are excluded)

2. Do Phase – This phase includes carrying out everything that was planned during the previous phase. It consists of the following activities:
- Writing a risk treatment plan, which describes who, how, when and with what budget the applicable controls should be implemented
- Implementing the risk treatment plan
- Implementing the applicable security controls
- Determining how to measure the effectiveness of controls
- Carrying out awareness programmes and training of employees
- Managing the normal operation of the ISMS
- Managing ISMS resources
- Implementing procedures for detecting and managing security incidents

3. Check Phase – The purpose of this phase is to monitor the functioning of the ISMS and check whether the results meet the set objectives. It includes the following:
- Implementing procedures for monitoring and reviewing the security activities
- Regular reviews of the effectiveness of the ISMS
- Measuring the effectiveness of controls
- Reviewing the risk assessment at regular intervals
- Internal audits at planned intervals
- Management reviews of the ISMS
- Updating security plans
- Keeping records of activities and incidents relating to the ISMS

4. Act Phase – The purpose of this phase is to improve everything that was identified as non-compliant in the previous phase. It includes the following:
- Implementing the identified improvements in the ISMS
- Taking corrective and preventive action
- Communicating activities and improvements to all stakeholders
- Ensuring that the improvements achieve the desired objectives
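The Plan-phase steps above are abstract, so here is an added worked example (written for this chapter; it is not code from ISO 27001 or from the original page) that walks one small scope through them: assets with confidentiality/integrity/availability requirements, a risk score of likelihood × impact, a risk acceptance threshold, selection of the cheapest control that brings a risk under the threshold, the residual risks that still need management approval, and a Statement of Applicability covering every catalogue control. The 1-5 scoring scale, the threshold of 6, the control references CTRL-01 to CTRL-04, and the assets, threats and vulnerabilities are all assumptions made for the illustration.

```python
# Added illustration of the ISO 27001 Plan phase: risk assessment, risk treatment,
# residual risk and Statement of Applicability. Example code for this chapter, not
# an artefact of the standard; scale, threshold, catalogue and assets are constructed.
from dataclasses import dataclass
from typing import Dict, List

RISK_ACCEPTANCE_THRESHOLD = 6   # assumed: management accepts any risk scoring <= 6


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    confidentiality: int    # CIA requirements on a 1-5 scale, as an asset register records them
    integrity: int
    availability: int

    @property
    def impact(self) -> int:
        # Assumed rule: the impact of a compromise is the asset's highest CIA requirement.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Control:
    ref: str                # hypothetical catalogue reference, not an ISO control number
    name: str
    treats: str             # the threat this control reduces
    likelihood_after: int   # assumed likelihood (1-5) remaining once the control is in place
    cost: int               # assumed relative cost, used to prefer the cheapest adequate control


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int         # 1-5, before any treatment

    @property
    def inherent(self) -> int:
        return self.likelihood * self.asset.impact   # size of the risk (assumed scoring rule)


# Constructed sample data: three register entries, four assessed risks, four catalogue controls.
CUSTOMER_DB = Asset("customer_db", "DBA lead", 5, 4, 3)
WEBSITE = Asset("public_website", "Web team", 1, 3, 4)
HR_RECORDS = Asset("hr_records", "HR manager", 4, 3, 2)

RISKS = [
    Risk(CUSTOMER_DB, "unauthorised access", "shared admin password", 4),   # 4 x 5 = 20
    Risk(WEBSITE, "defacement", "unpatched CMS", 3),                          # 3 x 4 = 12
    Risk(HR_RECORDS, "media loss", "unencrypted backup tapes", 1),            # 1 x 4 = 4
    Risk(WEBSITE, "denial of service", "single upstream ISP", 3),             # 3 x 4 = 12
]

CATALOGUE = [
    Control("CTRL-01", "multi-factor authentication for administrators", "unauthorised access", 1, 3),
    Control("CTRL-02", "periodic password rotation", "unauthorised access", 2, 1),
    Control("CTRL-03", "patch management process", "defacement", 1, 2),
    Control("CTRL-04", "backup media encryption", "media loss", 1, 1),
]


def treat_risk(risk: Risk, catalogue: List[Control]) -> dict:
    """Decide the treatment for one risk: accept, mitigate, or escalate for management approval."""
    if risk.inherent <= RISK_ACCEPTANCE_THRESHOLD:
        return {"risk": risk, "option": "accept", "control": None, "residual": risk.inherent}
    candidates = [c for c in catalogue if c.treats == risk.threat]
    adequate = [c for c in candidates
                if c.likelihood_after * risk.asset.impact <= RISK_ACCEPTANCE_THRESHOLD]
    if adequate:
        best = min(adequate, key=lambda c: c.cost)   # cheapest control that reaches the threshold
        return {"risk": risk, "option": "mitigate", "control": best,
                "residual": best.likelihood_after * risk.asset.impact}
    if candidates:
        # Something helps but not enough: apply the strongest control and escalate the residual.
        best = min(candidates, key=lambda c: c.likelihood_after)
        return {"risk": risk, "option": "mitigate and escalate", "control": best,
                "residual": best.likelihood_after * risk.asset.impact}
    # No catalogue control addresses this threat: the residual risk needs explicit management approval.
    return {"risk": risk, "option": "escalate", "control": None, "residual": risk.inherent}


def build_plan(risks: List[Risk] = RISKS, catalogue: List[Control] = CATALOGUE) -> List[dict]:
    """Risk treatment plan: one decision per assessed risk, highest inherent risk first."""
    return [treat_risk(r, catalogue) for r in sorted(risks, key=lambda r: -r.inherent)]


def statement_of_applicability(plan: List[dict], catalogue: List[Control] = CATALOGUE) -> Dict[str, str]:
    """For every catalogue control, record whether it is applicable and the justification."""
    uses: Dict[str, List[str]] = {}
    for p in plan:
        if p["control"] is not None:
            uses.setdefault(p["control"].ref, []).append(f"{p['risk'].threat} on {p['risk'].asset.name}")
    return {c.ref: ("applicable: treats " + "; ".join(uses[c.ref])) if c.ref in uses
            else "not applicable: no assessed risk requires it"
            for c in catalogue}


def residual_risks_for_approval(plan: List[dict]) -> List[dict]:
    """Residual risks still above the threshold; management must approve these before implementation."""
    return [p for p in plan if p["residual"] > RISK_ACCEPTANCE_THRESHOLD]


if __name__ == "__main__":
    plan = build_plan()
    for p in plan:
        ctrl = p["control"].ref if p["control"] else "-"
        print(f"{p['risk'].asset.name:15} {p['risk'].threat:20} inherent={p['risk'].inherent:2} "
              f"option={p['option']:22} control={ctrl:8} residual={p['residual']}")
    for ref, verdict in statement_of_applicability(plan).items():
        print(ref, verdict)
```

Running it shows the three outcomes the Plan phase must document: two risks mitigated to a residual score of 5 and 4, the backup-tape risk accepted because it already sits under the threshold, and the denial-of-service risk escalated because no catalogue control treats it. CTRL-02 and CTRL-04 appear in the Statement of Applicability as not applicable with a stated reason, which is exactly the justification an auditor asks for.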


Ten areas of focus of ISMS (the control areas of ISO 27002 / BS 7799 Part I):
1. Security policy
2. Organizational security
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Systems development and maintenance
9. Business continuity management
10. Compliance

1. Security policy: Developing a security policy is an extremely important task and should convey the total commitment of top management. The policy should not be a theoretical exercise but should reflect the needs of actual users. It should be easy to implement and understand, and must balance the level of protection with productivity. The policy should cover:
(i) Definition of information security
(ii) A statement of management intention supporting the policy
(iii) Allocation of responsibility for policy implementation
(iv) An explanation of security standards and compliance requirements
(v) A well defined review process for maintaining the policy document
(vi) Means of assessing the effectiveness of the policy (cost / technological changes)
(vii) Nominating a policy owner

2. Organizational security: This section facilitates information security management and explains how the organization manages information security. Control objectives are:
(i) Information security infrastructure: The management framework and infrastructure to manage information security within the organization.
(ii) Security of third-party access: To maintain the security of organizational information processing facilities and information assets which are accessed by third parties such as vendors and customers.
(iii) Outsourcing: To maintain the security of information when the responsibility for information processing has been outsourced to another (e.g. BPO) organization.

3. Asset classification and control: This section treats information and information processing equipment as valuable assets to be managed and accounted for properly. Control objectives are:
(i) Accountability for assets: To maintain appropriate protection of organizational assets by setting ownership and accountability for each asset. Focus areas can be:
 - Inventory of assets
 - Ownership of assets
 - Acceptable use of assets
(ii) Information classification: To ensure that information assets receive an appropriate level of protection through classification of each piece of information/report generated, received or processed in the organization. Focus areas can be:
 - Classification guidelines
 - Information labeling and handling


Information Asset Register (IAR): An IAR should be created detailing every information asset within the organization, for example:
- Databases
- Personnel records
- Scale models
- Prototypes
- Test samples
- Contracts
- Software licenses
- Publicity material
The IAR should also describe who is responsible for each information asset and whether there is any special requirement for confidentiality, integrity or availability. For administrative convenience, separate registers may be maintained under the subject head of the IAR, e.g. media register, contract register etc.

4. Personnel security: This section deals with minimizing the risks of human error, theft, fraud or the abusive use of equipment. Personnel issues such as training, responsibilities, selection procedures, and how staff respond to security incidents are covered here. Control objectives are:
(i) Security in job definition and resourcing of employees, e.g.
 - Employee selection and screening
 - Terms and conditions of employment
 - Roles and responsibilities of employees
(ii) User training.
(iii) Responding to security incidents and malfunctions.

5. Physical and environmental security: This section deals with the physical aspects of security, including protection of equipment and information from physical harm, as well as physical control of access to information and equipment. Control objectives are:
(i) Secure areas: To prevent unauthorized physical access
(ii) Equipment security: To prevent loss, damage and interruption to business activities
(iii) General controls: To prevent compromise or theft of information/assets

6. Communications and operations management: This section ensures correct management and secure operation of information processing facilities during day-to-day activities. Control objectives are:
(i) Operational procedures and responsibilities, e.g.
 - Documented operating procedures
 - Change management
 - Segregation of duties
 - Separation of development and operations environments
(ii) System planning and acceptance, e.g.
 - Capacity management
 - System acceptance
(iii) Protection against malicious software.
(iv) Housekeeping, e.g.
 - Backup
 - Operator logs
 - Fault logs
(v) Network management.
(vi) Media handling and security, e.g.
 - Management of removable media
 - Disposal of media
(vii) Exchanges of information and software, e.g.
 - Information exchange policies and procedures
 - Exchange agreements
 - Control over physical media in transit


7. Access control: This section deals with control of access to information and systems on the basis of business and security needs. Control objectives are:
(i) Business requirement for access control.
(ii) User access management.
(iii) User responsibilities.
(iv) Network access control.
(v) Operating system access control.
(vi) Application access control.
(vii) Monitoring system access and use.
(viii) Mobile computing and teleworking.

8. Systems development and maintenance: This section deals with the design and maintenance of systems so that they are secure and maintain data integrity. Control objectives are:
(i) Security requirements of systems.
(ii) Security in application systems.
(iii) Cryptographic controls.
(iv) Security of system files.
(v) Security in development and support processes.

9. Business continuity management: This section covers the maintenance of essential business activities during adverse conditions, from coping with major disasters to minor local issues. Control objective is:
(i) Business continuity management process: BCP/DRP plans

10. Compliance: This section covers business compliance with relevant national and international laws, professional standards and any processes mandated by the Information Security Management System (ISMS). Control objectives are:
(i) Compliance with legal requirements.
(ii) Reviews of security policy and technical compliance.
(iii) System audit considerations.
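As an added example for areas 6 and 7 above (segregation of duties, separation of development and operations, user access management, monitoring system access and use), the script below runs the checks a periodic user access review typically makes over a constructed extract of an identity system: toxic role combinations, accounts belonging to people on the HR leavers list that were never disabled, and privileged access whose re-certification is overdue. It is illustration code written for this chapter, not part of ISO 27001/27002 or of the original page; the role names, the conflict matrix, the 90-day re-certification period and the accounts and leavers list are all assumptions.

```python
# Added example for the access-control and operations-management areas: a user
# access review with segregation-of-duties checks. Illustration code for this
# chapter, not part of ISO 27001/27002; all roles, accounts and policies are constructed.
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# Constructed segregation-of-duties matrix: pairs of roles one person must never hold together.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"developer", "prod-deploy"}),   # separation of development and operations
    frozenset({"developer", "dba"}),           # developers must not administer production data
    frozenset({"ap-clerk", "ap-approver"}),    # nobody both raises and approves a payment
}
PRIVILEGED_ROLES = {"dba", "prod-deploy"}
MAX_REVIEW_AGE_DAYS = 90   # assumed policy: privileged access is re-certified quarterly

# Constructed extract of the identity system: roles, status and days since the last access review.
ACCOUNTS: Dict[str, dict] = {
    "asha":  {"roles": ["developer", "prod-deploy"], "status": "active", "last_reviewed_days_ago": 30},
    "bob":   {"roles": ["ap-clerk", "ap-approver"],  "status": "active", "last_reviewed_days_ago": 200},
    "carol": {"roles": ["dba"],                      "status": "active", "last_reviewed_days_ago": 120},
    "dan":   {"roles": ["helpdesk"],                 "status": "active", "last_reviewed_days_ago": 400},
    "eve":   {"roles": ["developer"],                "status": "disabled", "last_reviewed_days_ago": 10},
}
# Constructed HR leavers list; access for these people should already have been revoked.
LEAVERS: Set[str] = {"carol", "eve"}


def review_access(accounts: Dict[str, dict], leavers: Set[str]) -> List[dict]:
    """Run the three checks an access review needs and return one finding per exception."""
    findings: List[dict] = []
    for user, acct in sorted(accounts.items()):
        roles = set(acct["roles"])
        # 1. Leavers whose accounts were never disabled (orphaned accounts).
        if user in leavers and acct["status"] == "active":
            findings.append({"user": user, "issue": "orphaned-account",
                             "detail": "on HR leavers list but account still active"})
        # 2. Toxic role combinations from the segregation-of-duties matrix.
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                findings.append({"user": user, "issue": "sod-conflict", "detail": f"{a} + {b}"})
        # 3. Privileged access whose periodic re-certification is overdue.
        if roles & PRIVILEGED_ROLES and acct["last_reviewed_days_ago"] > MAX_REVIEW_AGE_DAYS:
            findings.append({"user": user, "issue": "stale-review",
                             "detail": f"privileged roles {sorted(roles & PRIVILEGED_ROLES)} "
                                       f"last reviewed {acct['last_reviewed_days_ago']} days ago"})
    return findings


def summarise(findings: List[dict]) -> Dict[str, int]:
    """Count findings per issue type, the figure an audit report usually leads with."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(ACCOUNTS, LEAVERS):
        print(f"{f['user']:6} {f['issue']:17} {f['detail']}")
    print(summarise(review_access(ACCOUNTS, LEAVERS)))
```

Note that the matrix is declared as unordered pairs, so the check does not depend on which role was granted first, and that "dan" produces no finding even though his review is 400 days old: the stale-review rule is deliberately scoped to privileged roles, which is a policy choice the review should make explicit rather than leave to the script.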

◙ CMM – Capability Maturity Model:
- The Capability Maturity Model (CMM) is a widely accepted set of guidelines for software developing organizations, developed by the Software Engineering Institute (SEI) of Carnegie Mellon University, US.
- The CMM is a framework representing a path of improvements recommended for software organizations that want to increase their software process capability.
- The CMM is a methodology used to develop and refine an organization's software development process. The quality of application software is directly related to the quality of the process used to develop it. CMM helps to build a sound development process, which results in high quality software.

Fundamental concepts underlying process maturity: A software process is the set of activities, methods and practices that people use to develop software. As an organization matures, the software process becomes better defined and more consistently implemented throughout the organization.
1) Software process capability: The range of expected results that can be achieved by following a software process.
2) Software process performance: The actual results achieved by following a software process.
3) Software process maturity: The extent to which a specific process is explicitly defined, managed, measured, controlled and effective.


Five levels of software process maturity:
Level 1 – Initial:
- Processes are ad hoc and localized.
- Processes are disorganized and poorly controlled.
- Processes are not sufficiently defined and documented.
- Success depends on individual effort and may not be repeated.
- IT security considerations are ad hoc and localized.
- Little or no adherence to existing standards.
Level 2 – Repeatable:
- A stable environment is established.
- Basic project management techniques are established.
- Earlier successes can be repeated.
- Specific processes implemented by the projects may differ.
- Projects are tracked for cost and schedule.
Level 3 – Defined:
- The standard process for software development is documented.
- Processes are used to help the managers and development team members perform more effectively.
- An organization-wide training program is implemented to ensure that staff and managers have the knowledge and skills required to fulfill their assigned roles.
- Roles and responsibilities are clearly defined and understood.
- Project cost, schedule and requirements are under control, and product quality is tracked.
Level 4 – Managed:
- Quantitative goals are set for software products and processes.
- Productivity and quality are measured.
- Processes are well defined and consistently measured.
- Variation is reduced to an acceptable level.
- The organization can predict trends in process and product quality.
Level 5 – Optimizing:
- Focus on continuous process improvement.
- Improvement in products through innovation and use of advanced technology.
- Removal of inefficiencies.


◙ COBIT - Control Objectives for Information and related Technology:
- COBIT is an IT governance framework that allows managers to bridge the gap between control requirements, technical issues and business risks.
- COBIT enables clear policy development and good practice for IT control throughout the organization.
- COBIT emphasizes regulatory compliance and helps organizations increase the value attained from IT.
- COBIT is developed by the Information Systems Audit and Control Association (ISACA).
- Version covered here – COBIT 5 (released April 2012), the successor to COBIT 4.1.

Benefits of COBIT 5:
- Maintain high-quality information to support business decisions
- Achieve strategic goals and realize business benefits through the effective use of IT
- Achieve operational excellence through reliable, efficient application of technology
- Maintain IT-related risk at an acceptable level
- Optimize the cost of IT services and technology
- Support compliance with relevant laws, regulations, contractual agreements and policies

Integrating COBIT 5 with other frameworks: COBIT 5 is a comprehensive framework based on an overall enterprise view, and it is aligned with enterprise governance best practices and standards such as:
- GEIT (Governance of Enterprise IT)
- ITIL
- TOGAF (The Open Group Architecture Framework)
- ISO 27000 series
- ISO 38500
- Val IT
- Risk IT
Thus COBIT 5 acts as the single primary framework which serves as a consistent and integrated source of guidance in a non-technical common language. The framework can be aligned with:
- Enterprise policies, strategies, governance and business plans, and audit approaches
- The enterprise risk management framework
- Existing enterprise governance organisation, structures and processes

Customising COBIT as per need: COBIT 5 can be tailored to meet an enterprise's specific business model, technology environment, industry, location and corporate culture. Because of its open design, it can be applied to meet needs related to:
- Information security
- Risk management
- Governance and management of enterprise IT
- Assurance activities
- Legislative and regulatory compliance
- Financial processing or CSR reporting


Five principles of COBIT 5:

Principle 1: Meeting Stakeholder Needs
- Enterprises have to create value for their stakeholders by maintaining a balance between risk and benefit.
- COBIT 5 provides all of the required processes and other enablers to support business value creation through the use of IT.
- Every enterprise has different objectives; an enterprise can customise COBIT 5 to suit its own objectives.

Principle 2: Covering the Enterprise End-to-End
- COBIT 5 integrates governance of enterprise IT into enterprise governance. It covers all functions and processes within the enterprise.
- It considers all IT-related governance and management enablers to be enterprise-wide and end-to-end, i.e. inclusive of everything and everyone, internal and external, that is relevant to governance and management of enterprise information and related IT.
- (The original shows a figure of the end-to-end governance approach and the key components of a governance system at this point; it is not reproduced here.)

Principle 3: Applying a Single Integrated Framework
- There are many IT-related standards and best practices, each providing guidance on a subset of IT activities.
- COBIT 5 is a single and integrated framework because it aligns with other relevant standards and frameworks, and thus allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.

Principle 4: Enabling a Holistic Approach
- Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components.
- COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT.
- Enablers are broadly defined as anything that can help achieve the objectives of the enterprise.


Principle 5: Separating Governance from Management
- The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organisational structures and serve different purposes.
- Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritization and decision making; and monitors performance and compliance against the agreed-on direction and objectives. In most enterprises, overall governance is the responsibility of the board of directors under the leadership of the chairperson. Specific governance responsibilities may be delegated to special organizational structures at an appropriate level, particularly in larger, complex enterprises.
- Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. In most enterprises, management is the responsibility of the executive management under the leadership of the chief executive officer.

COBIT 5 Enablers: Enablers are factors that, individually and collectively, influence whether something will work, in this case governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e. higher-level IT-related goals define what the different enablers should achieve. The COBIT 5 framework describes seven categories of enablers:
1. Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
2. Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
3. Organizational structures are the key decision-making entities in an enterprise.
4. Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
5. Information is widespread throughout any organization and includes all information produced and used by the enterprise.
6. Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
7. People, skills and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions.

◙ COCO – Criteria of Control:
- CoCo was published in 1995 by the Canadian Institute of Chartered Accountants (CICA).
- The CoCo control criteria do not cover any aspect of information assurance as such, but are concerned with controls in general.
- CoCo is a superset of COSO, i.e. it is more general and wider in scope than COSO.

The CoCo model identifies three objectives:
1. Effectiveness and efficiency of operations
2. Reliability of internal and external reporting
3. Compliance with applicable laws and regulations and internal policies

The CoCo model recognizes four interrelated elements of internal control:
1. Purpose – The objectives to be achieved
2. Capability – Supported by capabilities such as information, resources, supplies and skills
3. Commitment – The organization needs a sense of commitment
4. Monitoring and learning – The organization must monitor controls in order to learn and improve


Four important concepts about "control" as per CoCo are as follows:
1. Control is effected by people throughout the organization, including the board of directors (or its equivalent), management and all other staff.
2. People who are accountable, as individuals or teams, for achieving objectives should also be accountable for the effectiveness of the control that supports achievement of those objectives.
3. Organizations are constantly interacting and adapting.
4. Control can be expected to provide only reasonable assurance, not absolute assurance.

◙ ITIL (Information Technology Infrastructure Library):
- ITIL is a set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of the business.
- ITIL describes procedures, tasks and checklists that any organization can use to establish a minimum level of competency in its IT services.
- Developed originally by the UK Government (its Central Computer and Telecommunications Agency, CCTA).
- ITIL consists of a set of five books, each covering a specific aspect of IT service management. Initially there were 30 books, which were consolidated to 8 books in version 2 and further reduced to 5 books in version 3:
 ITIL V1 – 30 books
 ITIL V2 – 8 books
 ITIL V3 – 5 books
ITIL V3 is a set of the following five publications:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation, and
5. Continual Service Improvement

1. Service Strategy:
- This book deals with the strategic management approach in respect of IT service management.
- It provides guidance on leveraging service management capabilities to effectively deliver value to customers and to illustrate value for service providers.
- It also provides guidance on the design, development and implementation of service management.
- It provides guidance on the principles behind the practice of service management, to aid the development of service management policies, guidelines and processes across the ITIL service lifecycle.
- Topics include the development of markets, internal and external; service assets; the service catalogue; implementation of strategy through the service lifecycle; setting objectives and expectations of performance towards serving customers and market spaces; and identifying, selecting and prioritizing opportunities.

2. Service Design:
- Service Design translates strategic plans and objectives into the designs and specifications for execution through service transition and operation.
- It provides guidance on combining infrastructure, applications, systems and processes, along with suppliers and partners, to present feasible service offerings.
- The Service Design volume provides guidance on the design and development of services. It includes design principles and methods for converting strategic objectives into portfolios of services and service assets.
- Service Design is not limited to new services; it includes the changes and improvements required to maintain or increase value to customers over the lifecycle of services, taking into account the continuity of services, conformance to standards and regulations, and achievement of service levels.

3. Service Transition:
- Service Transition provides guidance on taking a service design into implementation, ensuring that the service delivers the intended strategy and that it can be operated and maintained effectively.
- The Service Transition book provides guidance on the development and improvement of capabilities for moving new and changed services into operation.
- Guidance is provided on how the requirements of Service Strategy, encoded in Service Design, are effectively realized in Service Operation, whilst controlling the risks of failure and disruption.
- It combines the processes of release, programme and risk management and sets them in the practical context of service management.
- Service Transition provides guidance on managing the complexity of changes to services and service management processes, to prevent undesired consequences whilst allowing for innovation.
- It provides guidance on transferring the control of services between customers and service providers.

4. Service Operation:
- Service Operation provides guidance on the day-to-day management of IT services.
- It also provides guidance on supporting operations by means of new models and architectures such as shared services, utility computing, web services and mobile commerce.
- This volume presents practices in the management of service operations and includes guidance on achieving efficiency and effectiveness in the delivery and support of services, to ensure value for the customer and the service provider.
- Service operation ultimately fulfils the strategic objectives, which makes it a critical capability. Guidance is provided on techniques to maintain the stability of service operation whilst allowing for changes in design, scope, scale and service levels.
- Service Operation provides detailed guidelines on processes, methods and tools addressing both the proactive and the reactive control perspectives. Managers and practitioners are provided with knowledge enabling them to make better informed decisions in areas such as managing the availability of services, controlling demand, optimizing capacity utilization, scheduling of operations and fixing problems.

5. Continual Service Improvement:
- Continual Service Improvement provides guidance on the measurement of service performance through the service lifecycle, suggesting improvements to ensure that a service delivers the maximum benefit.
- This volume provides guidance on creating and maintaining value for customers through improved design, introduction and operation of services.
- It combines principles, practices and methods from change management, quality management and capability improvement to achieve incremental and significant improvements in service quality, operational efficiency and business continuity.
- It provides guidance on linking improvement efforts and outcomes with service strategy, design and transition, focusing on increasing efficiency, maximizing effectiveness and optimizing the cost of services and the underlying IT service management processes.


◙ Systrust and Webtrust:
- SysTrust and WebTrust are attestation services developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
- These certifications provide assurance about the effectiveness of a system's controls to third parties, i.e. customers, business partners or vendors.
- CPAs, Chartered Accountants and their equivalents worldwide are recognized as trusted, independent third parties who can evaluate the system and issue a SysTrust or WebTrust report.
- SysTrust certification is meant for any business system, whereas WebTrust certification is meant for e-commerce systems. A web site that has met the WebTrust principles and criteria is eligible to display the WebTrust seal on the site.

Control criteria of Trust Services: Trust Services are based on predefined principles and criteria, which have been developed specifically to address five key business needs:
1. Security: The system is protected against unauthorized access (both physical and logical).
2. Online privacy: Personal information obtained as a result of e-commerce is collected, used, disclosed and retained as committed or agreed.
3. Availability: The system is available for operation and use as committed or agreed.
4. Confidentiality: Information designated as confidential is protected as committed or agreed.
5. Processing integrity: System processing is complete, accurate, timely and authorized.
Each of the above principles is examined under four areas:
a) Policies: The entity has defined and documented its policies relevant to the particular principle.
b) Communications: The entity has communicated its defined policies to authorized users.
c) Procedures: The entity uses procedures to achieve its objectives in accordance with its defined policies.
d) Monitoring: The entity monitors the system and takes action to maintain compliance with its defined policies.

◙ HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. It has two main segments:
• Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
• Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for health care providers, health insurance plans and employers.

HIPAA Security Rule: The HIPAA Security Rule lays out three types of security safeguards required for compliance: administrative, physical and technical. For each of these safeguards, the Rule identifies various security standards and, for each standard, implementation specifications that are either required or addressable. Required specifications must be adopted and administered as dictated by the Rule.


The three types of security safeguards are:
a) Administrative Safeguards: Policies and procedures designed to clearly show how the entity will comply with the Act. They cover:
- Covered entities should have a documented privacy policy.
- A privacy officer should be appointed for developing and implementing the privacy policy.
- Authorization procedures to access protected health information (PHI) should be in place.
- Ongoing training regarding the handling of PHI.
- Covered entities that outsource their business processes to a third party must ensure that the vendor also has sufficient controls to comply with HIPAA requirements.
- Contingency plan.
- Internal audit.
b) Physical Safeguards: Controlling physical access to protect against inappropriate access to protected data. They cover:
- Physical protection of systems and of access to them.
- Control over the introduction and removal of hardware and software.
- Securing workstations; monitor screens should not be in direct view of the public.
- User training on their physical access responsibilities.
- Visitor sign-in and escorts.
- Control over the entry and exit of contractors or agents.
c) Technical Safeguards: Controlling access to computer systems and enabling covered entities to protect communications containing Protected Health Information (PHI) transmitted electronically over open networks from being intercepted or altered by anyone other than the intended recipient. They cover:
- Documentation control
- Access control
- Authorization control
- Protecting data integrity
- Protection from intrusion
- Data protection and encryption techniques, checksums and digital signatures
- Risk analysis and risk management programs

◙ SA 402:
- Issued by ICAI
- Audit considerations relating to an entity using a service organization
- Type I and Type II reports
- Effective from 1 April 2010
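The technical safeguards above list checksums and digital signatures among the ways to protect PHI in transit over open networks. The added example below (written for this chapter; it is not code from the HIPAA Security Rule or from the original page) shows why a plain checksum does not protect integrity against an interceptor, who can simply recompute it after tampering, and how a keyed HMAC closes that gap. The PHI record and the shared key are constructed, and the key is assumed to have been provisioned out of band between the covered entity and its business associate.

```python
# Added example for the HIPAA technical safeguards: integrity of a PHI record in
# transit, plain checksum versus keyed HMAC. Illustration code for this chapter, not
# from the Security Rule; the record and the key are constructed.
import hashlib
import hmac
import json

# Assumed: a symmetric key provisioned out of band between the covered entity and its vendor.
KEY = b"shared-key-for-illustration-only"

# Constructed PHI record as it might be sent to a claims-processing business associate.
RECORD = {"patient_id": "P-1001", "diagnosis": "J45.20", "prescribed": "salbutamol 100mcg"}


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so sender and receiver hash exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Plain SHA-256 checksum: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def verify_checksum(record: dict, digest: str) -> bool:
    return hmac.compare_digest(checksum(record), digest)


def mac(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256: detects deliberate tampering by anyone who lacks the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_mac(record: dict, tag: str, key: bytes) -> bool:
    # compare_digest runs in constant time so the check does not leak the tag byte by byte.
    return hmac.compare_digest(mac(record, key), tag)


def tamper(record: dict) -> dict:
    """What an interceptor on an open network might do: change the dosage."""
    changed = dict(record)
    changed["prescribed"] = "salbutamol 200mcg"
    return changed


def interceptor_beats_checksum() -> bool:
    """Interceptor alters the record and recomputes the checksum; the receiver accepts it."""
    forged = tamper(RECORD)
    return verify_checksum(forged, checksum(forged))


def interceptor_beats_mac() -> bool:
    """Interceptor alters the record but does not hold KEY; the receiver rejects the forged tag."""
    forged = tamper(RECORD)
    return verify_mac(forged, mac(forged, b"guessed-key"), KEY)


if __name__ == "__main__":
    tag = mac(RECORD, KEY)
    print("genuine record verifies:", verify_mac(RECORD, tag, KEY))
    print("tampered record, original tag:", verify_mac(tamper(RECORD), tag, KEY))
    print("checksum fooled by recompute:", interceptor_beats_checksum())
    print("HMAC fooled by recompute:", interceptor_beats_mac())
```

An HMAC proves integrity only to a party holding the key, and either party can produce a valid tag, so it gives no non-repudiation; that is what the digital signature the page lists adds (the sender signs with a private key and anyone can verify with the public key). Neither mechanism hides the record, so the PHI still needs encryption in transit for confidentiality.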


Previous examination questions

Exam       Marks
Nov 2012   10
May 2012   14
Nov 2011   4
May 2011   16
Nov 2010   12
May 2010   10
Nov 2009   5
June 2009  15
Nov 2008   10

Nov 2012: (6 Marks) Q: Access to information and business processes should be controlled on the basis of business and security requirements. In that case, what can be the detailed controls and objectives with respect to the Information Security Management Standard?
Nov 2012: (4 Marks) Q: Short notes – Domains of COBIT
May 2012: (6 Marks) Q: What is the IT Infrastructure Library? Discuss configuration management under the ITIL framework.
May 2012: (4 Marks) Q: What are the two types of Service Auditor's Report under SAS 70? Describe the content of each type of report.
May 2012: (4 Marks) Q: Short note – Software Process Maturity.
Nov 2011: (4 Marks) Q: Short note on HIPAA
May 2011: (4 Marks) Q: Why do you think a separate standard (SAS 70) is useful for auditing a service organization, especially with respect to examination of general controls over information technology and related processes?
May 2011: (8 Marks) Q: An organization is audited for the effective implementation of ISO 27001 (BS 7799 Part II) Information Security Management Standard. What are the factors verified under:
(i) Establishing Management Framework
(ii) Implementation
(iii) Documentation
May 2011: (4 Marks) Q: Short note – CMM
Nov 2010: (4 Marks) Q: What do you understand by Type I and Type II reports from a service auditor?
Nov 2010: (4 Marks) Q: How will you define a software process? What do you mean by its capability, performance and maturity?
Nov 2010: (4 Marks) Q: Write a short note on "SysTrust and WebTrust services"
May 2010: (5 Marks) Q: (Case Study) To achieve their objective, what are the points BS 7799 has to ensure?
May 2010: (5 Marks) Q: What is COBIT? Give three vantage points from which the issue of control can be addressed by this framework.
Nov 2009: (20 Marks) Q: (Case Study) Worldwide, a global telecom company, is serving more than 10 million customers in the area of communications through fixed land lines, mobiles, internet services, digital TV, satellite systems etc. The financial analysts of the company are located in different functional groups in six geographical regions. These analysts lack access to the same data, as well as timely access to information. Dated budget and actual numbers for each business unit reside in seven different systems, separating critical components of the Profit and Loss account and

CA Clues

Nikhil Gupta

inhibiting analyst’s ability to assess results. The problem gets further complicated as the field analysts are not able to go to one universal place to retrieve the data themselves and they have to rely upon the home office for the same. The objective of the company is to set some critical financial goals so that the company could remain competitive and increase market share. Read the above carefully and answer the following with justifications: (a) To overcome the problems which the financial analysts are facing, what kind of software the company should select? (10 Marks) (b) The company is advised that the adoption of BS7799 International Standard will help in overcoming the problems and achieving its goals. Discuss. (5 Marks) (c) How should the human resources be enriched for effective utilization of the proposed new systems and standards? (5 Marks) June 2009: (10 Marks) Q: When an organization is audited for the effective implementation of ISO 27001-(BS 7799: part II)-Information Security Management System, what are to be verified under. (iv) Establishing Management Framework (v) Implementation (vi) Documentation June 2009: (5 Marks) Q: Write short note on: Control Objectives for Information related Technology (COBIT) Nov 2008: (10 Marks) Q: What do you understand by Software Process Maturity? Discuss five levels of Software Process Maturity of Capability Maturity Model (CMM).

Logon to www.cafinal.com for exam oriented QRP (quick revision points) of this chapter

CHAPTER 9 DRAFTING OF I.S. SECURITY POLICY, AUDIT POLICY, I.S. AUDIT REPORTING – A PRACTICAL PERSPECTIVE

◙ Why is information system security important: As the use of information systems in business grows, so do the risks and threats associated with them. These risks have created a gap between the “required degree of protection” and the “actual degree of protection applied” to the information system. This gap is caused by the following factors:
• Widespread use of technology
• Interconnectivity of systems
• Elimination of distance, time and space as constraints
• Unevenness of technological changes
• Decentralization of management control
• New trend towards electronic attacks
• Weak legal and regulatory requirements

Threats to information systems may arise from:
• Technical reasons: program errors, bugs, crashes etc.
• Natural disasters: floods, earthquakes, thunderbolts etc.
• Environmental conditions: power failure, brown-outs, surges, pests etc.
• Human factors: negligence, lack of awareness, lack of training etc.
• Unauthorized access: hacking, intrusion, viruses, Trojan horses, worms etc.
• Business dependencies: loss of management control over outsourced activities.

◙ What is information system security?
• Information systems security relates to the protection of valuable information systems assets against loss, disclosure or damage.
• Security includes both physical security (doors, locks, fences, insurance etc.) and logical security (user IDs, passwords, firewalls etc.).

Security objective: The objective of information systems security is to protect the interests of the users of information systems, who rely on the information generated by those systems in some form or the other. This objective is met when the following three criteria relating to information are satisfied:
1. Confidentiality: Data and information are disclosed only to those who have the right to know them.
2. Integrity: Data and information are protected against unauthorized modification.
3. Availability: The information system is available and usable when required.

What information is sensitive? In any organization the following types of information are generally sensitive and need to be protected carefully:
• Strategic plans: Strategic plans are the company’s crucial plans which determine the organization’s competitive edge. If such information is somehow acquired by competitors, the organization can suffer heavy financial loss as well as loss of competitive edge. E.g. if the marketing strategy of a new product is disclosed early, other organizations can respond to it in a better manner.
• Business operations: Certain business processes and operations are proprietary in nature and are designed by the organization after doing much R & D on them. Such processes and operations should not be revealed to outsiders in any case; if they are disclosed, the company can lose its competitive edge. Similarly, a company’s list of customers and vendors and the prices charged to/by them is also critical information which needs to be protected.
• Finances: Precise financial information, like the specific salary structure of employees, is sensitive in nature, since if it is disclosed to competitors they can design a similar salary structure and the company can lose its cost advantage.

Establishing better information protection: As discussed above, a business has a large amount of sensitive information which needs to be protected. The following points need to be considered before designing an information protection mechanism:
(a) Not all data has the same value: All data and information should be classified according to its criticality, and security measures should then be designed accordingly. For example, information can be classified as follows:
   a) Top secret
   b) Highly confidential
   c) Proprietary
   d) Internal use only
   e) Public document
(b) Know where the critical data resides: In today’s world the information system is becoming ever wider and more complex, and networking has further increased the complexity of the systems environment. In such a case it is important to know exactly where the data resides so that different levels of protection can be applied to it.
(c) Develop an access control methodology: The organization has to develop an access control mechanism to protect its data. The access control should be wide enough to cover every terminal, network and server, including application software and systems software. For important data, access controls and the related logs should extend to file level.
(d) Protect information stored on media: Use of computer media like floppy disks, CDs and USB drives should be controlled, since any employee can use such media to copy and transfer sensitive data outside the organization. Also, when migrating from one system to another or while disposing of old systems, the status of hard drives should be checked and controlled.
(e) Review hardcopy output: The hardcopy (printouts) of employees’ routine work also needs to be reviewed and controlled. Generally the final form of any strategic plan is adequately protected, but the rough drafts are left unattended and dumped in dustbins. Wherever necessary, a paper shredder should be used to destroy such hardcopy of redundant working papers.

◙ Protecting computer-held information systems:
Basic rules for information protection:
Rule 1: We need to know what the information systems are and where they are located.
Rule 2: We need to know the value of the information held and how difficult it would be to recreate if it were damaged or lost.
Rule 3: We need to know who is authorized to access the information and what they are permitted to do with it.
Rule 4: We need to know how quickly the information needs to be made available again if it becomes unavailable for whatever reason.
There are two types of information protection that an organization can use:
I. Preventive information protection
II. Restorative information protection

I. Preventive information protection: In this type of protection, security controls are implemented to protect information against unauthorized access, modification or deletion. These controls are grouped as:
   o Physical controls: e.g. doors, locks, guards, CCTV, paper shredders, fire extinguishers
   o Logical controls: e.g. access control systems, user IDs, passwords, access control lists, account privileges
   o Administrative controls: e.g. security awareness, user account maintenance and revocation, security policies

II. Restorative information protection: Events that damage the information system will happen; therefore it is necessary to have an effective and timely information backup and recovery procedure. The main requirement of any restorative information protection plan is that information lost can be recovered. There should be a well documented backup policy, and backup procedures should be designed accordingly. The following factors need to be considered:
   o Have the recovery procedures been tested recently?
   o How long does it take to recover the destroyed data from the data backup? Is this time acceptable?
   o How much productivity is lost during the backup and restoration procedure? Is this within acceptable limits?

Holistic protection: (whole, complete, overall protection) Protection should be designed so that it gives the business an appropriate level of security at a cost acceptable to the business. One must plan for the unexpected, unknown and worst events to happen, and be able to recover from them immediately if they occur.

◙ Information security policy:
• The security policy is a set of laws, rules and practices that regulates how assets, including sensitive information, are managed, protected and distributed within the organization.
• An information security policy addresses many issues related to information, such as disclosure, integrity and availability.
• Issues related to access to information (who can access what information and in what manner), and also the roles and responsibilities of various stakeholders, are defined in the security policy.

Issues to be addressed in the information security policy:
i) A definition of information security, i.e. what is covered under information security.
ii) Why information security is important to the organization.
iii) Goals and principles of information security.
iv) Brief description of various information security standards.
v) Definition of all relevant information security responsibilities.
vi) Reference to any supporting documents or standards.

Auditor’s role regarding the information security policy:
• The auditor should ensure that the policy is readily accessible to all employees and that all employees are aware of its existence and understand its contents.
• The auditor should review the responsibilities of employees in relation to information security, and any declaration to the contrary, with care.
• The auditor should also ensure that the policy has an owner who is responsible for its maintenance and that it is updated as required.

Members of security policy: Security is an organization-wide concept and covers managerial, technological and legal aspects. The security policy comprises the following three groups within the organization:
I. Management experts: These are the members who have the budget and authority to evaluate various issues and decide on the economic feasibility of security policies and control measures.
II. Technical experts: These are the members who know the technical feasibility of security measures and controls.
III. Legal experts: These are the members who understand the legal consequences of various rules, contracts and service level agreements.

◙ Types of information security policies and their hierarchy: The hierarchy is headed by the information security policy, under which the following policies sit:
Information security policy
   − User security policy
   − Acceptable usage policy
   − Organizational information security policy
   − Information classification policy
   − Conditions of connection
   − Network & systems security policy

Following are some of the common information security policies and their hierarchical relationship:
1) Information security policy: It is a wide policy covering all broader aspects of information security in an organization. This policy provides a definition of information security, its overall objectives and its importance to all users.
2) User security policy: This policy sets out the responsibilities and requirements for all IT systems users. It provides security terms of reference for users, line managers and systems owners which they should follow in their day-to-day working.
3) Acceptable usage policy: This policy defines rules for the use of email and internet services by employees (e.g. games/songs should not be downloaded).
4) Organizational information security policy: This policy consists of a group of policies for the security of information assets and information systems in the whole organization. It is the main IT security policy covering all aspects of information security.
5) Network and systems security policy: This policy defines the rules for network and data communication and related security issues. It covers security over firewalls, IDS, VPN, VoIP, routers, switches, LAN/WAN links, etc.
6) Information classification policy: This policy defines the rules for classification of information. For example, information can be classified on the basis of some rules as follows:
   a. Top secret − Highly sensitive − Relating to strategic issues
   b. Highly confidential − Sensitive information − Cannot be made public or even shared within the organization unnecessarily
   c. Proprietary − Internal information about operations − Strictly for use by authorized employees of the organization
   d. Internal use only − Information not for general public circulation − If disclosed to the public it will not result in serious damage but can create difficulty for the management
   e. Public document − Information for the general public
7) Conditions of connection: This policy defines the rules and terms & conditions for giving outside entities like vendors and distributors access to the organization’s network.

Components/contents of security policy: A good security policy usually contains/covers:
(i) Purpose and scope of the policy and its audience.
(ii) Security organization structure.
(iii) Classification and inventory of information assets.
(iv) Systems development and maintenance controls.
(v) IT operations and communication management.
(vi) Identity management and access control.
(vii) Physical and environmental security.
(viii) Incident reporting mechanism.
(ix) Business continuity planning.
(x) Legal compliance.
(xi) Monitoring and auditing requirements.

Now let us discuss some of the components/contents of a security policy in detail.
1. Purpose and scope: Purpose defines what the organization is trying to achieve through the policy, and scope defines its applicability and audience. The primary objective of the policy is to ensure confidentiality, integrity and availability of information and systems. Further, the policy is designed to:
(a) Deny unauthorized access to any IT resource.
(b) Allow authorized users to access resources as per their access authorization.
(c) The scope also defines the period for which the policy will be applicable and to whom it will be applicable.

2. Security organization structure: The organizational structure of the IT department should be defined, and accordingly its responsibilities and lines of reporting should be defined. The following teams/groups are generally found in an IT department:
a) Group security officer (GSO): The GSO has overall responsibility for security within the group. This includes the security of all information assets and networks, and physical and personnel security.
b) Assistant group security officer (AGSO): The AGSO reports to the GSO and the Information Security Forum. He is responsible for the coordination of information security implementation and management across the group.
c) Information security forum (ISF): This forum is chaired by the GSO and includes senior representatives from each of the divisions within the group, together with the AGSO. The role of this forum is to ensure clear direction and visible management support for security initiatives within the organization.
   Diagram: Information security forum (ISF); Chairman: Group security officer (GSO); member: Assistant group security officer (AGSO)
d) Information security management group (ISMG): This cross-functional group is chaired by the AGSO and comprises a Divisional System Security Officer (DSSO) from each of the divisions within the group, together with the IT Security Officer (ITSO), the Personnel Security Officer (PSO) and the Facilities Management Security Officer (FMSO). Its role is to coordinate the implementation and management of information security controls across all of the divisions and sites.

   Diagram: Information security management group (ISMG); Chairman: Assistant group security officer (AGSO); members: Divisional System Security Officer (DSSO), IT Security Officer (ITSO), Personnel Security Officer (PSO), Facilities Management Security Officer (FMSO)

e) IT management: IT Management has overall responsibility for security of the IT infrastructure. This is discharged mainly through Installation Security Officers (ISOs) and the IT Security Officer (ITSO), who will report directly to the IS Service Manager.
f) IT security officer (ITSO): The IT Security Officer reports to the ISMG on IT security matters. The ITSO is responsible for managing IT security programs and IT security incidents. The ITSO will chair regular meetings of the ISOs.
g) Installation security officer (ISO): An ISO will be appointed for each IT environment (including Network and Desktop) from the IT Team Leaders. ISOs will be responsible for all security matters related to their system/installation and/or network and will meet regularly with the IT Security Officer.
h) Personnel security officer (PSO): The Personnel Security Officer (PSO) will report directly to Personnel Management and the ISMG on all security matters relating to personnel. The role involves ensuring the controls set out are implemented, adhered to and reviewed as necessary.
i) Facilities management security officer (FMSO): The Facilities Management Security Officer (FMSO) will report directly to Facilities Management on all security matters relating to personnel. The role involves ensuring the controls are implemented, adhered to and reviewed as necessary.
j) Divisional system security officer (DSSO): A System Security Officer (SSO) from each division will be appointed as a DSSO. The DSSO carries the same responsibilities as an SSO and in addition is responsible for representing the SSOs in their division at the ISMG and for communicating requirements and issues to/from this group.
k) Systems security officer (SSO): A senior user will be appointed to fulfil the role of System Security Officer (SSO) for each major application system or group of systems. SSO responsibilities focus on the business aspects of security, thus ensuring that the information security of the system meets all relevant business control objectives.
l) Systems owners: System Owners carry the overall responsibility for the information security of their own systems. Much of the day-to-day operational aspects of live systems may be delegated across a range of user-defined roles and technical roles, including their systems accreditation process. System Owners are responsible for the allocation of protective markings to their systems and data according to the Information Classification policy, and all staff are responsible for treating protectively marked material accordingly.
m) Line managers: All Line Managers with any responsibility for live or developing IT systems must take appropriate steps to ensure compliance with the aims and objectives of this policy. As part of this process they will ensure that all required security measures are understood and in force.
n) Users: All users of live IT systems are required to comply with the security procedures for their system and any applicable general IT security guidance.

3. Responsibility allocation: The responsibilities for the management of information security should be set out in this policy.
(i) An owner should be appointed for each information asset.
(ii) All staff should be aware of the need for information security and should be aware of their responsibilities.
(iii) All new network communications links must be approved before connecting them to the organization’s network.
(iv) A contact list of vendors/external agencies that may be required in the event of a security incident must be maintained.
(v) Risk assessments for all third party access to the information assets and the IT network must be carried out.
(vi) Access by third parties to the IT network and infrastructure must be strictly limited and controlled. There should be a Conditions of Connection agreement in place for all third party connections.
(vii) All outsourcing contracts must include detailed provisions for information security.

4. Asset classification and security classification:
(i) An inventory of assets must be maintained. This must include physical, software and information assets.
(ii) A formal, documented classification scheme (as set out in the Information Classification Policy) should be in place and all staff must comply with it.
(iii) The originator or ‘owner’ of an item of information (e.g. a document, file, diskette, printed report, screen display, e-mail, etc.) should provide a security classification, where appropriate.
(iv) The handling of information which is protectively marked as CONFIDENTIAL or RESTRICTED must be specifically approved.
(v) Exchanges of data and software between organizations must be controlled. Organizations to whom information is to be sent must be informed of the protective marking associated with that information, in order to establish that it will be handled by personnel with a suitable clearance corresponding to the protective marking.
(vi) Appropriate procedures for information labelling and handling must be agreed and put into practice.
(vii) Classified waste must be disposed of appropriately and securely.

5. Logical access control: In access control, the following points need to be taken into consideration:
(i) Access controls must be in place to prevent unauthorized access to information systems and computer applications.
(ii) Access must only be granted in response to a business requirement. Formal processes must be in place to provide individuals with access. The requirement for access must be reviewed regularly.
(iii) System Owners are responsible for approving access to systems and they must maintain records of who has access to a particular system and at what level. The actual access controls in place must be audited against this record on a regular basis.
(iv) Users should be granted access to systems only up to the level required to perform their normal business functions.
(v) The registration and de-registration of users must be formally managed.
(vi) Access rights must be deleted for individuals who leave or change jobs.
(vii) Each individual user of an information system or computer application will be provided with a unique user identifier (user id).
(viii) It should not be permitted for an individual to use another person’s user id.
(ix) PCs and terminals should never be left unattended while they are connected to applications or the network, since someone may use the equipment to access confidential information or make unauthorized changes.
(x) A password policy should be defined, specifying the structure of passwords and their duration. Passwords must be kept confidential and never disclosed to others.
(xi) Mobile computing: when using mobile computing facilities such as laptops, notebooks, etc., special care should be taken to ensure that business information is not compromised, particularly when the equipment is used in public places.
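The periodic check that points (ii), (iii) and (vi) above call for, as an added example that is not part of the original text: a Python script that reconciles the System Owner’s approved access register against the live access list and the personnel list, and reports unapproved access, access above the approved level, leavers who still hold access, unknown user ids and overdue access reviews. All records, field names and the read/write/admin scale are constructed assumptions.

```python
"""Reconcile live system access against the System Owner's approved register.

Added example; the records, field names and access levels are constructed
sample data, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import date

# Access levels ordered from least to most privileged (assumed scale).
LEVELS = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Approved:
    """One entry in the System Owner's access register."""
    user_id: str
    level: str
    approved_by: str   # System Owner who approved the access
    review_due: date   # policy: the requirement for access is reviewed regularly


@dataclass(frozen=True)
class Live:
    """One entry actually present in the system's access control list."""
    user_id: str
    level: str


@dataclass(frozen=True)
class Person:
    """Personnel record; active is False once the individual has left or changed job."""
    user_id: str
    active: bool


def reconcile(register, live, people, today):
    """Compare live access with the register and return (category, user_id, detail) findings."""
    findings = []
    reg = {a.user_id: a for a in register}
    act = {entry.user_id: entry for entry in live}
    staff = {p.user_id: p for p in people}

    for uid, entry in act.items():
        if uid not in reg:
            # Access exists but no formal approval recorded (policy point (ii)).
            findings.append(("UNAPPROVED", uid, f"live level {entry.level} has no register entry"))
        elif LEVELS[entry.level] > LEVELS[reg[uid].level]:
            # Live privilege exceeds what the System Owner approved (policy point (iv)).
            findings.append(("OVER_PRIVILEGED", uid, f"live {entry.level} exceeds approved {reg[uid].level}"))
        if uid not in staff:
            # An id that maps to no known person cannot be an individual's unique id (point (vii)).
            findings.append(("UNKNOWN_ID", uid, "user id not in personnel list"))
        elif not staff[uid].active:
            # Rights must be deleted for leavers and job changers (policy point (vi)).
            findings.append(("LEAVER", uid, "user has left or changed job but still has access"))

    for uid, approval in reg.items():
        if approval.review_due < today:
            findings.append(("REVIEW_OVERDUE", uid, f"review was due {approval.review_due}"))
        if uid not in act:
            # Approved but not provisioned: the register itself is out of date.
            findings.append(("STALE_REGISTER", uid, "approved but no live access"))
    return sorted(findings)


# Constructed sample data for a single application system.
TODAY = date(2013, 3, 31)
REGISTER = [
    Approved("asharma", "write", "owner01", date(2013, 6, 30)),
    Approved("bkhan", "read", "owner01", date(2013, 1, 15)),    # review overdue
    Approved("cmehta", "admin", "owner01", date(2013, 9, 30)),
    Approved("dgupta", "read", "owner01", date(2013, 9, 30)),   # never provisioned
]
LIVE = [
    Live("asharma", "admin"),   # approved for write only
    Live("bkhan", "read"),
    Live("cmehta", "admin"),    # cmehta has left (see PEOPLE)
    Live("ejoshi", "write"),    # no approval on record
    Live("svc_old", "read"),    # id not tied to any person
]
PEOPLE = [
    Person("asharma", True), Person("bkhan", True), Person("cmehta", False),
    Person("dgupta", True), Person("ejoshi", True),
]


def run_sample():
    """Run the reconciliation over the constructed data and return the findings."""
    return reconcile(REGISTER, LIVE, PEOPLE, TODAY)


if __name__ == "__main__":
    for category, uid, detail in run_sample():
        print(f"{category:16} {uid:10} {detail}")
```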

6. Incident handling: For incident handling, the following are the major points:
(i) Security incident reporting time and approach must be consistent at all times. Specific procedures must be introduced to ensure that incidents are recorded and any recurrence is analyzed to identify weaknesses or trends.
(ii) Procedures for the collection of evidence relating to security incidents should be standardized. All staff must be made aware of the process. Adequate records must be maintained and should be inspected to enable the investigation of security breaches or intensive attempts by third parties to identify security weaknesses.

7. Physical and environmental security: For the proper implementation of physical and environmental security, the following points need to be taken into account:
(i) Physical security should be maintained and checks must be performed to identify all vulnerable areas within each site.
(ii) The IT infrastructure must be physically protected.
(iii) Access to secure areas must remain limited to authorized staff only.
(iv) Confidential and sensitive information and valuable assets must always be securely locked away when not in use.
(v) Computers must never be left unattended while displaying confidential or sensitive information or while logged on to systems.
(vi) Supplies and equipment must be delivered and loaded in an isolated area to prevent any unauthorized access to key facilities.
(vii) Equipment, information or software must not be taken off-site without proper authorization.
(viii) Wherever practical, buildings housing computer equipment and data should be located away from, and protected against, threats of deliberate or accidental damage such as fire and natural disaster.
(ix) The location of the equipment/server rooms must not be obvious.

8. Business continuity management: In business continuity planning, the following points should be addressed:
(i) A Business Continuity Plan (BCP) must be maintained, tested and updated as necessary. All staff must be made aware of it.
(ii) A Business Continuity and Impact Assessment must be conducted annually.
(iii) Suppliers of network services must be contractually obliged to provide a predetermined minimum service level.

9. System development and maintenance control: These controls are given as follows:
(i) System developments or enhancements must have appropriate security controls included to safeguard their availability and ensure the integrity and confidentiality of the information they process.
(ii) All security requirements and controls must be identified and agreed prior to the development of information systems.

◙ Audit policy:
Purpose of audit policy: The purpose of the audit policy is to provide guidelines to the audit team for conducting an audit of the IT-based infrastructure system.

Audits may be conducted to ensure the integrity, confidentiality and availability of information and resources. The audit is done to protect the entire system from the most common security threats, which include the following:
(i) Unauthorized access to confidential data
(ii) Unauthorized access to the computer department
(iii) Password disclosure
(iv) Virus infections
(v) Denial of service attacks
(vi) Unnecessary open ports, which may be accessed by outsiders
(vii) Unrestricted modems

Objectives of IS audit:
(i) Safeguard the information system assets/resources
(ii) Maintain data integrity
(iii) Maintain system effectiveness
(iv) Ensure system efficiency, and
(v) Comply with information system related policies, guidelines, circulars and any other instructions requiring compliance, in whatever name called.

Scope of IS audit: The scope of information system auditing should include the examination and evaluation of the adequacy and effectiveness of the system of internal control and the quality of performance by the information system. The scope of IS audit therefore has two parts:
− General scope: to check the adequacy and effectiveness of the system of internal control
− Additional scope: to check the quality of performance by the information system

The scope of the audit will also include the evaluation of the internal control system related to:
(i) Data – data/information/reports in whichever form
(ii) Application systems – business software/ERP and other support software
(iii) Technology – network/servers/devices
(iv) Facilities – infrastructure/building/server room etc.
(v) People – employees/contract workers/vendors/customers

The information system auditor will examine, among others, the following:
(i) Information system mission statement, goals and objectives.
(ii) Assessment of the risks associated with the use of the information systems and the approach to managing those risks.
(iii) Information system strategic plans and monitoring of their progress.
(iv) Information system budgets and monitoring of variances.
(v) High level policies for information system use and protection, and monitoring of compliance with these policies.
(vi) Major contract approval and monitoring of the performance of the supplier.
(vii) Monitoring of performance against service level agreements.
(viii) Acquisition of major information systems.
(ix) Impact of external influences on the information system, such as the internet, merger of suppliers or liquidation etc.
(x) Review of self-assessment reports, internal and external audit reports, quality assurance reports or other reports on the information system.
(xi) Business continuity planning, testing thereof and test results.
(xii) Compliance with legal and regulatory requirements.
(xiii) Appointment, performance monitoring and succession planning for senior information system staff, including internal information system audit management and business process owners.

What should the audit policy do? The audit policy should lay down the responsibility for audit. The audit may be conducted by internal auditors or external auditors. Information system auditors should be independent of the activities they audit; independence permits the auditors to render the impartial and unbiased judgment essential to the proper conduct of audits. The audit policy should lay down the audit responsibility as follows:
(i) The policy should lay out the periodicity of reporting and the authority to whom the reporting is to be made.
(ii) A statement of professional proficiency may be included to state the minimum qualification and experience requirements of the auditors.
(iii) All information system auditors will sign a declaration of fidelity and secrecy before commencing the audit work, in a form that the inspection department may design.
(iv) The policy may lay out the extent of testing to be done under the various phases of the audit:
   − Planning
   − Compliance testing
   − Substantive testing
(v) A documented audit program would be developed, including the following:
   − Documentation of the information system auditor’s procedures for collecting, analyzing, interpreting and documenting information during the audit.
   − Objectives of the audit.
   − Scope, nature and degree of testing required to achieve the audit objectives in each phase of the audit.
   − Identification of technical aspects, risks, processes and transactions which should be examined.
(vi) Procedures for the audit will be prepared prior to the commencement of audit work and modified, as appropriate, during the course of the audit.
(vii) The policy should determine when and to whom the audit results would be reported and communicated.
(viii) It would define the access rights to be given to the auditors. This access may include:
   − User level and/or system level access to any computing or communications device
   − Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on the respective department’s equipment or premises
   − Access to work areas (labs, offices, cubicles, storage areas, etc.)
   − Access to reports/documents created during internal audit
   − Access to interactively monitor and log traffic on networks
(ix) The policy should outline the compliance testing areas, e.g.:
   − Organizational and operational controls
   − Security management controls
   − System development and documentation controls
   − Application controls
   − Physical and environmental controls
   − Access controls
   − Business continuity controls, etc.
(x) The auditor will carry out substantive testing wherever the auditor observes weakness in internal control or where risk exposure is high. The auditor may also carry out such tests to gather additional information necessary to form an audit opinion.
(xi) The audit policy would define the compulsory audit working papers to be maintained and their formats.

◙ Audit working papers and documentation: Working papers should record the audit plan, the nature, timing and extent of auditing procedures performed, and the conclusions drawn from the evidence obtained. All significant matters which require the exercise of judgment, together with the auditor's conclusion thereon, should be included in the working papers. The form and content of the working papers are affected by matters such as:
• The nature of the engagement,
• The form of the auditor's report,
• The nature and complexity of the client's business, and
• The nature and condition of the client's records and the degree of reliance on internal controls.

In case of recurring audits, some working paper files may be classified as permanent audit files, which are updated currently with information of continuing importance to succeeding audits, as distinct from the current audit files, which contain information relating primarily to the audit of a single period.

Permanent audit file normally includes:
(i) The organization structure of the entity
(ii) The IS policies of the organization
(iii) The historical background of the information system in the organization
(iv) Extracts or copies of important legal documents relevant to the audit
(v) A record of the study and evaluation of the internal controls
(vi) Copies of audit reports and observations of earlier years
(vii) Copies of management letters issued by the auditor, if any

Current file normally includes:
(i) Correspondence relating to the acceptance of appointment and the scope of the work
(ii) Evidence of the planning process of the audit and the audit program
(iii) A record of the nature, timing, and extent of auditing procedures performed, and the results of such procedures
(iv) Copies of letters and notes concerning audit matters communicated to or discussed with the client, including material weaknesses in relevant internal controls
(v) Letters of representation and confirmation received from the client
(vi) Conclusions reached by the auditor concerning significant aspects of the audit, including the manner in which the exceptions and unusual matters disclosed by the auditor's procedures were resolved and treated
(vii) Copies of the data and system being reported on and the related audit reports

Working papers are the property of the auditor. The auditor may, at his discretion, make portions of, or extracts from, his working papers available to the client. The auditor should adopt reasonable procedures for custody and confidentiality of his working papers and should retain them for a period of time sufficient to meet the needs of his practice and satisfy any legal requirement.

Planning the documentation: It is important to plan the audit documentation. The following three parameters would help in planning a documentation process:
(i) The importance of planning and understanding the planning process requires identifying three planning questions:
a) Knowing Your Resources: The three basic resources are time, people and money. One has to check for their availability and affordability.
b) Defining the Scope and Audience: The same report may undergo significant changes depending on the character of the report and the nature of the audience. A presentation on a Balance Sheet made to bankers and one made to investors would be quite different in content and focus.
c) Using a Scope Definition Report: It is critical to know how to complete a Scope Definition Report. This report helps in developing a workable schedule for completing the project.
(ii) The Documentation Writer: The qualities and skills that the documentation writer would need should be judged. The requirement may often be legal in nature.
(iii) Rules to guide documentation writing: The four rules of writing good documentation are:
a) Writing in Active Voice: Using active voice in documentation.
b) Giving the Consequences: Giving the consequences of the reader's action.
c) Writing from General to Specific: Designing the documentation from general to specific.
d) Consistency: Using style, order and format consistently.

Gathering information: To be able to produce good documentation, it is necessary to get information about the reader and the requirement of the document.
(i) About the Reader: Find information about the reader by doing a task analysis. The three parts of the reader's task, viz. input, process and output, will have to be identified before one can develop an understanding of the reader.
(ii) About the Subject: The three sources of information about a subject are people, paper, and the object of the report.

Organizing information: Organizing information involves deciding what information to include and how to sequence it. The documentation should be organized in such a manner that the reader can easily understand it, and the various outcomes flowing from it should be clearly visible. Following are the points to be considered for organizing a good document:
(i) Selecting Information: Selecting 'what the reader needs to know'.
(ii) Organizing the Documentation: Organizing the information into a useful sequence. The sequence of the document can be according to subject, difficulty, chronological order, importance or analytical order.
(iii) Dividing Into Sections: Dividing the documentation into chapters or sections.
(iv) Dividing Into Subsections: Dividing sections or chapters into subsections.

Writing Online Documentation: Guidelines for writing online documentation should be laid down. Appropriate techniques to highlight the text can be used.

Finalizing documents: This section identifies the tasks involved in reviewing and testing the document, generating the glossary and index, and formatting the document for final production.
(i) Reviewing and Testing: Selection of the reviewer of the documentation involves identifying subject knowledge and communication skill. The reviewer must be provided with adequate information regarding the audience and object of the report. In order to ensure objectivity, it is recommended that the reviewer be a person who has not been involved in the documentation process.
(ii) Generating the Glossary and Index: Compilation of a glossary and generation of an index are two major tasks for complete documentation. In order to achieve this task it is necessary to mark the index and glossary entries at the stage of documentation itself. Word processing software comes with an inbuilt ability to create an index from the identified text in the body of the document.
(iii) Formatting and Production: Creating a good document is not possible without first deciding on a good design for it. This involves choosing effective formatting options for headings, sub-headings, section breaks, formatting and allied elements. It is also important to select an appropriate binding style that would aid filing and ease of consultation.

◙ IS audit report: Structure: Audit reports broadly include the following sections: title page, table of contents, summary (including the recommendations), introduction, findings and appendices. These components of an audit report are discussed below:
(i) Cover and Title Page: Audit reports should use a standard cover, with a window showing the title, "Information System Audit" or "Data Audit", the department's name and the report's date of issue (month and year). These items are repeated at the bottom of each page. The title page may also indicate the names of the audit team members.
(ii) Table of Contents: The table lists the sections and sub-sections with page numbers, including the summary.
(iii) Executive Summary: The executive summary gives a quick overview of the audit report. It should not normally exceed three pages, including the recommendations.
(iv) Introduction: It should include the following elements:
o Context: This sub-section briefly describes conditions in the audited entity during the period under review, for instance, the entity's role, size and organization structure, especially with regard to information system management, significant pressures on information system management, unusual events, organizational changes, IT disruptions, changes in roles and programs, results of internal audits or follow-up to previous audits.
o Purpose: This sub-section is a short description of what functions and special programs were audited.
o Scope: The scope lists the period under review, the issues covered in each function and program, the locations visited and the on-site dates.
o Methodology: This section briefly describes sampling, data collection techniques and the basis for the auditors' opinions. It also identifies any weaknesses in the methodology to allow the client and auditee to make informed decisions as a result of the report.
(v) Findings: Findings constitute the main part of an audit report. If the auditor is using any standard grading scheme like InfoSecGrade (Information Security Grade), a risk matrix or others, the value arrived at should also be stated.
(vi) Opinion: If the audit assignment requires the auditor to express an audit opinion, the auditor shall do so in consonance with the requirement.
(vii) Appendices: Appendices include comprehensive statistics, quotes from publications, documents, and references.

Level of Detail: The depth of coverage for issues should normally reflect the significance of the findings. Situations representing a high degree of risk, or indicating shortcomings that are serious enough to justify a recommendation, should be treated extensively. Specific initiatives that the auditors wish to mention as examples should be described in detail, while issues where the department meets the expectations and there is nothing specific to mention should be dealt with briefly.

Commentary: Where a recommendation and a compliment are made under the same issue, they should be in separate paragraphs; otherwise, they may confuse the reader and reduce the impact of one or the other. Statistics need to be used consistently throughout the report. Sample size and error rate mean more when they are given in context; the size of the population, the number of transactions and the period of time provide that context. Percentages should not be used when referring to small samples (less than one hundred). Graphics should be used when they add to the understanding of the text.

Sample IS security policy: See module.

Previous examination questions

Exam        Marks
Nov 2012    19
May 2012    13
Nov 2011    4
May 2011    8
Nov 2010    12
May 2010    5
Nov 2009    15
June 2009   15
Nov 2008    5

Nov 2012: (5 Marks) Q: Suggest some points that may be considered for establishing better information protection.
Nov 2012: (4 Marks) Q: What are the points to be included when the documented audit program is developed?
Nov 2012: (6 Marks) Q: What is the scope of the IS audit process? Explain the categories of IS audit.
Nov 2012: (4 Marks) Q: Short note – Basic ground rules for protecting computer-held information systems.
May 2012: (5 Marks) Q: (Case Study) What should be the major components of a good information security policy, in your opinion?
May 2012: (4 Marks) Q: Discuss the parameters that would help in planning a documentation process of IS audit.
May 2012: (4 Marks) Q: Short Note – Preventive and Restorative Information Protection.
Nov 2011: (4 Marks) Q: Give the hierarchy of Information Security Policies and discuss each one of them.
May 2011: (8 Marks) Q: As an IS auditor, discuss in brief the various contents to be included in a standard audit report.
Nov 2010: (4 Marks) Q: What are the aspects to be included when a documented audit program is developed?
Nov 2010: (8 Marks) Q: To get good documentation of the working papers of an auditor, what are the points to be considered while gathering and organizing information? Also mention the principles to be followed for writing the document.
May 2010: (5 Marks) Q: (Part of case study) Suppose an audit policy is required; how will you lay down the responsibility of audit?
Nov 2009: (15 Marks) Q: (a) You have been asked to conduct an IS Audit for a bank. (i) How will you develop a documented audit program? (ii) What kind of working papers and documentation will you prepare? (10 Marks) (b) Explain the basic types of Information Protection that an organization can use. (5 Marks)
June 2009: (5 Marks) Q: The Information Security Policy of an organization has been defined and documented as given below: "Our organization is committed to ensure Information Security through established goals and principles. Responsibilities for implementing every aspect of specific applicable proprietary and general principles, standards and compliance requirements have been defined. This is reviewed at least once a year for continued suitability with regard to cost and technological changes." Identify the salient components that have not been covered in the above policy.
Ans Hint: In the stated scenario, the ISMS Policy of the given organization does not address the following issues:
(i) Definition of information security
(ii) Reasons why information security is important to the organization
(iii) A brief explanation of the security policies, principles, standards and compliance requirements
(iv) Reference to supporting documents
June 2009: (10 Marks) Q: What purpose will the information system audit policy serve? Briefly describe the scope of information system audit.
Nov 2008: (5 Marks) Q: Discuss various types of Information Security policies and their hierarchy.

Log on to www.cafinal.com for exam-oriented QRP (quick revision points) of this chapter.

CHAPTER 10
INFORMATION TECHNOLOGY (AMENDMENT) ACT 2008

◙ Objectives of the Act are:
1) To grant legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", in place of paper-based methods of communication.
2) To give legal recognition to digital signatures for authentication of any information or matter which requires authentication under any law.
3) To facilitate electronic filing of documents with Government departments.
4) To facilitate electronic storage of data.
5) To facilitate and give legal sanction to electronic fund transfers between banks and financial institutions.
6) To give legal recognition for keeping of books of accounts by bankers in electronic form.
7) To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Book Evidence Act, 1891, and the Reserve Bank of India Act, 1934.

DOCUMENTS OR TRANSACTIONS TO WHICH THE ACT SHALL NOT APPLY
1. A negotiable instrument other than a cheque.
2. A power-of-attorney.
3. A trust.
4. A will or any other document of testamentary nature.
5. Any contract for the sale or conveyance of immovable property or any interest in such property.

◙ CHAPTER-I: PRELIMINARY
Section 1: Short Title, Extent, Commencement and Application
Section 2: Definitions
(1) In this Act, unless the context otherwise requires,
(a) "Access" with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;
(b) "Addressee" means a person who is intended by the originator to receive the electronic record but does not include any intermediary;
(c) "Adjudicating Officer" means adjudicating officer appointed under subsection (1) of section 46;
(d) "Affixing Electronic Signature" with its grammatical variations and cognate expressions means adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of Electronic Signature;
(e) "Appropriate Government" means as respects any matter (i) enumerated in List II of the Seventh Schedule to the Constitution; (ii) relating to any State law enacted under List III of the Seventh Schedule to the Constitution, the State Government and in any other case, the Central Government;

(f) "Asymmetric Crypto System" means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;
(g) "Certifying Authority" means a person who has been granted a license to issue an Electronic Signature Certificate under section 24;
(h) "Certification Practice Statement" means a statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Electronic Signature Certificates;
(ha) "Communication Device" means Cell Phones, Personal Digital Assistance, or combination of both or any other device used to communicate, send or transmit any text, video, audio, or image. (Inserted Vide ITAA 2008)
(i) "Computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;
(j) (Substituted vide ITAA-2008) "Computer Network" means the interconnection of one or more Computers or Computer systems or Communication device through (i) the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers or communication device whether or not the interconnection is continuously maintained;
(k) "Computer Resource" means computer, communication device, computer system, computer network, data, computer database or software;
(l) "Computer System" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programs, electronic instructions, input data, and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;
(m) "Controller" means the Controller of Certifying Authorities appointed under subsection (7) of section 17;
(n) "Cyber Appellate Tribunal" means the Cyber Appellate * Tribunal established under subsection (1) of section 48 (* "Regulations" omitted);
(na) (Inserted vide ITAA-2008) "Cyber Café" means any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public.
(nb) (Inserted Vide ITAA 2008) "Cyber Security" means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.
(o) "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
(p) "Digital Signature" means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3;
(q) "Digital Signature Certificate" means a Digital Signature Certificate issued under sub-section (4) of section 35;
(r) "Electronic Form" with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;
(s) "Electronic Gazette" means official Gazette published in the electronic form;
(t) "Electronic Record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;
(ta) (Inserted vide ITAA-2006) "Electronic Signature" means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature;
(tb) (Inserted vide ITAA-2006) "Electronic Signature Certificate" means an Electronic Signature Certificate issued under section 35 and includes Digital Signature Certificate;
(u) "Function", in relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer;
(ua) "Indian Computer Emergency Response Team" means an agency established under subsection (1) of section 70B;
(v) "Information" includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche; (Amended vide ITAA-2008)
(w) (Substituted vide ITAA-2008) "Intermediary" with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes;
(x) "Key Pair", in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key;
(y) "Law" includes any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be, Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, bye-laws and orders issued or made thereunder;
(z) "License" means a license granted to a Certifying Authority under section 24;
(za) "Originator" means a person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary;
(zb) "Prescribed" means prescribed by rules made under this Act;

(zc) "Private Key" means the key of a key pair used to create a digital signature;
(zd) "Public Key" means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate;
(ze) "Secure System" means computer hardware, software, and procedure that:
(a) are reasonably secure from unauthorized access and misuse;
(b) provide a reasonable level of reliability and correct operation;
(c) are reasonably suited to performing the intended functions; and
(d) adhere to generally accepted security procedures;
(zf) "Security Procedure" means the security procedure prescribed under section 16 by the Central Government;
(zg) "Subscriber" means a person in whose name the Electronic Signature Certificate is issued;
(zh) "Verify" in relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions, means to determine whether
(a) the initial electronic record was affixed with the digital signature by the use of the private key corresponding to the public key of the subscriber;
(b) the initial electronic record is retained intact or has been altered since such electronic record was so affixed with the digital signature.

◙ CHAPTER-II: DIGITAL SIGNATURE AND ELECTRONIC SIGNATURE
This chapter gives legal recognition to electronic records and digital signatures. It contains two sections, sec 3 and sec 3A. Section 3 deals with digital signature and a new section 3A has been inserted to make the digital signature process technology neutral.
Section 3: Authentication of Electronic Records:
3(1) Subject to the provisions of this section any subscriber may authenticate an electronic record by affixing his Digital Signature.
3(2) The authentication of the electronic record shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
Explanation – For the purposes of this sub-section, "Hash function" means an algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "Hash Result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input, making it computationally infeasible
(a) to derive or reconstruct the original electronic record from the hash result produced by the algorithm;
(b) that two electronic records can produce the same hash result using the algorithm.
3(3) Any person by the use of a public key of the subscriber can verify the electronic record.
3(4) The private key and the public key are unique to the subscriber and constitute a functioning key pair.
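As an added illustration of section 3(2) and of definitions (f), (x), (zc), (zd) and (zh), the Python script below (written for these notes; it is not code from the CA Clues material or from the Act) shows hash-then-sign with an asymmetric key pair: the private key creates the digital signature over the SHA-256 hash result, the public key verifies it, and any alteration of the record after signing makes verification fail. It uses only the standard library, with textbook (unpadded) RSA and small 256-bit primes so that it runs in seconds; those choices are assumptions made for readability, and a real deployment would use a vetted library with a padding scheme such as PSS.

```python
"""Hash-then-sign with an asymmetric key pair, as described in section 3(2) of the Act.

Added example for these notes (not code from the CA Clues material or the Act). It uses only
the Python standard library: textbook RSA without padding and small 256-bit primes, chosen so
the script runs in seconds. That makes it an illustration of the definitions, not a usable
signature scheme; real deployments use a vetted library with a padding scheme such as PSS.
"""
import hashlib
import math
import secrets
from typing import NamedTuple, Tuple


class PublicKey(NamedTuple):
    n: int  # modulus shared by both halves of the key pair
    e: int  # public exponent, used to verify the digital signature


class PrivateKey(NamedTuple):
    n: int
    d: int  # private exponent, used to create the digital signature


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a composite survives all rounds with probability < 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness proves n composite
    return True


def _random_prime(bits: int) -> int:
    """Draw random odd candidates with the top bit set until one passes Miller-Rabin."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_key_pair(modulus_bits: int = 512) -> Tuple[PrivateKey, PublicKey]:
    """Return a 'functioning key pair' (section 3(4)): e*d == 1 mod lcm(p-1, q-1), so the
    public exponent undoes what the private exponent did."""
    e = 65537
    while True:
        p, q = _random_prime(modulus_bits // 2), _random_prime(modulus_bits // 2)
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        if p != q and math.gcd(e, lam) == 1:
            break
    d = pow(e, -1, lam)  # modular inverse (Python 3.8+)
    return PrivateKey(p * q, d), PublicKey(p * q, e)


def hash_result(record: bytes) -> int:
    """The 'hash function' of section 3(2): SHA-256 maps the record to a 256-bit value that
    is the same every time for the same input and (practically) unique to that input."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def affix_digital_signature(record: bytes, priv: PrivateKey) -> int:
    """Section 3(1): the subscriber authenticates the record by signing its hash result.
    The 256-bit hash is always smaller than the 512-bit modulus, so the arithmetic round-trips
    without a padding step (a real scheme still pads, for security)."""
    return pow(hash_result(record), priv.d, priv.n)


def verify(record: bytes, signature: int, pub: PublicKey) -> bool:
    """Definition (zh) 'verify': True only when (a) the signature was created with the private
    key corresponding to `pub` AND (b) the record is unaltered since it was signed."""
    if not 0 < signature < pub.n:
        return False
    return pow(signature, pub.e, pub.n) == hash_result(record)


if __name__ == "__main__":
    priv, pub = generate_key_pair()
    record = b"Invoice 42: pay INR 10,000 to supplier"  # constructed sample record
    sig = affix_digital_signature(record, priv)
    print("genuine record verifies:", verify(record, sig, pub))          # True
    print("altered record verifies:", verify(record + b"0", sig, pub))   # False
    _, other_pub = generate_key_pair()
    print("wrong public key verifies:", verify(record, sig, other_pub))  # False
```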


Section 3A: Electronic Signature (Inserted vide ITAA 2008):
3A(1) Notwithstanding anything contained in section 3, but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which –
(a) is considered reliable; and
(b) may be specified in the Second Schedule.
3A(2) For the purposes of this section any electronic signature or electronic authentication technique shall be considered reliable if –
(a) the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and of no other person;
(b) the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;
(c) any alteration to the electronic signature made after affixing such signature is detectable;
(d) any alteration to the information made after its authentication by electronic signature is detectable; and
(e) it fulfills such other conditions which may be prescribed.
3A(3) The Central Government may prescribe the procedure for the purpose of ascertaining whether an electronic signature is that of the person by whom it is purported to have been affixed or authenticated.
3A(4) The Central Government may, by notification in the Official Gazette, add to or omit any electronic signature or electronic authentication technique and the procedure for affixing such signature from the Second Schedule; provided that no electronic signature or authentication technique shall be specified in the Second Schedule unless such signature or technique is reliable.
3A(5) Every notification issued under sub-section (4) shall be laid before each House of Parliament.

◙ CHAPTER-III: ELECTRONIC GOVERNANCE
This chapter is one of the most important chapters. It specifies the procedures to be followed for sending and receiving electronic records.
Section 4: Legal Recognition of Electronic Records: Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is –
(a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.
Section 5: Legal Recognition of Electronic Signature: Where any law provides that information or any other matter shall be authenticated by affixing the signature, or that any document should be signed or bear the signature of any person, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is authenticated by means of digital signature affixed in such manner as may be prescribed by the Central Government.
Explanation – For the purposes of this section, "Signed", with its grammatical variations and cognate expressions, shall, with reference to a person, mean affixing of his hand-written signature or any mark on any document, and the expression "Signature" shall be construed accordingly.


Section 6: Use of Electronic Records and Electronic Signature in Government and its agencies: 6(1) Where any law provides for – (a) the filing of any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner; (b) the issue or grant of any license, permit, sanction or approval by whatever name called in a particular manner; (c) the receipt or payment of money in a particular manner, then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such filing, issue, grant, receipt or payment, as the case may be, is effected by means of such electronic form as may be prescribed by the appropriate Government. 6(2) The appropriate Government may prescribe rules for the purposes of sub-section (1)(a) the manner and format in which such electronic records shall be filed, created or issued; (b) the manner or method of payment of any fee or charges for filing, creation or issue any electronic record under clause (a). Section 6A: Delivery of Services by Service Provider (Inserted vide ITAA-2008): 6A(1) The appropriate Government may, for the purposes of this Chapter and for efficient delivery of services to the public through electronic means authorize, by order, any service provider to set up, maintain and upgrade the computerized facilities and perform such other services as it may specify, by notification in the Official Gazette. Explanation – For the purposes of this section, service provider so authorized includes any individual, private agency, private company, partnership firm, sole proprietor firm or any such other body or agency which has been granted permission by the appropriate Government to offer services through electronic means in accordance with the policy governing such service sector. 
6A(2) The appropriate Government may also authorize any service provider authorized under sub-section (1) to collect, retain and appropriate service charges, as may be prescribed by the appropriate Government for the purpose of providing such services, from the person availing such service. 6A(3) Subject to the provisions of sub-section (2), the appropriate Government may authorize the service providers to collect, retain and appropriate service charges under this section notwithstanding the fact that there is no express provision under the Act, rule, regulation or notification under which the service is provided to collect, retain and appropriate eservice charges by the service providers. 6A(4) Appropriate Government shall, by notification in the Official Gazette, specify the scale of service charges which may be charged and collected by the service providers under this section Provided that the appropriate Government may specify different scale of service charges for different types of services. Section 7: Retention of Electronic Records: 7(1) Where any law provides that documents, records or information shall be retained for any specific period, then, that requirement shall be deemed to have been satisfied if such documents, records or information are retained in the electronic form, (a) the information contained therein remains accessible so as to be usable for a subsequent reference; (b) the electronic record is retained in the format in which it was originally generated, sent or received or in a format which can be demonstrated to represent accurately the information originally generated, sent or received; (c) the details which will facilitate the identification of the origin, destination, date and time of dispatch or receipt of such electronic record are available in the electronic record:
However, this clause does not apply to any information which is automatically generated solely for the purpose of enabling an electronic record to be dispatched or received. 7(2) Nothing in this section shall apply to any law that expressly provides for the retention of documents, records or information in the form of electronic records. Section 7A: Audit of Documents etc. in Electronic form (Inserted vide ITAA-2008): Where in any law for the time being in force there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in electronic form. Section 8: Publication of rules, regulations, etc. in Electronic Gazette: Where any law provides that any rule, regulation, order, bye-law, notification or any other matter shall be published in the Official Gazette, then such requirement shall be deemed to have been satisfied if such rule, regulation, order, bye-law, notification or any other matter is published in the Official Gazette or Electronic Gazette. However, where any rule, regulation, order, bye-law, notification or any other matter is published in both the Official Gazette and the Electronic Gazette, the date of publication shall be deemed to be the date of the Gazette which was first published in any form. Section 9: Sections 6, 7 and 8 not to confer a right to insist that a document should be accepted in electronic form: Nothing contained in sections 6, 7 and 8 shall confer a right upon any person to insist that any Ministry or Department of the Central Government or the State Government, or any authority or body established by or under any law or controlled or funded by the Central or State Government, should accept, issue, create, retain and preserve any document in the form of electronic records or effect any monetary transaction in the electronic form.
Section 10: Power to make rules by Central Government in respect of Electronic Signature: The Central Government may, for the purposes of this Act, by rules, prescribe (a) the type of Electronic Signature; (b) the manner and format in which the Electronic Signature shall be affixed; (c) the manner or procedure which facilitates identification of the person affixing the Electronic Signature; (d) control processes and procedures to ensure adequate integrity, security and confidentiality of electronic records or payments; and (e) any other matter which is necessary to give legal effect to Electronic Signature. Section 10A: Validity of contracts formed through electronic means (Inserted by ITAA 2008): Where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances, as the case may be, are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose.
◙ CHAPTER-IV: ATTRIBUTION, ACKNOWLEDGMENT AND DISPATCH OF ELECTRONIC RECORDS This chapter deals with attribution, receipt and dispatch of electronic records. ‘Attribution’ means ‘to consider it to be written or made by someone’. Hence, this chapter lays down how an electronic record is to be attributed to the person who originated it. Section 11: Attribution of Electronic Records: An electronic record shall be attributed to the originator (a) if it was sent by the originator himself; (b) if it was sent by a person who had the authority to act on behalf of the originator in respect of that electronic record; or (c) if it was sent by an information system programmed by or on behalf of the originator to operate automatically. Section 12: Acknowledgement of Receipt (Modified by ITAA 2008): 12(1) Where the originator has not stipulated that the acknowledgment of receipt of the electronic record be given in a particular form or by a particular method, an acknowledgment may be given by (a) any communication by the addressee, automated or otherwise; or (b) any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received. 12(2) Where the originator has stipulated that the electronic record shall be binding only on receipt of an acknowledgment of such electronic record by him, then unless the acknowledgment has been so received, the electronic record shall be deemed never to have been sent by the originator.
12(3) Where the originator has not stipulated that the electronic record shall be binding only on receipt of such acknowledgment, and the acknowledgment has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed to within a reasonable time, then the originator may give notice to the addressee stating that no acknowledgment has been received by him and specifying a reasonable time by which the acknowledgment must be received by him and if no acknowledgment is received within the aforesaid time limit he may after giving notice to the addressee, treat the electronic record as though it has never been sent. Section 13: Time and place of dispatch and receipt of electronic record: 13(1) Save as otherwise agreed to between the originator and the addressee, the dispatch of an electronic record occurs when it enters a computer resource outside the control of the originator. 13(2) Save as otherwise agreed between the originator and the addressee, the time of receipt of an electronic record shall be determined as follows, namely – (a) if the addressee has designated a computer resource for the purpose of receiving electronic records (i) receipt occurs at the time when the electronic record enters the designated computer resource; or (ii) if the electronic record is sent to a computer resource of the addressee that is not the designated computer resource, receipt occurs at the time when the electronic record is retrieved by the addressee (b) if the addressee has not designated a computer resource along with specified timings, if any, receipt occurs when the electronic record enters the computer resource of the addressee.
13(3) Save as otherwise agreed between the originator and the addressee, an electronic record is deemed to be dispatched at the place where the originator has his place of business, and is deemed to be received at the place where the addressee has his place of business. 13(4) The provisions of sub-section (2) shall apply notwithstanding that the place where the computer resource is located may be different from the place where the electronic record is deemed to have been received under sub-section (3). 13(5) For the purposes of this section (a) if the originator or the addressee has more than one place of business, the principal place of business shall be the place of business; (b) if the originator or the addressee does not have a place of business, his usual place of residence shall be deemed to be the place of business; (c) "Usual Place of Residence", in relation to a body corporate, means the place where it is registered.

◙ CHAPTER-V: SECURE ELECTRONIC RECORDS AND SECURE ELECTRONIC SIGNATURES
Section 14: Secure Electronic Record: Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification. Section 15: Secure Electronic Signature (Substituted vide ITAA 2008): An electronic signature shall be deemed to be a secure electronic signature if (i) the signature creation data, at the time of affixing the signature, was under the exclusive control of the signatory and no other person; and (ii) the signature creation data was stored and affixed in such exclusive manner as may be prescribed. Explanation – In the case of a digital signature, the "signature creation data" means the private key of the subscriber. Section 16: Security procedures and Practices (Amended vide ITAA 2008): The Central Government may, for the purposes of sections 14 and 15, prescribe the security procedures and practices. Provided that in prescribing such security procedures and practices, the Central Government shall have regard to the commercial circumstances, nature of transactions and such other related factors as it may consider appropriate. ◙ CHAPTER-VI: REGULATION OF CERTIFYING AUTHORITIES Chapter VI contains detailed provisions relating to the appointment and powers of the Controller and Certifying Authorities. It contains sections 17 to 34. Section 17: Appointment of Controller and other officers (Amended Vide ITAA 2008): Section 17 provides for the appointment of the Controller and other officers to regulate the Certifying Authorities.
Section 18: Functions of Controller: The Controller may perform all or any of the following functions, namely: (a) exercising supervision over the activities of the Certifying Authorities; (b) certifying public keys of the Certifying Authorities; (c) laying down the standards to be maintained by the Certifying Authorities; (d) specifying the qualifications and experience which employees of the Certifying Authorities should possess; (e) specifying the conditions subject to which the Certifying Authorities shall conduct their business; (f) specifying the content of written, printed or visual material and advertisements that may be distributed or used in respect of an Electronic Signature Certificate and the public key; (g) specifying the form and content of an Electronic Signature Certificate and the key; (h) specifying the form and manner in which accounts shall be maintained by the Certifying Authorities; (i) specifying the terms and conditions subject to which auditors may be appointed and the remuneration to be paid to them; (j) facilitating the establishment of any electronic system by a Certifying Authority either solely or jointly with other Certifying Authorities and regulation of such systems; (k) specifying the manner in which the Certifying Authorities shall conduct their dealings with the subscribers; (l) resolving any conflict of interests between the Certifying Authorities and the subscribers; (m) laying down the duties of the Certifying Authorities; (n) maintaining a database containing the disclosure record of every Certifying Authority, containing such particulars as may be specified by regulations, which shall be accessible to the public. Section 19: Recognition of foreign Certifying Authorities: Section 19 provides for the power of the Controller, with the previous approval of the Central Government, to grant recognition to foreign Certifying Authorities subject to such conditions and restrictions as may be imposed by regulations.
Section 20: (Omitted vide ITAA 2008) Section 21: License to issue electronic signature certificates: Section 21 provides that a licence issued by the Controller to a Certifying Authority to issue Electronic Signature Certificates shall be in such form and shall be accompanied by such fees and other documents as may be prescribed by the Central Government. Further, the Controller, after considering the application, may either grant the licence or reject the application after giving a reasonable opportunity of being heard. Section 22: Application for license: Section 22 provides that the application for a licence shall be accompanied by a certification practice statement and a statement including the procedure with respect to identification of the applicant. It shall further be accompanied by a fee not exceeding Rs.25,000 and such other documents as may be prescribed by the Central Government. Section 23: Renewal of license: Section 23 provides that the application for renewal of a licence shall be in such form and accompanied by such fees, not exceeding Rs.5,000, as may be prescribed by the Central Government.
Section 24: Procedure for grant or rejection of license: Section 24 deals with the procedure for grant or rejection of license by the controller on certain grounds. No application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case. Section 25: Suspension of License: Section 25 provides that the Controller may revoke a license on grounds such as incorrect or false material particulars being mentioned in the application and also on the ground of contravention of any provisions of the Act, rule, regulation or order made there under. However, no license shall be revoked unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed revocation. Also, no license shall be suspended for a period exceeding ten days unless the Certifying Authority has been given a reasonable opportunity of showing cause against the proposed suspension. Section 26: Notice of suspension or revocation of license: The Controller shall publish a notice of suspension or revocation of license as the case may be in the database maintained by him. Further, the database containing the notice of such suspension or revocation, as the case may be, shall be made available through a web site which shall be accessible round the clock. It is also provided that the Controller may, if he considers necessary, publicize the contents of database in such electronic or other media, as he may consider appropriate. Section 27: Power to delegate: The Controller may, in writing, authorize the Deputy Controller, Assistant Controller or any officer to exercise any of the powers of the Controller under this Chapter. Section 28: Power to investigate contraventions: The Controller or any officer authorized by him in this behalf shall take up for investigation any contravention of the provisions of this Act, rules or regulations made there under. 
Section 29: Access to computers and data: The Controller, or any person authorized by him, shall have access to any computer system, data or any other material connected with such system if he has reasonable cause to suspect that any contravention of the provisions of this chapter has been committed. Section 30: Duties of Certifying Authorities: Every Certifying Authority shall – (a) make use of hardware, software and procedures that are secure from intrusion and misuse; (b) provide a reasonable level of reliability in its services which is reasonably suited to the performance of intended functions; (c) adhere to security procedures to ensure that the secrecy and privacy of the Electronic Signature are assured; (ca) be the repository of all Electronic Signature Certificates issued under this Act; (cb) publish information regarding its practices, Electronic Signature Certificates and the current status of such certificates; and (d) observe such other standards as may be specified by regulations. Section 31: Certifying Authority to ensure compliance of the Act, etc.: Section 32: Display of license: Section 33: Surrender of license:
Section 34: Disclosure: (1) Every Certifying Authority shall disclose in the manner specified by regulations – (a) its Electronic Signature Certificate; (b) any certification practice statement relevant thereto; (c) notice of revocation or suspension of its own digital certificate, if any; and (d) any other fact that materially and adversely affects either the reliability of an Electronic Signature Certificate which that Authority has issued, or the Authority's ability to perform its services. (2) Where in the opinion of the Certifying Authority any event has occurred or any situation has arisen which may materially and adversely affect the integrity of its computer system or the conditions subject to which an Electronic Signature Certificate was granted, then the Certifying Authority shall – (a) use reasonable efforts to notify any person who is likely to be affected by that occurrence; or (b) act in accordance with the procedure specified in its certification practice statement to deal with such event or situation. ◙ CHAPTER-VII: ELECTRONIC SIGNATURE CERTIFICATES Chapter VII of the Act contains Sections 35 to 39. Section 35: Certifying authority to issue electronic signature certificate: Section 35 lays down the procedure for issuance of a Digital Signature Certificate. It provides that an application for such certificate shall be made in the prescribed form and shall be accompanied by a fee not exceeding Rs.25,000. The fee shall be prescribed by the Central Government, and different fees may be prescribed for different classes of applicants.
The section also provides that no Digital Signature Certificate shall be granted unless the Certifying Authority is satisfied that – (a) the applicant holds the private key corresponding to the public key to be listed in the Digital Signature Certificate; (b) the applicant holds a private key which is capable of creating a digital signature; (c) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant. In practice the applicant never hands over the private key; the Certifying Authority is satisfied by verifying, with the public key submitted, a signature that only the corresponding private key could have produced. Section 36: Representations upon issuance of Digital Signature Certificate: Section 36 requires that while issuing a Digital Signature Certificate, the Certifying Authority should certify that it has complied with the provisions of the Act, the rules and regulations made thereunder, and also with other conditions mentioned in the Digital Signature Certificate. Section 37: Suspension of Digital Signature Certificate: The Certifying Authority may suspend such certificate if it is of the opinion that such a step needs to be taken in the public interest. Such certificate shall not be suspended for a period exceeding 15 days unless the subscriber has been given an opportunity of being heard. Section 38: Revocation of digital signature certificate: Section 38 provides for the revocation of Digital Signature Certificates under certain circumstances. Such revocation shall not be done unless the subscriber has been given an opportunity of being heard in the matter. Upon revocation or suspension, the Certifying Authority shall publish the notice of suspension or revocation of the Digital Signature Certificate.
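The three conditions in section 35 are, in engineering terms, a proof-of-possession check: before binding a public key to a subscriber, the Certifying Authority must see that the submitted public key verifies a signature that only the matching private key could have produced. The Go program below is an added example, not code from these notes or from any Indian Certifying Authority. It uses Go's standard crypto/x509 package with a PKCS#10 certificate request as the proof, which is the usual form such a request takes; the subject name applicant.example and the helper function names are assumptions made for illustration. It goes slightly beyond the text's single case by also showing the two ways the check fails: an unrelated public key does not verify the signature, and a request altered after it was signed is rejected.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// BuildRequest is the applicant (subscriber) side: the key pair is generated
// locally, as section 40 requires, and a certificate request is signed with
// the private key. Only the request, which carries the public key, is sent
// to the Certifying Authority; the private key never leaves the applicant.
func BuildRequest(commonName string) (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, der, nil
}

// VerifyPossession is the Certifying Authority side, i.e. the section 35
// checks: parse the request, take the public key it carries and verify the
// signature over the request body with that key. Parsing alone never checks
// the signature, so CheckSignature is the step that must not be skipped.
func VerifyPossession(csrDER []byte) (*ecdsa.PublicKey, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("request does not carry an ECDSA public key")
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return pub, nil
}

// VerifiesWith repeats the section 35(c) test by hand against an arbitrary
// candidate key. A P-256 request is signed as ECDSA-with-SHA256, so the
// digest is SHA-256 over the to-be-signed part of the request.
func VerifiesWith(csrDER []byte, candidate *ecdsa.PublicKey) bool {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(csr.RawTBSCertificateRequest)
	return ecdsa.VerifyASN1(candidate, digest[:], csr.Signature)
}

// Tamper simulates a request altered after signing: the first character of
// the subject name is swapped for another printable letter, which keeps every
// DER length field intact, so the request still parses but no longer matches
// its signature.
func Tamper(csrDER []byte, commonName string) []byte {
	out := append([]byte(nil), csrDER...)
	if i := bytes.Index(out, []byte(commonName)); i >= 0 {
		if out[i] == 'a' {
			out[i] = 'b'
		} else {
			out[i] = 'a'
		}
	}
	return out
}

func main() {
	const cn = "applicant.example" // constructed sample subject, not a real entity
	priv, der, err := BuildRequest(cn)
	if err != nil {
		panic(err)
	}
	pub, err := VerifyPossession(der)
	fmt.Println("genuine request accepted:", err == nil && pub.Equal(&priv.PublicKey))

	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("verifies with applicant's key:", VerifiesWith(der, &priv.PublicKey))
	fmt.Println("verifies with unrelated key:  ", VerifiesWith(der, &other.PublicKey))

	_, err = VerifyPossession(Tamper(der, cn))
	fmt.Println("tampered request rejected:", err != nil)
}
```

The same check is what a CA performs on every CSR it receives; the point for an auditor reviewing a Certifying Authority is that the step in VerifyPossession which calls CheckSignature is the evidence that section 35(a) to (c) were satisfied, and a CA that merely parses the request and copies the public key out has not performed it.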
Section 39: Notice of suspension or revocation: (1) Where a Digital Signature Certificate is suspended or revoked under section 37 or section 38, the Certifying Authority shall publish a notice of such suspension or revocation, as the case may be, in the repository specified in the Digital Signature Certificate for publication of such notice. (2) Where one or more repositories are specified, the Certifying Authority shall publish notices of such suspension or revocation, as the case may be, in all such repositories. ◙ CHAPTER-VIII: DUTIES OF SUBSCRIBERS This Chapter contains sections 40 to 42. It specifies the duties of subscribers. Section 40: Generating Key Pair: Where a subscriber has accepted a Digital Signature Certificate listing a public key which corresponds to that subscriber's private key, the subscriber shall generate that key pair by applying the security procedure. Section 40A: Duties of subscriber of Electronic Signature Certificate: In respect of an Electronic Signature Certificate the subscriber shall perform such duties as may be prescribed. Section 41: Acceptance of Digital Signature Certificate: (1) A subscriber shall be deemed to have accepted a Digital Signature Certificate if he publishes or authorizes the publication of a Digital Signature Certificate (a) to one or more persons; or (b) in a repository; or otherwise demonstrates his approval of the Digital Signature Certificate in any manner.
(2) By accepting a Digital Signature Certificate the subscriber certifies to all who reasonably rely on the information contained in the Digital Signature Certificate that – (a) the subscriber holds the private key corresponding to the public key listed in the Digital Signature Certificate and is entitled to hold the same; (b) all representations made by the subscriber to the Certifying Authority and all material relevant to the information contained in the Digital Signature Certificate are true; (c) all information in the Digital Signature Certificate that is within the knowledge of the subscriber is true. Section 42: Control of Private key: (1) Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his Digital Signature Certificate and take all steps to prevent its disclosure. (2) If the private key corresponding to the public key listed in the Digital Signature Certificate has been compromised, then, the subscriber shall communicate the same without any delay to the Certifying Authority in such manner as may be specified by the regulations. Explanation – For the removal of doubts, it is hereby declared that the subscriber shall be liable till he has informed the Certifying Authority that the private key has been compromised.
◙ CHAPTER-IX: PENALTIES AND ADJUDICATION Section 43: Penalty and Compensation for damage to computer, computer system, etc. A person shall be liable to pay compensation if, without permission of the owner or person in charge, he (a) accesses a computer, computer system or network; (b) downloads, copies or extracts any data from such system or network; (c) introduces a computer contaminant or computer virus into the system or network; (d) damages data or a computer system or network; (e) disrupts a computer system or network; (f) denies access to any authorized person to any computer system or network; (g) wrongly charges the services availed of by one person to the account of another person; (h) destroys, deletes or alters any information residing in a computer resource; (i) steals, conceals, destroys or alters source code. Explanation – for the purposes of this section (i) "Computer Contaminant" means any set of computer instructions that are designed (a) to modify, destroy, record or transmit data or a programme residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system or computer network; (ii) "Computer Database" means a representation of information, knowledge, facts, concepts or instructions in text, image, audio or video that have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network; (iii) "Computer Virus" means any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource, or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource; (iv) "Damage" means to destroy, alter, delete, add, modify or re-arrange any computer resource by any means.
(v) "Computer Source Code" means the listing of programmes, computer commands, design and layout and programme analysis of a computer resource in any form. Section 43A: Compensation for failure to protect data: Where a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. Section 44: Penalty for failure to furnish information, return, etc.: If any person who is required under this Act or any rules or regulations made thereunder (a) fails to furnish any document, return or report: he shall be liable to a penalty not exceeding one lakh and fifty thousand rupees for each such failure; (b) fails to file any return or furnish any information, books or other documents within the time specified: he shall be liable to a penalty not exceeding five thousand rupees for every day during which such failure continues; (c) fails to maintain books of account or records: he shall be liable to a penalty not exceeding ten thousand rupees for every day during which the failure continues. Section 45: Residuary Penalty: Section 45 provides for a residuary penalty. Whoever contravenes any rules or regulations made under this Act, for the contravention of which no penalty has been separately provided, shall be liable to pay compensation or a penalty not exceeding twenty-five thousand rupees.
Section 46: Power to Adjudicate: This section relates to the appointment of adjudicating officer and his decision powers: − The central government shall appoint an adjudicating officer for deciding the matters relating to penalty and compensation. Such person should have experience in the field of Information Technology and Legal or Judicial experience. − The adjudicating officer will decide on matters in which claim does not exceed rupees five crores. − When the claim exceeds rupees five crores then it will be decided by the court. − The adjudicating officer will give reasonable opportunity for making representation by the defaulting person before deciding penalty/ compensation on him. − Every adjudicating officer shall have the powers of a civil court. Section 47: Factors to be taken into account by the adjudicating officer: While adjudging the quantum of compensation the adjudicating officer shall have due regard to the following factors, namely (a) the amount of gain or unfair advantage made as a result of the default (b) the amount of loss caused to any person as a result of the default (c) the repetitive nature of the default ◙ CHAPTER-X: THE CYBER APPELLATE TRIBUNAL The “Cyber Regulations Appellate Tribunal” has appellate powers in respect of orders passed by any adjudicating officer. Civil courts have been barred from entertaining any suit or proceeding in respect of any matter which an adjudicating officer or Tribunal is empowered to handle. 1) The central government shall establish one or more Appellate Tribunals to be known as Cyber Regulations Appellate Tribunals (section 48). 2) The Cyber Appellate Tribunal shall consist of a Chairperson and judicial and non-judicial Members, as the Central Government may appoint (section 49). 
3) Qualifications for appointment as Chairperson and Members of the Cyber Appellate Tribunal shall be (section 50): - Chairperson: a person who is, or has been, or is qualified to be, a Judge of a High Court - Non-judicial members: persons having special knowledge of, and professional experience in, information technology, telecommunication, industry, management or consumer affairs - Judicial Members: persons who are or have been members of the Indian Legal Service 4) The Chairperson or a Member of the Cyber Appellate Tribunal shall hold office for a term of five years or until he attains the age of sixty-five years, whichever is earlier (section 51). 5) The salary and allowances payable to the Chairperson or a Member of the Cyber Appellate Tribunal shall be such as may be prescribed (section 52). 6) The Chairperson of the Cyber Appellate Tribunal shall have powers of general supervision and direction in the conduct of the affairs of that Tribunal (section 52A). 7) The Chairperson of the Cyber Appellate Tribunal may, by order, distribute the business of that Tribunal amongst the Benches (section 52B). 8) The Chairperson of the Cyber Appellate Tribunal may transfer any case pending before one Bench for disposal to any other Bench (section 52C). 9) Decisions of the Tribunal are taken by a majority of the Members (section 52D). 10) If any vacancy occurs in the office of the Chairperson or a Member, the Central Government shall appoint another person to fill the vacancy (section 53). 11) The Chairperson or a Member can be removed by the Central Government on the ground of proved misbehaviour or incapacity after an inquiry has been made by a Judge of the Supreme Court (section 54).
Section 57: Appeal to Cyber Regulations Appellate Tribunal: 1) Any person aggrieved by an order made by the Controller or an adjudicating officer may file an appeal to a Cyber Appellate Tribunal. 2) If the adjudicating officer made an order with the consent of the parties, no appeal lies against such order. 3) The appeal must be filed within 45 days from the date on which a copy of the order of the Controller or adjudicating officer is received. An appeal may be entertained after 45 days if there was sufficient cause for the delay. 4) The appeal has to be filed in the prescribed form, together with the prescribed fee. 5) After giving the parties an opportunity of being heard, the Tribunal will pass such orders as it thinks fit, confirming, modifying or setting aside the order appealed against. 6) The appeal shall be dealt with as expeditiously as possible, and an endeavour shall be made to dispose of it finally within six months from the date of receipt of the appeal. Section 58: Procedure and Powers of the Cyber Appellate Tribunal: The Cyber Appellate Tribunal shall have the same powers as are vested in a civil court under the Code of Civil Procedure while trying a suit, in respect of the following matters, namely (i) summoning and enforcing the attendance of any person and examining him on oath; (ii) requiring the discovery and production of documents or other electronic records; (iii) receiving evidence on affidavits; (iv) issuing commissions for the examination of witnesses or documents; (v) reviewing its decisions; (vi) dismissing an application for default or deciding it ex parte; (vii) any other matter which may be prescribed. Section 62: Appeal to High Court: Any person aggrieved by any decision or order of the Cyber Appellate Tribunal may file an appeal to the High Court within 60 days from the date of communication of the decision or order of the Cyber Appellate Tribunal to him, on any question of fact or law arising out of such order.
However, the High Court may, if it is satisfied that the appellant was prevented by sufficient cause from filing the appeal within the said period, allow it to be filed within a further period not exceeding sixty days. Section 63: Compounding of Contravention: Any contravention under the Act may be compounded by the Controller or the adjudicating officer, either before or after the institution of adjudication proceedings, subject to such conditions as he may impose. ◙ CHAPTER-XI: OFFENCES Chapter XI deals with computer crimes and provides the punishments for these offences. It contains sections 65 to 78. Such offences include:

- Section 65: Tampering with computer source documents: imprisonment up to 3 years, or fine up to Rs.2 lakh, or both.
- Section 66: Computer related offences (any act referred to in section 43 done dishonestly or fraudulently): imprisonment up to 3 years, or fine up to Rs.5 lakh, or both.
- Section 66A: Sending offensive messages through a communication service, etc.: imprisonment up to 3 years and fine. (This section was struck down as unconstitutional by the Supreme Court in Shreya Singhal v. Union of India, 2015.)
- Section 66B: Dishonestly receiving a stolen computer resource or communication device: imprisonment up to 3 years, or fine up to Rs.1 lakh, or both.
- Section 66C: Identity theft: imprisonment up to 3 years and fine up to Rs.1 lakh.
- Section 66D: Cheating by personation using a computer resource: imprisonment up to 3 years and fine up to Rs.1 lakh.
- Section 66E: Violation of privacy: imprisonment up to 3 years, or fine up to Rs.2 lakh, or both.
- Section 66F: Cyber terrorism: imprisonment which may extend to imprisonment for life.
- Section 67: Publishing or transmitting obscene material in electronic form: on first conviction, imprisonment up to 3 years and fine up to Rs.5 lakh.
- Sections 67A and 67B: Publishing or transmitting sexually explicit material, or material depicting children in sexually explicit acts, in electronic form: on first conviction, imprisonment up to 5 years and fine up to Rs.10 lakh.

Some other penalty provisions: Section 68 provides that the Controller may give directions to a Certifying Authority or any employee of such authority to take such measures as specified in the order, so as to ensure compliance with this law. If any person fails to comply, he shall be liable to imprisonment up to 3 years or fine up to Rs.2 lakh, or both. Section 69 empowers the Central Government (under the original 2000 Act, the Controller), if it is satisfied that it is necessary or expedient so to do in the interest of the sovereignty and integrity of India, security of the State, friendly relations with foreign states or public order, to direct the interception, monitoring or decryption of any information transmitted through any computer resource. Section 69A empowers the Central Government, on the same grounds, to direct that public access to any information through any computer resource be blocked. Section 69B: Power to authorize monitoring and collection of traffic data or information through any computer resource for cyber security: The Central Government may, to enhance cyber security and for identification, analysis and prevention of any intrusion or spread of computer contaminant in the country, by notification in the Official Gazette, authorize any agency of the Government to monitor and collect traffic data or information generated, transmitted, received or stored in any computer resource. For the purpose of this section, "traffic data" means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted, and includes the communication's origin, destination, route, time, date, size, duration or type of underlying service, or any other information. Section 70 empowers the appropriate Government to declare by notification any computer, computer system or computer network to be a protected system.
Any unauthorized access to such a system is punishable with imprisonment which may extend to ten years and fine. Section 70A: National Nodal Agency: The Central Government may appoint an organization of the Government as the National Nodal Agency in respect of Critical Information Infrastructure Protection. The agency shall be responsible for all measures, including research and development, relating to the protection of critical information infrastructure. Section 71 provides that any person found misrepresenting or suppressing any material fact from the Controller or the Certifying Authority shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to Rs.1 lakh, or with both.


Section 72: Punishment for breach of confidentiality and privacy of electronic records, books, information, etc. by a person who has access to them, without the consent of the person to whom they belong: imprisonment for a term which may extend to two years or fine which may extend to Rs. 1 lakh or both.

Section 73: Punishment for publishing a Digital Signature Certificate false in material particulars, or otherwise making it available to any other person: imprisonment for a term which may extend to two years or fine which may extend to Rs. 1 lakh or both.

Section 75: Provides for punishment for commission of any offence or contravention by a person outside India, irrespective of his nationality, if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.

Section 76: Provides for confiscation of any computer, computer system, floppies, compact disks, tape drives or any other accessories related thereto in respect of contravention of any provision of the Act, rules, regulations or orders made thereunder.

Indian Computer Emergency Response Team (CERT-In): CERT-In to serve as national agency for incident response (Section 70B):
- The Central Government shall appoint an agency of the Government to be called the Indian Computer Emergency Response Team.
- The Central Government shall provide the agency with a Director General and such other officers and employees as may be prescribed.
- The salary and allowances and terms and conditions of such officers and employees shall be such as may be prescribed.
- The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of cyber security:
  (a) collection, analysis and dissemination of information on cyber incidents
  (b) forecast and alerts of cyber security incidents
  (c) emergency measures for handling cyber security incidents
  (d) coordination of cyber incident response activities
  (e) issue of guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
  (f) such other functions relating to cyber security as may be prescribed
- CERT-In may call for information and give directions to service providers, intermediaries, data centres, body corporates and any other person.
- Any service provider, intermediary, data centre, body corporate or person who fails to provide the information called for or to comply with the direction shall be punishable with imprisonment up to one year or with fine up to one lakh rupees or with both.

◙ CHAPTER-XII: INTERMEDIARIES NOT TO BE LIABLE IN CERTAIN CASES
Section 79 provides that Network Service Providers (Intermediaries) shall not be liable for any third party information or data made available by them if they prove that the offence was committed without their knowledge or consent. The above exemption shall not be applicable if:
- the intermediary has conspired, abetted, aided or induced, whether by threat or promise or otherwise, the commission of the unlawful act
- upon receiving actual knowledge, it fails to immediately remove the material

◙ CHAPTER-XIIA: EXAMINER OF ELECTRONIC EVIDENCE
Section 79A states that, for the purposes of providing expert opinion on electronic form evidence before any court or other authority, the Central Government may appoint an Examiner of Electronic Evidence.


◙ CHAPTER-XIII: MISCELLANEOUS
Section 80: Power of Police Officer and Other Officers to Enter, Search, etc.
Section 81: Act to have Overriding effect
Section 81A: Application of the Act to Electronic cheque and truncated cheque
Section 87: Power of Central Government to make rules
Section 89: Power of Controller to make Regulations
Section 90: Power of State Government to make rules

Section 85: Offences by Companies: Where a company commits any offence under this Act or any rule thereunder, every person who, at the time of the contravention, was in charge of and was responsible for the conduct of the business of the company shall be guilty of the contravention. However, he shall not be liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent the contravention. Further, where a contravention has been committed by a company, and it is proved that the contravention took place with the connivance or consent of, or due to any negligence on the part of, any director, manager, secretary or other officer of the company, such officer shall be deemed to be guilty and shall be liable to be proceeded against and punished accordingly. For the purposes of this section, 'company' includes a firm or other association of persons, and 'director' in relation to a firm means a partner in the firm.

Section 88: Cyber Regulation Advisory Committee:
- Constituted by Central Government
- Consists of Chairperson, official and non-official members
- Gives advice to Central Government and Controller
- Allowance will be given as prescribed

Previous examination questions

Exam        Marks
Nov 2012    14
May 2012    14
Nov 2011    4
May 2011    13
Nov 2010    13
May 2010    10
Nov 2009    10
June 2009   10
Nov 2008    10

Nov 2012 (4 Marks) Q: In the Information Technology (Amendment) Act 2008, what do section 25 and section 26 say about suspension of licence to issue electronic signature certificates?
Nov 2012 (5 Marks) Q: Describe the duties of a certifying authority in respect of digital signatures under section 30 of the IT (Amendment) Act 2008.
Nov 2012 (5 Marks) Q: Short note: Constitution of the Cyber Regulation Advisory Committee under section 88 of the IT (Amendment) Act 2008.
May 2012 (4 Marks) Q: Describe the power to make rules by the Central Government in respect of Electronic Signature under Sec 10 of the Information Technology (Amendment) Act 2008.
May 2012 (6 Marks) Q: How is the term 'Electronic Record' defined in the IT (Amendment) Act 2008? What is the provision given in the IT Act for the retention of Electronic Records?
May 2012 (4 Marks) Q: Short note: Objectives of the Information Technology Act 2000.
Nov 2011 (4 Marks) Q: Describe the composition and powers of the Cyber Regulation Appellate Tribunal.
May 2011 (5 Marks) Q: What is the provision given in the Information Technology (Amendment) Act 2008 for the retention of electronic records?
May 2011 (4 Marks) Q: Describe the duties of certifying authorities under sec 30 of the Information Technology (Amendment) Act 2008.
May 2011 (4 Marks) Q: Authentication of electronic records in the Information Technology (Amendment) Act 2008.
Nov 2010 (5 Marks) Q: What is the procedure to apply for a licence to issue electronic signature certificates under sec 22 of the Information Technology (Amendment) Act 2008?
Nov 2010 (4 Marks) Q: What does the Information Technology (Amendment) Act 2008 say about (i) Attributes of electronic records in sec 11, (ii) Secure electronic signature in sec 15?
Nov 2010 (4 Marks) Q: Short note on: Section 41 ITAA 2008 - Acceptance of digital signature certificate.
May 2010 (5 Marks) Q: (Case study related question) What are the conditions laid down by section 7, chapter III of the Information Technology Act, 2000 for retaining e-documents by a company?
May 2010 (5 Marks) Q: Define the following terms related to the Information Technology Act, 2000: (i) Computer contaminant (ii) Cyber cafe (iii) Electronic form (iv) Traffic data (v) Asymmetric crypto system.
Nov 2009 (5 Marks) Q: How does the Information Technology Act, 2000 enable the authentication of records using digital signatures?


Nov 2009 (5 Marks) Q: How does the Information Technology Act, 2000 enable the objective of the Government in spreading e-governance?
Hint: In the Information Technology Act 2000, chapter III relates to the objective of the Government in spreading e-governance. It deals with the procedures to be followed for sending and receiving electronic records. This chapter contains sections 4 to 10.
Section 4: Provides legal recognition of electronic records.
Section 5: Provides legal recognition of digital signatures.
Section 6: Lays down the foundation of Electronic Governance. It provides that the filing of any form, application or other document, the creation, retention or preservation of records, the issue or grant of any licence or permit, or receipt or payment in Government offices and its agencies may be done by means of electronic form.
Section 7: Provides that documents, records or information which are to be retained for any specified period shall be deemed to have been retained in electronic form subject to the following conditions: (i) the information therein remains accessible so as to be usable subsequently, (ii) it is retained in its original format, (iii) the details such as origin, destination, date and time of dispatch or receipt of such electronic record are available.
Section 8: Provides for the publication of rules, regulations and notifications in the Electronic Gazette.
June 2009 (10 Marks) Q: (a) State the duties of the subscriber of a digital signature as specified in Sections 40 to 42 of Chapter VIII of the Information Technology Act, 2000. (5 Marks) (b) What are the conditions subject to which an electronic record may be authenticated by means of affixing a digital signature? (5 Marks)
Nov 2008 (5 Marks) Q: State the liabilities of companies under section 85 of the Information Technology Act, 2000.
Nov 2008 (5 Marks) Q: Write a short note on "Powers of the Cyber Appellate Tribunal".