
Hariharan

Information Systems
Control & Audit
***

CA Final Study Notes


aacfyntax@gmail.com
Index

Ch. No.  Chapter                                                             Pg. No.
1        Information System Concepts                                          03
2        System Development Life Cycle Methodology                            19
3        Control Objectives                                                   43
4        Testing – General & Automated Controls                               69
5        Risk Assessment Methodologies & Applications                         82
6        Business Continuity Planning & Disaster Recovery Planning            89
7        An Overview of Enterprise Resource Planning                          97
8        Information Systems Audit Standards & Guidelines                    106
9        Drafting of IS Security Policy, Audit Policy, IS Audit Reporting    119
10       Information Technology (Amended) Act, 2008                          127
01 INFORMATION SYSTEM CONCEPTS
1. Definition of a System

 System is an orderly arrangement of a set of interrelated and interdependent elements that
operate collectively to accomplish some common purpose or goal.

 A system can be described by specifying its parts, the way in which they are related and the
goals which they are expected to achieve.

2. Types of System

 Abstract Systems, also known as conceptual systems, are an orderly arrangement of
interdependent ideas or constructs. They do not display any activity or behaviour. They include
designs and drawings containing a set of ideas or plans. They are non-working systems that
are ultimately converted into physical systems.

 Physical Systems are a set of elements operating together to accomplish an objective.
They are more than a conceptual construct and display an activity or behaviour. They include
all working systems and contain some physical components.

 Open System is a system that interacts freely with the environment by taking input and
returning output. Open systems interact with elements that exist and exert influence from outside
the system boundary. They are adaptable to change and are costly to develop and maintain.
They have a longer life span than closed systems and require more maintenance than closed
systems.

 Closed System is a system that neither interacts with the environment nor changes
with changes in the environment. Closed systems are not normally developed for business
organizations. They are easy to manage and inexpensive to develop, and have a shorter life
span than open systems.
Organizations are considered to be relatively open systems, as they continuously interact
with the external environment by processing or transforming inputs into useful outputs.

 Relatively Closed Systems are those systems which are relatively isolated from the
environment but not completely closed in the physical sense. They have controlled and
well-defined inputs and outputs. They minimize unwanted disturbances

 Manual Systems are systems where data collection, manipulation, maintenance and
final reporting are carried out entirely by human effort.

 Automated systems are systems where computers are used to carry out all the above
mentioned tasks.
 Clustering is the main method of simplification. It is a collection of sub-systems of similar
nature.

 Deterministic Systems take past data as input and provide an exact output. They
operate in a predictable manner and have fewer chances of error in the outputs; the
interaction among parts is known with certainty.

 Probabilistic Systems take expected data for future transactions into account and provide
an expected output. They operate in a probable manner, and a certain degree of error
exists in their outputs.

3. Reasons for using computers in business

 Handling huge volumes of data that are not manageable by human effort
 Storing enormous volumes of data for an indefinite period without any decay
 Quick and accurate processing of data to match the competitive environment
 Quick retrieval of information on query
 Quick and efficient transportation of data & information to distant places at almost no cost

4. System Concepts

 System Environment is the external world which is outside the system boundary. These
are the components outside the system boundary with which the system interacts. System
can accept inputs from & provide outputs to the environment.

 System Boundaries are the features that define and delineate a system. The system is
inside its boundary, while the environment is outside the boundary. Boundary represents
the periphery or limit within which system components work together.

 Subsystems are the parts of a system. A complex system is divided into various sub-
systems which help in easy development & management of the complex system. It is
derived by the process of decomposition. The use of subsystems as building blocks is
basic to analysis and development.

- The interconnections and interactions between the subsystems are termed as
Interfaces. Interfaces occur at boundaries and take the form of inputs and outputs.

- A huge system is decomposed into subsystems by the process of Decomposition. It is
needed to analyze an existing subsystem and to design and implement a new subsystem.
It is the process of dividing the system into various subsystems, based on the
principles that systems should be divided into subsystems until the overall system is
easy to manage and develop, and that every subsystem should have relevance to the main
system.

- Simplification is the process of organizing subsystems with the intention of reducing
the number of interconnections, each of which is a potential interface for communication
among subsystems.

- Decoupling: when a system functions independently of other systems, the concept is
known as decoupling. A standard decoupling mechanism reduces the need for communication
and close connection among the databases maintained by the administrator, and allows the
database to be used without tedious and time-consuming checking with other subsystems.

 A Supra System refers to the entity formed by a system and other equivalent systems with
which it interacts. The various functional areas (sub-systems) of an organization are
elements in the same supra system of the organization.

 Stress is a force transmitted by a system’s supra system, that causes a system to change,
so that the supra system can better achieve its goals.

 Systems accommodate the stress through a Change that can be structural change or a
change in the processes.

 Entropy is the quantitative measure of disorder in a system. Maintenance inputs to a
system are known as negative entropy. Open systems require more negative entropy
than relatively closed systems. To avoid the system losing its value over time due
to positive entropy (natural energy leakage), it should continuously be provided with
upgrades (negative entropy).

5. Information is processed data. The data which has some value for its receiver is information.
Information Systems are developed to process the data & provide information which help in
decision-making process.

 Attributes of Information:

- Accuracy
- Timeliness
- Appropriate mode & format
- Complete & up-to-date
- Reliable source of information
- Adequate & purposeful
- May include redundancy
- Transparency
- Free from any bias
- Quality

 Types of Information

- Internal Information can be defined as information that has been generated from the
operations of the organization at various functional areas. Internal information gets
processed and summarized from the junior to the topmost level of management.

- External Information is collected from the external environment of the business
organization. It is collected to assess the organization's performance from the outside.

6. Information System and its role in Management

An Information System can be considered as an arrangement of a number of elements that
provide effective information for decision making and/or control of some functions of an
organization. Enterprises use Information Systems to reduce costs, control wages and
generate revenue.

 Implications of Information Systems in business

- Information Systems help managers make effective decisions to achieve the
organizational goal
- Based on a well-defined Information System, an organization gains an edge in a
competitive environment
- Information Systems help take the right decisions at the right time
- Innovative ideas for solving critical problems may come from a good Information System
- Knowledge gathered through an Information System may be utilized by managers in
unusual situations
- Since an Information System is viewed as a process, it can be integrated to formulate a
strategy of action or operation

7. Factors On Which Information Requirements Of Executives Depends

 The grouping or clustering of several functional units on the basis of related activities into a
subsystem is termed as Operational Function. The information requirements of different
operational functions vary not only in content but also in characteristics. The content of the
information depends upon the activities performed under an operational function.

 Types of Decisions.

- Programmed decisions refer to decisions made on problems and situations with
reference to a predetermined set of precedents, procedures, techniques and rules.
These are well structured in advance and are time-tested for their validity. As a problem
or issue for decision making emerges, the relevant prescribed rule or procedure is
applied to arrive at the decision.

- Non-programmed decisions are those made on situations and problems
which are novel and non-repetitive and about which not much knowledge and
information is available. They are made by reference to managerial intelligence,
experience, judgment and vision in tackling problems and situations.

 Level of Management activity

- Strategic level management is concerned with developing the organizational
mission, objectives and strategies. Decisions made at this level of the organization to
handle problems critical to the survival and success of the organization are called
strategic decisions.

- Tactical level decisions are made to implement strategic decisions. A single strategic
decision calls for a series of tactical decisions, which are of a relatively structured
nature. They are specific and functional, made in relatively closed setting, more easily
available and digestible and less surrounded by uncertainty and complexity.

- Operational level is the lowest level in managerial hierarchy wherein the managers
coordinate the work of others, who are not themselves managers.

8. Computer Based Information Systems (CBIS) are complementary networks of hardware /
software that people and organizations use to collect, filter, process, create and distribute data.

 Characteristics of CBIS

- All systems work for predetermined objectives, and the systems are designed and
developed accordingly.
- A system has a number of interrelated and interdependent subsystems or components.
No subsystem can function in isolation; it depends on other subsystems for inputs.
- If one subsystem or component of a subsystem fails, in most cases the whole system
does not work.
- The way a subsystem works with another subsystem is called interaction. Different
subsystems interact with each other to achieve the goal of the system.
- Work done by individual subsystems is integrated to achieve the central goal of the
system. The goal of an individual subsystem is of lower priority than the goal of the entire
system.

 Components of CBIS

- Hardware
- Software
- Data
- Procedures: Policies and rules which govern the functioning of the CBIS
- People

9. Areas of CBIS

 The main goal of Finance & Accounting subsystem is to ensure financial viability of the
organization, enforce financial discipline and plan & monitor financial budget.

 The objective of Marketing & Sales subsystem is to maximize sales and ensure customer
satisfaction. The marketing system facilitates the chances of order procurement.

 The objective of Production & Manufacturing is to optimally deploy men, machines and
material to maximize production or service. The system is used to regulate maximum and
minimum levels of stock and provides important information for production schedules.

 Human Resource Management aims to utilize human resources in the most effective and
efficient manner by ensuring fewer disputes, the right utilization of manpower and a
peaceful working environment.

10. Value / Dimensions of information:

 Economic dimension of information is evaluated in terms of costs and benefits. It is a difficult
task due to its intangible nature, but an appropriate analysis of the cost incurred and the benefits
to be derived is performed.

 Business dimension. The importance of information for business continuity is determined.

 Technical dimension. Technical characteristics are evaluated in terms of security, access
control & availability to user when required.

11. Types Of Information System

12. Operations Support Systems

 The objective of OSS is to improve efficiency in the operations of an enterprise. This system uses
internal data, primarily for managers at lower levels.

 Categories

- Transaction Processing System
- Management Information System
- Enterprise Resource Planning System

13. Transaction Processing System (TPS) is used to process transactions & provide routine &
regular reports. Business activities involve transactions and these transactions are to be
organized and manipulated to generate various information products for external use. TPS
records and manipulates data into useful information.

TPS is known as basic information system & it acts as a base to other IS like MIS & EIS. It
automates the routine procedures of transaction-processing which helps to provide the
required outputs in an efficient manner. TPS is developed using SDLC Methodology & is
known as Life-cycle system.

 The four common cycles of business activities are:

- Revenue
- Expenditure
- Production
- Finance

 The standard operating procedure of TPS is:

- Entry of data
- Processing of details
- Search & presentation of data/ information

 Components used in TPS

- Input, used for capturing and classifying transactions
- Processing, used to process transactions as per business logic
- Storage, used to maintain the data of transactions in form of master file and transaction
files
- Output, used to provide required reports from TPS. It gives 2 types of reports,
operational and financial
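As an added example (not code from these notes), the four TPS components above in working form: a batch of captured transactions is classified and validated at the input stage, accepted items are processed against a master file under a credit-limit rule, every item is written to a transaction file that doubles as the audit trail, and operational and financial reports are produced. The master file and the transaction batch are constructed sample data; the credit-limit rule and the contents of the two reports are assumptions.

```python
"""Transaction processing cycle: capture and classify input, validate it,
process it against a master file, store it to a transaction file, report.
Added example; the master file and the batch below are constructed."""
from decimal import Decimal, InvalidOperation

# Constructed master file: one record per customer (not data from the notes).
MASTER = {
    "C001": {"name": "Acme Ltd", "balance": Decimal("1500.00"),
             "credit_limit": Decimal("5000.00")},
    "C002": {"name": "Beta & Co", "balance": Decimal("0.00"),
             "credit_limit": Decimal("1000.00")},
}

# Constructed batch of captured transactions, as keyed in at the input stage.
RAW_BATCH = [
    {"id": "T1", "cust": "C001", "type": "SALE", "amount": "1200.50"},
    {"id": "T2", "cust": "C002", "type": "SALE", "amount": "1500.00"},  # over credit limit
    {"id": "T3", "cust": "C001", "type": "RECEIPT", "amount": "500.00"},
    {"id": "T4", "cust": "C999", "type": "SALE", "amount": "10.00"},  # unknown customer
    {"id": "T5", "cust": "C002", "type": "SALE", "amount": "abc"},  # non-numeric amount
]

VALID_TYPES = {"SALE", "RECEIPT"}


def classify(raw, master):
    """Input stage: validate and classify one captured transaction.
    Returns (accepted, reason). Malformed or unauthorised items are rejected
    here, before they can touch the master file."""
    if raw.get("type") not in VALID_TYPES:
        return False, "unknown transaction type"
    if raw.get("cust") not in master:
        return False, "customer not on master file"
    try:
        amount = Decimal(raw["amount"])
    except (InvalidOperation, KeyError):
        return False, "amount not numeric"
    if amount <= 0:
        return False, "amount must be positive"
    return True, ""


def process_batch(raw_batch, master):
    """Processing and storage stages: apply accepted transactions to a copy of
    the master file under the business rule (a sale may not breach the credit
    limit) and record every item, accepted or rejected, in the transaction
    file, which doubles as the audit trail."""
    master = {cid: dict(rec) for cid, rec in master.items()}
    tx_file = []
    for raw in raw_batch:
        ok, reason = classify(raw, master)
        if ok:
            rec = master[raw["cust"]]
            amount = Decimal(raw["amount"])
            if raw["type"] == "SALE":
                if rec["balance"] + amount > rec["credit_limit"]:
                    ok, reason = False, "credit limit exceeded"
                else:
                    rec["balance"] += amount
            else:  # RECEIPT reduces the amount the customer owes
                rec["balance"] -= amount
        tx_file.append({"id": raw["id"],
                        "status": "ACCEPTED" if ok else "REJECTED",
                        "reason": reason})
    return master, tx_file


def reports(master, tx_file):
    """Output stage: an operational report (batch control totals, used to
    reconcile input against processing) and a financial report (closing
    receivables per customer and in total)."""
    accepted = sum(1 for t in tx_file if t["status"] == "ACCEPTED")
    operational = {"processed": len(tx_file), "accepted": accepted,
                   "rejected": len(tx_file) - accepted}
    financial = {cid: str(rec["balance"]) for cid, rec in master.items()}
    financial["total_receivables"] = str(sum(rec["balance"] for rec in master.values()))
    return operational, financial


if __name__ == "__main__":
    updated, tx_file = process_batch(RAW_BATCH, MASTER)
    for entry in tx_file:
        print(entry)
    print(*reports(updated, tx_file), sep="\n")
```

The point a control reviewer looks for is that rejected items are never silently dropped: the transaction file carries every input with a reason, and the operational report's control totals let the batch be reconciled (processed = accepted + rejected) against what was captured.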

 Features of TPS

- Large volume of data
- Automation of basic operations
- Benefits are easily measurable
- Source of inputs for other systems

14. Management Information System (MIS) is an integrated user machine system designed for
providing information to support operational control, management control and decision making
functions in an organization. It is an extension of TPS.

MIS provides value-added reports by using the operational database of the TPS. It provides
reports based on exceptions and on mathematical principles, which help in management
decision making. It is also based on a life-cycle system and is extensively used in various
management functions.
It is designed to provide accurate, relevant and timely information to managers at different
levels and in different functional areas throughout the organization for decision making
purposes.

 Components of MIS

- Management refers to a set of functions and processes designed to initiate and
coordinate group efforts in an organized setting directed towards promotion of certain
interests, preserving certain values and pursuing certain goals.

- Information could be defined as a set of facts, figures and symbols processed for
current decision making situation.
- System is defined as a set of related components, interacting together so as to
accomplish some common objectives.

 MIS provides for:

- Identification of relevant information needs
- Collection of relevant information
- Processing of data
- Timely dissemination of processed information

 Functions of a MIS

- Determination of information needs
- Gathering, processing, evaluation & indexation of data
- Dissemination & storage of data

 Characteristics of a Good MIS

- Management-oriented
- Management-directed
- Need-based
- Exception-based
- Integrated
- Common data flow
- Common database
- Modularity
- Comprehensive
- Capable of updating
- Heavy planning element
- Flexible

 Misconceptions about MIS:

- More data means more information
- Accuracy is highly important
- MIS means only computer-based Information System

 Pre-Requisites Of MIS

Components & activities which help to provide a quality or good MIS

- Database is a super file which consolidates data records formerly stored in many data
files.
- Qualified system and management staff
- Support of top Management
- Control & maintenance of MIS

 Evaluation of MIS

An effective MIS should be capable of meeting the information requirements of executives, and
this can be maintained by evaluating the MIS. Evaluation should take into account the
following points:

- Examining whether enough flexibility exists in the system to cope with any expected or
unexpected information requirement in the future

- Ascertaining the views of users and designers about the capabilities and deficiencies of
the system

- Guiding the appropriate authority about the steps to be taken to maintain effectiveness
of MIS

 Constraints in operating computer-based MIS

- Non-availability of experts who can diagnose the objectives of the organization and
provide the desired direction for installing and operating the system

- Experts usually face the problem of selecting which subsystem of MIS is to be installed and
operated

- Due to the varied objectives of businesses, the approach adopted by experts for designing
and implementing MIS is not standardized

- Non-availability of cooperation from staff is a crucial problem

 Effects of using computers for MIS

- Speed of processing and retrieval of data increases
- Scope of analysis is widened
- Complexity of system design and operation is increased
- Integrates the working of different information subsystems
- Increases effectiveness of information systems
- Provides more comprehensive information

 Limitations of MIS

- Quality of output depends on quality of input
- MIS is not a substitute for effective management
- MIS may not have the requisite flexibility for updates
- MIS cannot provide tailor-made information packages
- MIS ignores non-quantitative factors which have a bearing on the system
- MIS is less useful for making non-programmed decisions

15. Enterprise Resource Planning System (ERP) is a fully integrated business management
system that integrates the core business and management processes to provide an
organization with a structured environment in which decisions concerning demand, supply,
operations, personnel, finance, logistics etc. are fully supported by accurate and reliable
real-time information.

 Objectives

- Provide support for adopting best business practices,
- Implement these practices with a view towards enhancing productivity, and
- Empower the customers and suppliers to modify the implemented business processes to
suit their needs

 Myths on ERP

- "ERP is a computer system" is a myth. ERP is primarily an enterprise-wide system which
encompasses the corporate mission, objectives, attitudes and the people who make up the
organization
- "ERP is relevant only for manufacturing organizations" is a myth

 Characteristics of ERP

- ERP is a flexible system
- ERP is modular and open, which implies that any module can be interfaced or
detached without affecting other modules
- ERP is an integrated system, as it provides data automation
- ERP aims at adopting best business practices

 Features of ERP

- ERP provides multi-platform, multi-facility and multi-usage facilities
- It supports strategic and business planning activities
- It has end-to-end supply chain management to optimize overall demand and supply
- It facilitates an organization-wide integrated Information System covering all functional
areas
- It performs core activities and increases customer service, thereby augmenting the
corporate image
- It bridges the information gap across organizations
- It provides complete integration of systems not only across departments but also across
companies under the same management
- It allows automatic introduction of the latest technologies like EFT, EDI, e-commerce etc.
- It provides intelligent business tools to enable better decision making

 Benefits of ERP

- Better use of organizational resources
- Lower operating costs
- Proactive decision making
- Decentralized decision making
- Enhanced customer satisfaction
- Flexibility in business operations

 Limitations of ERP

- An ERP system provides current status only. Managers need to look beyond current
status to aid better decision making
- The methods used in ERP applications are not integrated with other organizational sub
divisions

16. Management Support Systems (MSS) focus on the managerial uses of information resources
and provide information to managers for planning and decision making. The information
provided by these systems is based on both internal and external data using various data
analysis tools.

 Categories

- Decision Support System
- Executive Information (Support) System
- Expert System

17. Decision Support System (DSS) is a system that provides tools to managers to assist them
in solving semi structured and unstructured problems in their own way. A DSS is not intended
to make decisions for managers, but rather to provide managers with a set of capabilities that
enables them to generate the information required in decision making.

DSS are knowledge-based systems. They allow users to apply their own knowledge to the
solution of problems by using "what-if" analysis.

 Systems that replace human decision making rather than supporting it are called
Programmed Decision Systems. Here, the focus is on doing things more efficiently.

 Characteristics of types of information used in executive decision-making are:

- Lack of structure
- High degree of uncertainty
- Future-oriented
- Obtained from informal source & by observing broad trend

 Typical information a DSS might gather & present

- An inventory of all current information assets of an organization
- Comparative sales figures of one period with another
- Projected revenue figures based on new product sales assumptions
- Consequences of different decision alternatives

 Characteristics of DSS

- They support both semi-structured and unstructured decision making. Semi-structured
and unstructured decisions are those for which information obtained from a computer
system is only a portion of the total knowledge needed to make the decision.

- They are flexible enough to respond to the changing needs of decision makers. Managers
usually do not know in advance what information they need, and even if they do, these
information needs keep changing constantly.

- They are easy to use. A DSS employs user-oriented tools like grids, graphics,
non-procedural languages etc., making it easy for users to conceptualize and
perform the decision making process.

- Used for knowledge-based systems and sensitivity analysis

- Can use any type of data of any structure

 Components of DSS

There are 4 major components of DSS:

- Users do not need a computer background to use a DSS for problem solving. The most
important knowledge is a thorough understanding of the problem and of the factors to be
considered in finding a solution.

Managers are users who have basic computer knowledge and want the DSS to be very
user friendly. Analysts are people who are more detail oriented and willing to use
complex systems in their day-to-day work.

- DSS include one or more Databases that contain both routine and non-routine data
from both internal and external sources. This component provides the inputs for a
DSS problem. DSS users may construct additional databases themselves.

There are 2 types of database in DSS:

 User Database: includes data or inputs collected by user from various sources.
 Corporate Database: includes data values provided by organization’s operational
database.

The database is implemented at three levels:

 Physical level: the implementation of the database on the hard disk.

 Logical level: designed by professional programmers who have complete knowledge of the
DBMS. It deals with the nature of the data stored and its schema; data is logically divided
and stored.

 External level: the schema defined at the logical level is divided into smaller units
known as subschemas.

- Planning Language provides the user interface for structuring problems or creating the model
base. Planning languages provide various functions and features for the efficient solution of
problems. There are two types of planning languages:

 General Purpose Planning Languages provide general functions and features to solve
general-purpose, semi-structured or ad-hoc problems with low data volumes. They allow
users to perform many routine tasks and to tackle a broad range of budgeting, forecasting
and other worksheet-oriented problems.

 Special Purpose Planning Languages are used to solve problems with large data volumes.
They provide special functions and features which help to solve complex functions or
procedures. They are more limited in what they can do, but they usually do certain jobs
better than a GPPL.

- Model Base is the most important component of DSS. It is also known as brain of DSS.
It provides the structure of the problem to be solved by DSS. It performs data
manipulations and computations with the data provided to it by the user and the
database. The analysis provided by the routines in the model base is the key to
supporting user decisions.

 Software Tools Used For Creating DSS

- Database software - back end
- Model-base software - front end

- Statistical Software-Process
- Graphical Software-Output

 Use Of DSS In Accounting Applications

- In capital budgeting applications for investment analysis
- In cost accounting problems
- General budgeting problems
- Portfolio management
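As an added example (not code from these notes), a DSS model base for the first accounting use listed, capital budgeting: an NPV model derived from the decision maker's assumptions, with what-if analysis (override an assumption and re-run the model), a sensitivity table on one assumption showing where the accept/reject decision flips, and a break-even volume search. The project figures in BASE and the shape of the model are constructed assumptions, not figures from the notes.

```python
"""DSS model base for a capital-budgeting decision: an NPV model built from
business assumptions, with what-if and sensitivity analysis over them.
Added example; the project assumptions in BASE are constructed."""


def npv(rate, cash_flows):
    """Net present value: cash_flows[0] is the initial outlay (negative),
    cash_flows[t] the cash flow at the end of period t, discounted at `rate`."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def project_cash_flows(outlay, units, price, unit_cost, years):
    """Model base: derive the project's cash flows from the assumptions the
    decision maker supplies (volume, price, unit cost, horizon)."""
    annual_contribution = units * (price - unit_cost)
    return [-outlay] + [annual_contribution] * years


def what_if(base, **changes):
    """Re-run the model with some assumptions overridden; returns the NPV.
    This is the what-if analysis: the user changes inputs, not the model."""
    params = {**base, **changes}
    rate = params.pop("rate")
    return npv(rate, project_cash_flows(**params))


def sensitivity(base, param, values):
    """Vary one assumption across `values`, holding the others at their base
    level; returns (value, npv, accept) rows showing where the decision flips."""
    rows = []
    for value in values:
        result = what_if(base, **{param: value})
        rows.append((value, round(result, 2), result > 0))
    return rows


def break_even_units(base, lo=0, hi=10**6):
    """Smallest unit volume at which NPV is non-negative, found by bisection
    (NPV rises monotonically with volume when price exceeds unit cost)."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if what_if(base, units=mid) < 0:
            lo = mid
        else:
            hi = mid
    return hi


# Constructed assumptions (not figures from the notes): a five-year project.
BASE = {"rate": 0.10, "outlay": 100000.0, "units": 4000,
        "price": 15.0, "unit_cost": 7.5, "years": 5}

if __name__ == "__main__":
    print("base NPV:", round(what_if(BASE), 2))
    for row in sensitivity(BASE, "rate", [0.08, 0.10, 0.12, 0.16]):
        print("rate %.2f -> NPV %10.2f accept=%s" % row)
    print("break-even volume:", break_even_units(BASE))
```

The separation matters for the DSS characteristics listed earlier: the model base (npv and project_cash_flows) is fixed and reviewable, while the user supplies and varies the assumptions through what_if and sensitivity without touching the model's code.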

18. Executive Information System (EIS) is a DSS that is designed to meet the special needs of
top level managers. EIS incorporates additional capabilities like email.

An executive can probably be described as a manager at or near the top of the organizational
hierarchy who exerts a strong influence on the course taken by the organization.

 Characteristics of EIS

- EIS is a CBIS that serves the information needs of the top executives
- EIS enables users to extract summary data and model complex problems without the
need to learn query languages, statistical formulas or high computing skills
- EIS provide rapid access to timely information and direct access to management reports
- EIS is capable of accessing both internal & external data
- EIS provide extensive online analysis tools
- EIS can easily be given a DSS support for decision making

 Executives’ role in decision making

- Strategic Planning involves determining the general, long range direction of the
organization. Strategic planning addresses the general concerns of the firm.

- Tactical planning refers to how, when, where and what issues involved with carrying out
the strategic plan.

- Major problems sometimes arise that must be resolved by someone at the executive
level. Such fire-fighting activities may call for key alterations in plans.

 Executives’ decision making environment

Executives take decisions that are broad and based on a vision they have, regarding what it
will take to make their company successful. Executives rely much more on their own
intuition rather than on sophisticated analytical skills. The intuitive character of executive
decision making is reflected strongly in types of information found useful to executives.

 Characteristics of types of information used in executive decision making

- Lack of structure
- High degree of uncertainty
- Future oriented

- Informal source
- Low level of detail

 Purpose of EIS

- Support managerial learning about the organization
- Allow timely access to information
- Direct managerial attention to specific business problems

 Contents of EIS
A practical set of principles to guide the design of measures and indicators to be included in
an EIS is presented below:
- EIS measures must be easy to understand & collect
- EIS measures must be based on a balanced view of the organization’s objectives
- Performance indicators in an EIS must reflect everyone’s contribution in a fair and
consistent manner
- EIS measures must encourage management and staff to share ownership of the
organization’s objectives
- EIS information must be available to everyone in the organization
- EIS measures must evolve to meet the changing needs of the organization

19. Expert System is a highly developed DSS that utilizes knowledge generally possessed by an
expert to solve a problem. Expert systems are software systems that imitate the reasoning process
of human experts and provide decision makers with the type of advice they would normally
receive from such human experts.

It provides tools, information and methods for decision making in specific areas and systems to
support training in specialized areas. A characteristic of the Expert System is the ability to
declare or explain the reasoning process that was used to make decisions.

 Need for Expert Systems

- Expert labour is expensive and scarce and companies are faced with shortage of talent
in key positions
- Even knowledgeable people can handle only few factors at a time

 Benefits of Expert System

- It preserves knowledge that might be lost through expert/labour turnover
- It puts information into an active form so that it can be summoned almost like a real-life
expert
- It assists novices in thinking the way professionals do
- It can be effectively used as a strategic tool in the areas of cutting costs and
increasing revenues

 Properties potential applications must possess to qualify for Expert System development

- Availability of one or more experts, capable of communicating how they go about solving
the problem to which the Expert System will be applied

- Solution of the problems for which the expert system will be used is a complex task that
requires logical interface planning

- The domain or subject area of the problem is relatively small and limited to a relatively
well defined problem area

- Solution to the problem requires the efforts of experts

- The solution process must be capable enough to cope with ill structured, uncertain,
missing and conflicting data & dynamic problem solving situations

 Levels of expertise

- Assistant level
- Peer level
- True expert

 Components of an Expert System

- Knowledge Base stores the rules, data and relationships that are used to solve problems
and contains specific facts about the expert area. A set of rules must be developed to
bridge the knowledge bases and resolve any conflicts. The power of a system tends to
be related to the depth and breadth of the knowledge in the knowledge base

- Inference Engine is the main processing element, consisting of the system of programs
that requests data from the user, manipulates the knowledge base and provides a decision
to the user. The inference engine is the active component of an expert system, since it steers
through the knowledge and drives the whole interaction. It chooses rules from the agenda
to fire.

 A Forward chaining mechanism first examines the knowledge base and the
problem at hand, then attempts to discover a solution (reasoning from facts to conclusions)

 In Backward chaining, the inference engine starts with a hypothesis or goal, which it
then checks against the facts and rules in the knowledge base
- Knowledge Acquisition Subsystem is the software component of an expert system that
enables the knowledge engineer to build and refine an expert system’s knowledge base
- User Interface is the method by which an expert system interacts with a user and is
highly interactive
- Explanatory Facility is like a reporting system; it provides an explanation of the logic to
users for the solution arrived at by the expert system.
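To make the difference between forward and backward chaining concrete, here is an added example of a toy inference engine in Python. It is not part of these notes or of any ICAI material; the knowledge base (rule names R1 to R4, and facts about a login event) is constructed for an incident-triage scenario and is purely illustrative.

```python
"""Toy rule-based inference engine: forward chaining vs backward chaining.

Added example, not from the study notes. The rules and facts below are
constructed for an incident-triage knowledge base.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """IF every condition holds THEN the conclusion holds."""
    name: str
    conditions: tuple
    conclusion: str


# Constructed knowledge base (assumed names, for illustration only).
KNOWLEDGE_BASE = (
    Rule("R1", ("login_from_new_country", "many_failed_logins"), "suspicious_login"),
    Rule("R2", ("suspicious_login", "privileged_account"), "escalate_to_ir"),
    Rule("R3", ("suspicious_login",), "force_password_reset"),
    Rule("R4", ("escalate_to_ir",), "notify_on_call"),
)


def forward_chain(rules, facts):
    """Data-driven: fire every rule whose conditions are all known facts,
    repeating until no new conclusion appears.
    Returns (closure of facts, names of rules fired in order)."""
    known = set(facts)
    fired = []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.conclusion not in known and all(c in known for c in rule.conditions):
                known.add(rule.conclusion)
                fired.append(rule.name)
                changed = True
    return known, fired


def backward_chain(rules, facts, goal, _trace=None, _visiting=None):
    """Goal-driven: start from the hypothesis `goal` and work backwards,
    trying to prove each condition of any rule that concludes it.
    Returns (proved, names of rules used); rules tried but not needed are
    dropped from the trace."""
    trace = [] if _trace is None else _trace
    visiting = set() if _visiting is None else _visiting
    if goal in facts:
        return True, trace
    if goal in visiting:            # guard against cyclic rule sets
        return False, trace
    visiting.add(goal)
    for rule in rules:
        if rule.conclusion != goal:
            continue
        sub_trace = []
        if all(backward_chain(rules, facts, c, sub_trace, visiting)[0]
               for c in rule.conditions):
            trace.extend(sub_trace)
            trace.append(rule.name)
            visiting.discard(goal)
            return True, trace
    visiting.discard(goal)
    return False, trace


if __name__ == "__main__":
    # Constructed facts about one login event.
    facts = {"login_from_new_country", "many_failed_logins", "privileged_account"}
    print("forward :", forward_chain(KNOWLEDGE_BASE, facts))
    print("backward:", backward_chain(KNOWLEDGE_BASE, facts, "notify_on_call"))
```

With the three constructed facts, forward chaining fires R1, R2, R3 and R4 and derives every conclusion it can, including the password reset that nobody asked about; backward chaining from the goal `notify_on_call` proves it using only R1, R2 and R4, and if `privileged_account` is absent it reports the hypothesis as unproven without firing anything.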

20. Office Automation Systems (OAS) are among the newest and most rapidly expanding CBIS.
Different office activities can be broadly grouped into the following types: Document capture,
Document creation, Receipts & Distribution; filing, search, retrieval & follow up; calculations &
recording; utilization of resources

 Benefits of OAS

- OAS improves communication within an organization & between organizations
- OAS reduces the cycle time between preparation & receipt of messages
- OAS reduces the cost of office communication both in terms of time spent by executives
& communication links
- OAS ensures accuracy of communication flows

 Computer Based OAS

- Text processing systems are the most commonly used components of the OAS. They
automate the process of developing documents. They reduce keying effort and
minimize the chances of errors in the documents

- Electronic Document Management Systems aim at capturing the information contained
in documents, stored for future reference. They enable executives to access
the documents from remote locations

- Electronic Message Communication Systems offer considerable economy, for example in
terms of reduced time in sending or receiving messages

 Components of Message Communication System

 Electronic mail
 Facsimile (Fax)
 Voice mail

***
02 SYSTEM DEVELOPMENT LIFE
CYCLE METHODOLOGY
1. System Development is that process which takes place in an organization whenever that
organization wants to convert an old system into a new system or wants to upgrade or change
the existing system. It refers to the process of examining a business situation with the intent of
improving it through better procedures and methods. It has 2 major components, System
Analysis & System Design

 System Analysis is the process of gathering & interpreting facts, diagnosing problems and
using the information to recommend improvements to the system

 System Design is the process of planning a new business system or one to replace or
complement an existing system

2. Reasons For Failure of System Development In Organizations

 Lack of senior management support and involvement in Information System development
 User requirements for information technology are constantly changing
 Development of strategic system is difficult due to unstructured nature of decision making
 Lack of standard project management and systems development methodologies
 Over worked or undertrained development staff
 Lack of user participation and resistance to change
 Inadequate testing and user training

3. The System Development Team in the organization is responsible for system development.
The steering committee ensures that ongoing systems development activities are consistently
aimed at satisfying the information requirements of users & managers within the organization.
System Analysts are subsequently assigned to determine user requirements, design the
system and assist in development and implementation activities.

Most Accountants are uniquely qualified to participate in systems development because they
may be among the few people in an organization who can combine knowledge of IT, business,
accounting, internal control, behavior and communications, to ensure that new systems meet
the needs of the user and possess adequate internal controls

4. System Development Methodology is a formalized, standardized, documented set of
activities used to manage a system development project. It refers to the framework that is used
to structure, plan & control the process of developing an Information System.

The methodology is characterized by the following:

 The project is divided into a number of identifiable processes and each process has a
starting point and ending point.

 Specific reports, called Deliverables, are produced periodically during system development
to make development personnel accountable for faithful execution of system development
tasks.
 Users, managers and auditors are required to participate in the project, to provide
approvals, often called Signoffs at pre established management control points. Signoffs
signify approval of the system development process and the system being developed

 System must be tested thoroughly prior to implementation to ensure that it meets user’s
needs

 A training plan is developed for those who will operate and use the system

 Formal program change controls are established to preclude unauthorized changes to
computer programs

 A post implementation review of all developed systems must be performed to assess the
effectiveness and efficiency of the new system and of the development process

5. Approaches to System Development

 Traditional approach or Waterfall approach
 Prototyping approach
 Incremental approach
 Spiral approach
 End user approach
 Rapid Application Development
 Agile Methodologies

These approaches are not mutually exclusive.

6. In the Traditional Approach of system development, activities are performed in sequence. In
this approach an activity is undertaken only when the prior step is fully completed.

 Project is divided into sequential phases, with some overlap and splashback acceptable
between phases
 Emphasis is on planning, time schedules, target dates, budgets and implementation of an
entire system at one time
 Tight control is maintained over the life of the project through the use of extensive written
documentation and through formal reviews and signoff by the user
 Popular and usable approach. Used primarily to develop large & complex IS
 All steps of SDLC are followed as it is
 Initial traditional approach was based on principle that there will be no error in previous step
of SDLC
 Later, the old approach was modified to include feedback to rectify errors in previous
phases
 Latest traditional approach has been further modified to simultaneously starting 2 or more
phases to cut time
 Also known as WATER FALL APPROACH

7. The goal of Prototyping approach is to develop a small or pilot version, called a prototype, of
part or all of a system. A prototype is a usable system or system component that is built
quickly and at a lesser cost, with the intention of modifying or replacing it by a full scale and
fully operational system. Once a prototype is developed that satisfies all user requirements, either
it is refined & turned into the final system or it is scrapped.

Prototyping can be viewed as a series of four steps, wherein implementation & maintenance
phases take place once the prototype model is tested and found to meet user’s requirements.
The steps are:

a. Identify the Information System requirement
b. Develop the initial prototype
c. Test & revise
d. Obtain user signoff of the approved prototype

 Prototype approach has the following advantages

- Helps to determine exact requirement
- Helps to provide input & output formats in advance
- Helps to ensure success of system
- Helps in sorting technical issues of System Development

 Prototype approach has the following disadvantages

- Time consuming
- Causes inefficient System Development
- Disappointment to user

 Situations where prototyping model cannot be used

- Diffused users
- Level of confidentiality required is high
- Time factor

8. The Incremental Model is a method of software development where the model is designed,
implemented and tested incrementally until the product is finished. The product is defined as
finished when it satisfies all of its requirements

9. The Spiral Model is a software development process combining elements of both design and
prototyping in stages, in an effort to combine advantages of Top down and Bottom Up
concepts. It is a system development model (SDM) which combines the features of prototyping
model and the waterfall model and is intended for large, expensive & complicated projects.

 The new system requirements are defined in as much detail as possible

 A preliminary design is created for the new system. Here, all possible alternatives, that can
help in developing a cost effective project are analyzed and strategies are decided to use
them

 A First Prototype of the new system is constructed from the preliminary design

 A Second Prototype is then evolved by evaluating the first prototype, defining further
requirements and planning, designing, constructing & testing it

TOP DOWN APPROACH
- Those systems which satisfy organization objectives or which help top management in its
working are procured first
- Top management is involved in System Development
- Once a system is developed for top management, the system is extended to satisfy the
requirements of operational executives

BOTTOM UP APPROACH
- Those systems which help operational executives in day to day operations are procured
first
- Operational executives help in System Development
- Once a system is developed, it is extended to satisfy the requirements of top management

10. In End User Approach, the user specifies requirements from the system and accordingly, the user
procures or develops the system. It is low cost & easy to use. Disadvantages include the fact that the
user cannot specify all requirements, lack of integration among all systems in the organization
and lack of complete use of the new system

11. SD Approach in Small Organizations is an easy to use and low cost approach. Following are
the steps to be used:

a. Organization determines its requirements for a system
b. Organization evaluates various software available in market, which can satisfy its
requirements
c. Organization selects the software and procures the required hardware accordingly
d. Organization implements the software & hardware for system use.

12. Rapid Application Development (RAD) refers to a type of software development
methodology which uses minimal planning in favour of rapid prototyping. The “Planning” of
software developed using RAD is interrelated with writing the software itself. The lack of
extensive pre planning generally allows software to be written much faster and makes it easier
to change requirements. The aim is to produce high quality systems quickly, primarily through
the use of iterative prototyping, active user involvement and computerized development tools.
RAD includes Joint Application Development where users are intensely involved in system
design, either through consensus building or interaction. RAD produces documentation
necessary to facilitate future development & maintenance. RAD is the latest system
development approach, to develop complex systems rapidly or in a lesser time. This approach
is an extension of the traditional system development approach. Here, instead of developing
software by analysts & developers on a standalone basis, a joint application process /
approach is followed by involving the user as a part of development.
a. In this approach, system development work is organized into workshops with the following
components:

* Users
* Analysts
* Developers
* Computer Aided Software Engineering (CASE) tools
* Previously developed applications

b. These components help to develop applications rapidly by using the following process

* Document the requirements of the user
* Design the system
* Develop the system
* Test the system
* Jointly develop the application
* Satisfy the requirements of the user

All the above processes are iterative and continue till the final product is out for use.

 Assumptions of RAD

- Requirements can be specified accurately only after many iterations
- The application is its own model
- Design and testing are iterative processes
- The application is always complete, but never finished
- Empowerment of users is crucial to development of the system

 Components of RAD

- Joint Application Development
- Rapidity of development
- JAD workshops / discussions usually take place at Clean Rooms, which are places
away from the normal office environment and which are free from any routine work
interruptions
- RAD project control involves scoping the project by prioritizing and defining delivery
deadlines, which are called Time Boxes
- Incremental Prototyping

 Limitations of RAD

- RAD can be applied only in the construction of applications that are highly interactive
and have clearly defined user groups
- RAD techniques cannot be used for large & distributed systems
- RAD causes duplication of corporate information and inconsistency in the way that it is
held
- RAD applications tend to be inefficient in their use of IT hardware
- The inherent risk involved in RAD is that system controls might be overlooked or
compromised in the interests of expediency

13. Systematic Approach to system development is suitable to small firms and own work areas. It
consists of the following steps

 Identify information processing requirements
 Locate, evaluate and secure suitable software
 Locate, evaluate and secure suitable hardware on which the above system can be run
 Implement the system

14. Agile Software movements provide a conceptual framework for undertaking software
engineering projects. Agile Methods attempt to minimize risks by developing software in short
time boxes called Iterations. Each one is like a miniature software project of its own and
includes all of the tasks necessary to release the mini-increment of new functionality.

Characteristics of Agile methodology

 Iterative with short cycles, enabling fast verifications and corrections
 Time bound iterative cycles
 Modularity at development process levels
 People oriented
 Collaborative and communicative working style
 Incremental and convergent approach that minimizes risks and facilitates functional
additions

15. System Development Life Cycle (SDLC) framework provides system designers and
developers with a sequence of activities to follow. SDLC is document driven, which means that at
crucial stages during the process, documentation is produced. A phase of the SDLC is not
complete until the appropriate documentation is produced. These are known as deliverables. A
Deliverable may be a substantial written document, a software artifact, a system test plan or
an object that has been ordered and delivered.

SDLC emphasizes the parallel nature of some of the activities and presents activities such as
system maintenance as an alternative to a complete redesign of an existing system.

 Advantages of SDLC

- Better planning and control by the project managers
- Compliance to prescribed standards ensuring better quality
- Documentation is an important measure of communication and control
- Phases are important milestones and help the project manager and user for review and
signoff

 Advantages from perspective of Information System Audit

- The Information Systems Auditor can have clear understanding of the various phases in
the SDLC on the basis of detailed documentation created
- The Information Systems Auditor on the basis of examination, can state in his report
about the compliance by the Information System management of procedures set, if any
- The Information Systems Auditor, if technically qualified, can be a guide during the
various phases of SDLC
- The Information Systems Auditor can provide an evaluation of the methods and
techniques used through the various development phases of SDLC

 Risks associated with SDLC (Shortcomings)

- Development team may find it cumbersome
- Users may find that the end product is not visible for a long time
- Rigidity of approach may prolong the duration of many projects
- It may not be suitable for small and medium sized projects

SDLC can be thought as a set of activities that analysts, designers and users carry out to
develop and implement an Information System.

16. Phases in SDLC

a. Preliminary Investigation involves determining and evaluating the strategic benefits of the
system and ensuring that solution fits the business strategy. It also includes cost benefit
analysis of the proposed system

b. Systems Requirement Analysis analyses the type of the system on the basis of the user
requirements

c. Systems Design involves designing in terms of user interface, data storage and data
processing functions on the basis of the requirement phase by developing the system
flowcharts, system and data flow diagram, screens and reports

d. System Development / Programming implies programming the system as designed and
conducting continuous testing & debugging

e. System Testing involves conducting various kinds of tests before the developed system is
implemented

f. System Implementation means final testing and quality of controls audit, acceptance by
management and users before migration of the system to the live environment and data
conversion from legacy system to the new system
g. Post Implementation Review and Maintenance involves continuous evaluation of the
system as it functions in the live environment, and its updation as required.

17. PRELIMINARY INVESTIGATION

 Objective is to determine and analyze the strategic benefits in implementing the system
through evaluation & quantification of related factors.
 Steps in Preliminary Investigation

- Identification of problem
- Identification of objectives
- Delineation of scope
- Feasibility Study

 Identification of Problem is to define the problem clearly and precisely and is done only
after several rounds of discussions with the user group. The purpose of preliminary
investigation is to evaluate the project request. It is neither a detailed study nor does it include
the collection of details to completely describe the business system. It relates to collection
of information that permits committee members to evaluate the merits of the project request
and make an informed judgment about the feasibility of the project.

 After the identification of the problem, it is easy to work out the Objectives of the proposed
solution. The analyst working on the preliminary investigation should accomplish the
following objectives:

- Clarify & understand the project request
- Determine the size of the project
- Determine the technical & operational feasibility of alternative approaches
- Assess the costs & benefits of alternative approaches
- Report findings to the management

 Delineation of Scope. The scope of a solution defines its boundaries. It should be clear &
comprehensible to the user and management, stating what will be addressed by the solution
and what will not. The following questions should be answered while stating the scope:

- Functionality requirements
- Data to be processed
- Control requirements
- Performance requirements
- Constraints
- Interfaces
- Reliability requirements

 Methods to analyze the scope of the projects:

- Reviewing internal documents to obtain information about the organization involved
in, or affected by, the project
- Conducting interviews to get user feedback and an idea on the merits of the existing
system

 Feasibility Study refers to a process of evaluating alternative systems through cost benefit
analysis so that the most feasible and desirable system can be selected for development.

Project feasibility is the likelihood that these systems will be useful for the firm. System
analysts conduct a feasibility study to see whether the systems developed serve these
purposes.

Feasibility is evaluated under the following dimensions:

o Technical
o Financial
o Economic
o Time
o Resources
o Operational
o Behavioral
o Legal

Costs are of three types:

- Development costs include the costs of the development process and other start up costs
- Operating costs include hardware, software rental, maintenance of assets etc.
- Intangible costs are costs that cannot be easily measured. They are difficult to measure but
are related to the system
18. SYSTEM REQUIREMENT ANALYSIS

 Objective includes a thorough and detailed understanding of the current system, identify
the areas that need modification to solve the problem, the determination of user
requirements and to have a fair idea about various system development tools

 Fact Finding Techniques. Every system is built to meet some set of needs. To assess
these needs, the analysts often interact extensively with the people who will benefit
from the system, in order to determine their requirements.

Some fact finding techniques are:

- Documents
- Questionnaires
- Interviews
- Observations

 Analysis of the Present System involves collecting, organizing and evaluating facts about
the system and the environment in which it operates. There should be enough information
assembled so that a qualified person can understand the present system without visiting
any operating departments. The following areas should be studied in depth:

- Review historical aspects
- Analyze inputs
- Review data files maintained
- Review methods, procedures and data communications
- Analyze outputs
- Review internal controls
- Model the existing physical system and logical systems
- Undertake overall analysis of the present system

 In Systems Analysis of Proposed Systems, the proposed system specifications must be
clearly defined and the desired objectives set forth at the first stage of study. Consideration
should be given to the strengths and shortcomings of the present system. The required
system specifications, which should be in conformity with the project’s objectives, are as
follows:

- Outputs Produced, with great emphasis on timely managerial reports that utilize the
“management by exception” principle
- Database maintained with great accent on online processing capabilities
- Input data
- Methods & procedures
- Work volumes and timings, carefully considered for present and future periods, including
peak periods

The future workload of the system must be defined for inputs, database and output in terms
of average and peak loads, cycles & trend

 System Development Tools are techniques developed to improve current Information
Systems and develop new ones. Such tools help to

a) Conceptualize, clarify, document and communicate the activities and resources involved
in the organization and Information System
b) Analyze present business operations, management decision making and information
processing activities of the organization
c) Propose and design new or improved Information Systems to solve business problems
or pursue identified business opportunities

19. Major categories of System Development Tools

 System components and flows help the system analysts to document the data flow
among the major resources and activities of an Information System.

 User interface. Designing the interface between end users and the computer system is a
major consideration of a system analyst while designing the new system.

 Data attributes and relationships. The data resources in Information System are defined,
catalogued and designed by this category of tools.

¤ Data Dictionary catalogs the description of the attributes of all data elements and their
relationships to each other as well as to external systems
¤ Entity relationship diagrams are used to document the number and type of relationship
among the entities in the system
¤ File layout forms document the type, size and names of the data elements in the system
¤ Grid charts help in identifying the use of each type of data element in input / output or
storage media of a system

 Detailed systems processes are used to help the programmer develop detailed
procedures and processed required in the design of a computer program.

 System Development Tools

Structured English also known as Program Design Language or Pseudo Code is the use
of English language with the syntax of structured programming. It aims at getting
benefits of both the programming logic and natural language. Program logic helps attain
precision and natural language helps in getting the convenience of spoken language. It
consists of the following elements:

 Operation statements written as English phrases
 Conditional blocks indicated by keywords such as IF, THEN and ELSE
 Repetition blocks also indicated by keywords DO, WHILE and UNTIL

Flowchart is a graphic technique that can be used by analysts to represent the inputs,
outputs and processes in a pictorial form. The categories include Document Flowchart,
Data Flowchart, System Flowchart and Program Flowchart

Data flow diagrams use few simple symbols to illustrate the flow of data among external
entities, processing activities and data storage elements. A DFD is composed of four
basic elements

 People and organizations that send to and receive data from the system are
represented by square boxes called Data Sources & Destinations
 Data Flow represents the flow of data into or out of a process by lines with arrows

 The processes that transform data from inputs to outputs are represented by circles
and are known as Transformation Processes
 Data Stores handles storage of the data and is represented by two horizontal lines

Decision tree is a support tool that uses a tree like graph or model of decisions and their
possible consequences, including chance event outcomes, resource costs and utility.

Decision table is a table which may accompany a flowchart, defining the possible
contingencies that may be considered with the program and the appropriate course of
action for each contingency. The parts of a decision table are as follows:

 Condition Stub which comprehensively lists the comparisons or conditions
 Action Stub which comprehensively lists the actions to be taken along the various
program branches
 Condition Entries which list in its various columns the possible permutations of the
answers
 Action Entries which list, in the columns corresponding to the condition entries, the
actions contingent upon the set of answers to the questions of that column
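The four parts of a decision table map directly onto a small data structure, and once they do, two checks an auditor or reviewer would want become mechanical: is every combination of conditions covered by some rule (completeness), and is no combination covered by two rules (ambiguity). The following added example, not part of these notes, shows both in Python. The table itself is constructed: it decides how to handle an access request from three yes/no conditions, and the condition names, rule names R1 to R4 and action names are assumptions for illustration.

```python
"""Decision table evaluator with completeness and ambiguity checks.

Added example, not from the study notes. The table contents are constructed.
"""
from itertools import product

# Condition stub: the questions asked, in a fixed order.
CONDITION_STUB = ("authenticated", "mfa_passed", "resource_sensitive")

# Action stub: the actions that may be taken.
ACTION_STUB = ("grant", "require_mfa", "deny", "log_event")

# Condition entries: one column per rule. True = Y, False = N, None = '-' (don't care).
CONDITION_ENTRIES = {
    "R1": (False, None, None),   # not authenticated
    "R2": (True, False, True),   # authenticated, no MFA, sensitive resource
    "R3": (True, True, True),    # authenticated, MFA done, sensitive resource
    "R4": (True, None, False),   # authenticated, non-sensitive resource
}

# Action entries: the actions marked 'X' in each rule column.
ACTION_ENTRIES = {
    "R1": ("deny", "log_event"),
    "R2": ("require_mfa", "log_event"),
    "R3": ("grant", "log_event"),
    "R4": ("grant",),
}


def _matches(entry, values):
    """A rule column matches when every non-'don't care' entry equals the answer."""
    return all(e is None or e == v for e, v in zip(entry, values))


def matching_rules(answers, entries=CONDITION_ENTRIES):
    """Names of the rule columns whose condition entries match `answers`
    (a dict keyed by condition name with True/False values)."""
    values = tuple(answers[c] for c in CONDITION_STUB)
    return [name for name, entry in entries.items() if _matches(entry, values)]


def decide(answers, entries=CONDITION_ENTRIES, actions=ACTION_ENTRIES):
    """Apply the table: exactly one rule must match, and its actions are returned."""
    rules = matching_rules(answers, entries)
    if len(rules) != 1:
        raise ValueError(f"expected exactly one applicable rule, got {rules}")
    return actions[rules[0]]


def check_table(entries=CONDITION_ENTRIES):
    """Enumerate every Y/N combination of the condition stub and report the
    combinations no rule covers (incomplete table) and the combinations more
    than one rule covers (ambiguous table). Both lists empty means the table
    is sound."""
    uncovered, overlapping = [], []
    for combo in product((True, False), repeat=len(CONDITION_STUB)):
        hits = [name for name, entry in entries.items() if _matches(entry, combo)]
        if not hits:
            uncovered.append(combo)
        elif len(hits) > 1:
            overlapping.append(combo)
    return uncovered, overlapping


if __name__ == "__main__":
    request = {"authenticated": True, "mfa_passed": False, "resource_sensitive": True}
    print("actions:", decide(request))
    print("uncovered / overlapping:", check_table())
```

Because `check_table` takes the condition entries as a parameter, the same routine can be run against a table with a rule column missing (it lists the uncovered combinations) or with an over-broad column added (it lists the combinations that now match twice), which is exactly the review a decision table should get before the program branches it describes are coded.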

CASE tools refer to the automation of anything that humans do to develop systems and
support virtually all phases of traditional system development process. An ideal CASE
system would have an integrated set of tools and features to perform all aspects in the
life cycle.

System Component matrix provides a matrix framework to document the resources
used, the activities performed and the information produced by an Information System. It
can be used as an Information System framework for both system analysis and system
design, and views the Information System as a matrix of components

Data dictionary is a computer file that contains descriptive information about the data
items in the files of a business Information System. A data dictionary is a computer file
about data.

Accountants and auditors can also make good use of data dictionary. A data dictionary
can help establish an audit trail because it can identify the input sources of data items,
the computer programs that modify particular data items and the managerial reports on
which of the data items are output. When an accountant is participating in the design of
a new system, a data dictionary can also be used to plan the flow of transaction data
through the system.

Layout form and Screen Generator are used, for printed reports, to format or paint the
desired layouts and content without having to enter complex formatting information.

Menu generator outlines the functions which the system is aimed to accomplish. Report
Generator has the capacity of performing similar functions as found in screen
generators. Code generator allows the analyst to generate modular units of source code
from the high level specifications provided by the system analyst and play a significant
role in the system development process.

 Systems Requirement Specifications (SRS) is a document prepared by the system
analyst and contains the following.

Goals & Objectives of the software content of the CBIS
Information description, problem description & information content, flow & structure
Functional descriptions, interplay among functions and design constraints
Behavioral description and response to external & internal controls
Classes of tests to be performed to validate functions, performance and constraints

SRS review reflects the development team’s understanding of the existing processes.

20. Roles involved in SDLC

1) Some of the functions of the Steering committee are as follows

- To provide overall direction and ensure appropriate representation of affected parties
- To be responsible for all cost and timetables
- To conduct regular review of progress of the project
- Taking corrective actions like rescheduling, re-staffing, change in project objectives and
need for redesigning

2) Project manager is normally responsible for delivery of the project within time and budget
and periodically reviews the progress of the project

3) Project leader is dedicated to a project and has to ensure its completion and fulfillment of
its objectives

4) Systems / Business analysts’ main responsibility is to conduct interviews with the users
and understand their requirements and plays a vital role in requirements analysis and
design phase

5) A project is divided into several manageable modules, and the development responsibility
for each module is assigned to Module / Team leaders. They are responsible for the
delivery of tested modules within stipulated time and cost.
6) Programmer / Coder / Developer is an individual who converts designs into programs by
coding using the programming language and tests the program for debugging

7) Database Administrator is a specialist who maintains the data in a database environment.
He handles multiple projects, ensures the integrity and security of the information stored
and helps the application development team in database performance issues.

8) Quality assurance team sets the standards for development and checks compliance with
these standards by project teams on periodic basis.

9) Tester is a junior level quality assurance person attached to a project who tests
programs and subprograms as per the plan given by module leaders and prepares test
reports

10) Domain specialist helps the project team to develop new applications in a field that is new
to them. He need not have the knowledge of software system.

11) Information Systems Auditor ensures that the application development also focuses on
the control perspective. He is involved in the design phase as well as the testing phase to
ensure existence and operations of the controls in the new software.

21. SYSTEMS DESIGN

 This phase describes the parts of the system and their interactions, sets out how the
system shall be implemented using the chosen hardware, software and network facilities,
specifies the program and database specifications and the security plan, and further specifies
the change control mechanism to prevent uncontrolled entry of new requirements.

 Objective is to design an Information System that best satisfies the user’s requirements.

 Activities include describing inputs and outputs; determining the processing steps and
computation rules for the new solution; determining database system design; preparing
program specifications and internal & external controls.

 System design involves first Logical Design and then Physical Construction of a system.
The Logical Design of an Information System is like an engineering blueprint; it shows
major features of the system and how they are related to one another. Physical construction
produces the program software, files and a working system.

 The design phase involves the following steps:

- Architectural design;
- Design of data / information flow;
- Design of database;
- Design of user interface;
- Physical design; and
- Design and acquisition of the hardware / software system platform

 Architectural design deals with the organization of applications in terms of a hierarchy of modules and sub-modules. It is made with the help of a tool called Functional Decomposition, which can be used to represent hierarchies. It has three elements: a Module, represented by a box; a Connection, represented by an arrow; and a Couple, which is a data element that moves from one module to another and is shown by an arrow with a circular tail.

 In designing the data / information flow for the proposed system, the inputs required are the existing data / information flow, the problems with the present system and the objectives of the new system.

 Design of database involves determining its scope ranging from local to global structures.
The scope is decided on the basis of interdependence among organizational units. The
design of database involves four major activities. They are:

 Conceptual modeling describes the application domain via objects, the attributes of these objects, the static and dynamic constraints on these objects and their relationships.

 Conceptual models need to be translated into Data models so that they can be
accessed and manipulated by both high level and low level programming languages

 Storage structure design. Decisions must be made on how to classify and partition the
data structure so that it can be stored on some device.

 Physical layout design. Decisions must be made on how to distribute the storage
structure across specific storage media and locations.

 Design of user interfaces involves determining the ways in which users will interact with the system. Designing computer output should proceed in an organized, well thought out manner. The right output must be developed while ensuring that each output element is designed so that users will find the system easy to use.

Input design objectives consist of developing specifications and procedures for data preparation, developing the steps necessary to put transaction data into a usable form for processing, and data entry.

Output design objectives include conveying information about past activities, current status or projections of the future; signalling important events, opportunities, problems or warnings; triggering an action; and confirming an action.

Important factors in Input / Output Design

 Content refers to the actual pieces of data to be gathered to produce the required output
to be provided to users

 Timeliness refers to when users need outputs, which may be on a regular periodic basis

 Input Format refers to the manner in which data are physically arranged and Output
Format refers to the arrangement referring to data output on a printed report or screen

 Input – Output Media / Medium refers to the physical device used for input & storage of
output

 Form refers to the way information is entered on the input form and the way content is presented to users in the various output forms

 Input / Output Volume refers to the amount of data entered into the computer system or the amount of data output required at any one time

 For the Physical Design, the logical design is transformed into units, which in turn can be decomposed further into implementation units such as programs and modules. During physical design, the primary concern of the auditor is effectiveness and efficiency issues. The auditor should seek evidence that designers follow some type of structured approach and assess the relative performance of design alternatives via simulations when they undertake practical design.

Design Principles:

- Design two or three alternatives and choose the best one on pre-specified criteria
- Design should be based on analysis
- Software functions designed should be directly relevant to business activities.
- Design should follow standards laid down
- Design should be modular

A Module is a manageable unit containing data and instructions to perform a well defined task. Interaction among modules is based on well defined interfaces. Modularity is measured by two parameters: Cohesion, the manner in which elements within a module are linked, and Coupling, the measure of interconnection between modules. In a good modular design, cohesion will be high and coupling low.
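Coupling is easiest to reason about when it is measured. The script below is added here as an illustration and is not part of these notes or of any tool they describe: it derives fan-out (how many sibling modules a module depends on) and fan-in (how many depend on it) from the import statements of a set of modules, and goes one step beyond the text by also computing Martin's instability ratio I = Ce / (Ca + Ce), which is 0 for a module everything depends on and 1 for a module nothing depends on. The module sources in `SAMPLE_SOURCES` are constructed for the example, and the names `coupling` and `instability` are chosen here.

```python
import ast

# Added example for these notes (not from any tool the notes describe): measure
# coupling between modules from their import statements.

# Constructed sample sources for a small payroll application.
SAMPLE_SOURCES = {
    "db": "import logging\n\ndef query(sql):\n    return []\n",
    "audit": "import db\n\ndef log(event):\n    db.query('insert ...')\n",
    "payroll": "import db\nimport audit\nfrom tax import compute_tax\n\ndef run():\n    pass\n",
    "tax": "import db\n\ndef compute_tax(gross):\n    return gross * 0.2\n",
    "ui": "import payroll\nimport audit\nimport db\nimport tax\n",
}


def imported_modules(source):
    """Return the set of top-level module names imported by `source`."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return names


def coupling(sources):
    """Fan-out (Ce) and fan-in (Ca) per module, counting only modules in `sources`.

    Standard-library or third-party imports are ignored so that the numbers
    describe the interconnection inside the application itself.
    """
    internal = set(sources)
    fan_out = {m: imported_modules(src) & internal for m, src in sources.items()}
    fan_in = {m: set() for m in internal}
    for m, deps in fan_out.items():
        for d in deps:
            fan_in[d].add(m)
    return ({m: len(v) for m, v in fan_out.items()},
            {m: len(v) for m, v in fan_in.items()})


def instability(sources):
    """Martin's instability I = Ce / (Ca + Ce); 0 = stable, 1 = fully dependent."""
    out, inn = coupling(sources)
    return {m: (out[m] / (out[m] + inn[m])) if out[m] + inn[m] else 0.0
            for m in sources}


if __name__ == "__main__":
    out, inn = coupling(SAMPLE_SOURCES)
    for m in SAMPLE_SOURCES:
        print("%-8s fan-out=%d fan-in=%d I=%.2f" % (m, out[m], inn[m], instability(SAMPLE_SOURCES)[m]))
```

Run against the sample, `db` has fan-out 0 and fan-in 4 (I = 0.0, a stable module that must be changed with care) while `ui` has fan-out 4 and fan-in 0 (I = 1.0); `payroll`, at I = 0.75, is the module whose four connections make it the hardest to test in isolation.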

 The new Hardware / System Software Platform required to support the application
system will then have to be designed. Auditors should be concerned about the extent to
which modularity and generality are preserved in the design of the hardware / system
software platform.

22. SYSTEM ACQUISITION

 This phase relates to the acquisition of hardware, software and services


 Management should establish Acquisition Standards, which address the same security and reliability issues as development standards. They should focus on:

- Ensuring that security, reliability and functionality are already built into a product
- Ensuring that products being acquired are compatible with existing systems
- Including invitations-to-tender and requests-for-proposals
- Ensuring that functional, security and operational requirements are accurately identified and clearly defined in the RFP

 Acquiring hardware and software is critical to the success of the system development
project.

- In case of Hardware Acquisition, the management can rely on time tested selection
techniques. The management depends upon the vendor for support services, education
& training etc.

- The determination of Software Requirements by the analysts helps the system development team decide what type of application software is needed and, consequently, the degree of processing the system needs to handle.

- Contracts between an organization and a vendor should clearly describe the rights and responsibilities of the parties to the contract. The use of unlicensed software or violation of a licensing agreement exposes the organization to possible litigation.

- Evaluating the vendors' proposals is necessary because each vendor offers a different configuration. The following factors should be considered in a rigorous evaluation:

¤ The performance capability of each proposed system in relation to its cost
¤ The costs and benefits of each proposal
¤ Maintainability of each proposal
¤ Vendor support

- Validation of proposals – methods:

¤ Checklists
¤ Point scoring analysis
¤ Public evaluation reports
¤ Benchmarking
¤ Test problems

 Advantages of using pre written application packages

- Rapid implementation
- Low risk
- Reliable quality
- Low cost

23. DEVELOPMENT: PROGRAMMING TECHNIQUES AND LANGUAGES

 Objective is to convert the specification into a functioning system

 Activities include writing, testing and documenting application programs and conducting system testing

 Deliverable is a fully functional and documented system

 Characteristics of a good coded program

- Reliability refers to the consistency maintained by the program over a period of time

- Robustness refers to taking into account all possible inputs and outputs of a program

- Accuracy refers to what a program must and must not do

- Efficiency refers to performance, which should not be unduly degraded by an increase in inputs

- Usability refers to a user friendly interface

- Readability refers to the ease of maintenance of program

 Program coding standards serve as a method of communication between teams, amongst the team members and users, thus working as a good control. They minimize system development setbacks due to programmer turnover. They provide simplicity, efficient utilization of storage and least processing time

 Programming languages commonly used are as follows

- High level general purpose programming languages like COBOL and C
- Object oriented languages like C++ and Java
- Scripting languages like JavaScript and VBScript
- Decision support or expert system languages like PROLOG

Important criteria for selection of a programming language include the application area, algorithmic complexity, environment of execution, performance considerations, data structure complexity, knowledge of the software development staff and capability of in house staff for maintenance.

 Program debugging is the most primitive form of testing activity; it refers to correcting programming language syntax and diagnostic errors so that the program compiles cleanly. Debugging consists of the following four steps:

- Inputting the source program to the compiler;
- Letting the compiler find errors in the program;
- Correcting the lines of code that are erroneous; and
- Resubmitting the corrected source program as input to the compiler

 Testing the program should include the testing of all possible exceptions. A log of test
results and all conditions successfully tested should be kept.

 Program documentation should be carefully reviewed to ensure that the software and the
system behave as the documentation indicates. It should also be reviewed for
understandability.

 Program maintenance is usually done by a separate category of programmers called maintenance programmers.

24. SYSTEM TESTING

Testing is a process used to identify the correctness, completeness and quality of developed computer software. Testing should systematically uncover different classes of errors in a minimum amount of time and with a minimum amount of effort. Testing also enables the user to judge the reliability and quality of the software developed.

For types of testing, refer chapter 04

25. SYSTEM IMPLEMENTATION

The process of ensuring that the Information System is operational and then allowing the users
to take over its operation for use and evaluation is called System Implementation. It includes all
those activities that take place to convert from the old system into the new system.

 Objective is to implement the new system

 Activities are as follows

- Conversion of data into the new system files
- Training of end users
- Completion of user documentation
- System changeover
- Evaluation of the system at regular intervals

 Deliverable is a fully functional and documented system in its operational environment

 Activities during the implementation stage

 Equipment installation refers to the process of installing the hardware required to support the new system and testing it. This includes the following activities:

‡ Site preparation refers to the setting up of the requisite infrastructure at a predetermined location
‡ Installation of hardware & software
‡ Equipment check-out means that the equipment must be turned on and tested under normal operating conditions.

 Training personnel is a major component of system implementation. This is imparted through classes organized by the vendor and through hands-on training techniques.

 System implementation conversion strategies require careful planning to establish the basic approach to be used in the actual changeover. Types of implementation strategies are as follows:

‡ Direct implementation is achieved through an abrupt takeover. Here, changeover is done in one operation, completely replacing the old system in one go.

‡ Phased implementation can be staged, with conversion to the new system taking place by degrees. If each phase is successful then the next phase is started, eventually leading to the final phase of implementation.

‡ Pilot implementation replaces the old system with the new system in one operation, but only on a small scale.

‡ Parallel implementation is considered more secure, with both systems running in parallel over an introductory period. After that period, the old system is stopped and the new system takes over.

 Activities involved in conversion must be completed successfully to convert from the previous system to the new Information System. These activities can be classified as follows:

‡ Procedure conversion. Operating procedures must be completely documented for the new system, covering both computer operations and functional area operations.

‡ File conversion should be started long before programming and testing are completed because of its large volume. File conversion must be thoroughly tested in order to ensure accurate conversion.

‡ System conversion refers to conversion of the daily processing routines from the old to the new system. All transactions initiated after this time are processed on the new system.

‡ Scheduling personnel and equipment for a new system for the first time is a difficult task for the system manager. Schedules should be set up by the system manager together with the managers of the operational units serviced by the equipment.

26. POST IMPLEMENTATION REVIEW AND SYSTEM MAINTENANCE

 Objective is to assess and review the complete working solution.

 System maintenance activities are as follows:

- Adding new data elements;
- Modifying reports;
- Adding new reports; and
- Changing calculations

 Deliverable is a document stating the scope of further improvements

 A Post Implementation Review (PIR) answers the question "Did we achieve what we set out to do in business terms?" PIR ascertains the degree of success of the project, the extent to which it met its objectives and addressed the specific requirements as planned.

It should be scheduled some time after the solution has been deployed. The Information System is evaluated on two dimensions: whether the newly developed system is operating properly and whether the user is satisfied with the Information System with regard to the reports it supplies.

 Evaluation of systems

‡ Development evaluation is primarily concerned with whether the system was developed on schedule and within budget.

‡ Operation evaluation pertains to whether the hardware, software and personnel are capable of performing their duties. It is relatively straightforward if evaluation criteria are established in advance.

‡ Information evaluation. This aspect of system evaluation is difficult and cannot be conducted in a quantitative manner. The extent of information provided by the system is the area of concern in evaluating the system.

 System Maintenance is an important aspect of the SDLC. Most Information Systems require at least some modification after development. The need for modification arises from the failure to anticipate all requirements during system design. Classifications include:

‡ Scheduled maintenance is anticipated and can be planned for.

‡ Rescue maintenance refers to previously undetected malfunctions that were not anticipated but require immediate solution.

‡ Corrective maintenance deals with fixing bugs in the code or defects found.

‡ Adaptive maintenance consists of adapting software to changes in the environment, such as the hardware or the operating system.

‡ Perfective maintenance mainly deals with accommodating new or changed user requirements and concerns functional enhancements to the system and activities to increase the system's performance or to enhance the user interface.

‡ Preventive maintenance concerns activities aimed at increasing the system's maintainability, such as updating documentation, adding comments and improving the modular structure of the system.

27. OPERATION MANUAL

It is a technical communication document intended to give assistance to people using a particular system. It is usually written by a technical writer, although user guides are also written by programmers, product or project managers or other technical staff, particularly in small companies.

28. ORGANIZATIONAL STRUCTURE OF IT DEPARTMENT

 Line Management Structure: The Information System management subsystems in the organization attempt to ensure that the development, implementation, operation and maintenance of information systems proceed in a planned and controlled manner. Levels in the line management structure include:

¤ Top management must ensure that the data processing installation is well managed and is primarily responsible for the long run policies that affect the future of computers in the organization

¤ Information System management has overall responsibility for planning and control of all computer activities and also provides inputs to top management's long run policy decision making

¤ System development management is responsible for the design, implementation and maintenance of application systems.

¤ Programming management is responsible for programming new systems, maintaining old systems and providing general systems support software

¤ Data administration is responsible for the control and use of an organization's data, including the database and library applications of the system.

¤ Security administration is responsible for the physical security of the data processing installation and the Information System programs

¤ Operations management controls the day to day operations of the data processing systems.

¤ Quality assurance management undertakes an in-depth quality assurance review of data processing in each application system. The review involves a detailed check of the authenticity, accuracy and completeness of input, processing and output.

 Project Management Structure: Project requests are submitted to and prioritized by the
steering committee. The project manager should be given complete control of the project
and be allocated the resources for successful completion of the project.

29. Duties and responsibilities of an Information System manager

 Information processing is primarily concerned with the operation aspect of the information
processing environment and includes computer operations and related functions

 System development enhancement is concerned with the development, acquisition and maintenance of computer application systems and performs systems analysis and programming functions.

 Data entry supervisor is responsible for ensuring whether the data is authorized,
accurate and complete when entered into the system.

 File librarian is responsible for recording, issuing, receiving and safeguarding all
programs and data files that are maintained on the database

 Control group manages the flow of data and is responsible for the collection, conversion
and control of input, and balancing the distribution of output to the user community

 Operations management is responsible for the daily running of hardware and software
facilities so that the production application system can accomplish their work and the
development staff can design, implement and maintain the systems

 Security administrator in a data processing organization is responsible for matters of physical security

 Physical security ensures a reliable and complete protection from possible attacks to the
database and storage devices

 Data security ensures restricted access to database objects

 Security program is a series of ongoing, regular, periodic evaluations conducted to ensure that the physical facilities of an Information System are adequately safeguarded

 Production work flow control in an Information System is the responsibility of the control section. It manages the flow of data between users and the Information System and between data preparation and the computer room

 Quality assurance group is responsible for testing and verifying whether the program changes and documentation adhere to standards and naming conventions before the programs are moved into production

 System analysts are responsible for interpreting the needs of the user, determining the
programs and programmers necessary to create a particular application.

 Applications programmers are responsible for developing new systems and for maintaining systems in production

 Systems programmers are responsible for maintaining the systems software including
the operating systems

 Local area network (LAN) administrator is responsible for technical and administrative
control over the LAN

 Help desk administrator is responsible for monitoring, improving and controlling system
performance in mainframe, server hardware and software.

***

42
03 CONTROL OBJECTIVES
1. Definitions

 Control

 Checks or management tools which are implemented to ensure that a process or system will work as per its intended purpose

 Types of control systems:

- System development & acquisition controls
- Control over system implementation
- Control over system & program changes
- Application controls
- Logical access controls
- Physical access controls
- Environmental controls

 Benefit of a control is the difference between the expected losses without and with the control. Business continuity requirements may require that a control exists even if its cost is more than its expected benefit

 Adequate Control means a control which provides reasonable assurance of the reliable & effective working of the IS

 Data Integrity refers to error-free data and an audit trail at each stage of data processing

 Audit Trail is existence of transaction path from beginning to end. Its existence is vital to
financial audits. It is a log that is designed to record user activities on system &
applications.

2. Classification of controls

 General Controls: those controls which are applicable to the overall system components, processes & data for a given organization or systems environment. They include controls over data centre & networking operations, system development & acquisition, system change & maintenance, access & computer processing.

 Application Controls: those controls that are applicable to individual accounting subsystems such as payroll or accounts payable.

3. Importance of Control

 Information is an important resource
 Increasing threats of various types to IS
 Increasing need for regulatory compliance
 Information System is a set of integrated resources
 Growing importance, education & awareness of information security & controls

4. Effects of computers on Internal Audit

 Finance & accounting systems have become more automated
 Changed the ways auditors carry out auditing
 Changed audit style from manual audit to auditing around the computer, & then to auditing through the computer
 Impact of computers on the preparation & maintenance of financial books & reports

 Changes in audit trail & audit evidence:

Reasons for changes in audit trail in a computerized system compared to a manual system are:

 Data retention & storage
 Absence of input documents
 Lack of visible audit trail
 Lack of visible output
 Audit evidence
 Legal issues
 System-generated transactions
 Storage issues

 Changes in internal control environment:

Following are used in both manual & computerized systems:

 Personnel
 Segregation of duties
 Authorization procedures
 Record-keeping
 Access to assets & controls
 Management & supervision & review

Following is the difference between manual & computerized systems:

 Concentration of programs & data
 Segregation of data

 New causes & sources of error:

 System-generated transactions
 Systematic errors

 New audit procedures

5. Responsibilities for implementing controls

The management is responsible for establishing and maintaining controls to achieve the objectives of effective and efficient operations and reliable information systems. Management should consistently apply the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness. The accompanying flowchart lists the manager's responsibilities as:

- Developing & implementing appropriate, cost effective controls over information systems consistent with the security policy
- Identifying the needed documents
- Assessing the adequacy of internal controls in programs & operations
- Separately assessing internal control through a management assurance statement
- Regularly reporting on the adequacy of internal controls
- Taking corresponding corrective actions

6. Structure of the control environment

 Long range planning includes documenting goals and objectives, explaining how strengths
will be used and how weakness will be compensated for or corrected

 The Information System managers must take systematic and proactive measures to
develop and implement appropriate, cost effective internal control for result oriented
management; assess the adequacy of internal control in programs and operations and
separately assess and document internal control over Information System consistent with
information security policy of the organization

 Short range or tactical planning covers the functions and activities performed every day; these are established to meet the long term goals

 Personnel management controls involve activities and functions to accomplish the administration of individual costs. The control techniques include job descriptions, salary and benefit budgets and recruiting standards and criteria

7. CONTROL OBJECTIVES FOR INFORMATION RELATED TECHNOLOGY (COBIT)

 COBIT is a set of best practices, or a framework, for IT management, created by the Information Systems Audit & Control Association (ISACA) in 1996 and subsequently developed together with the IT Governance Institute (ITGI).

 COBIT is the most popular control framework for IS Resources. It provides framework for:

- Management
- Users
- Auditors

 COBIT provides a set of generally accepted indicators, processes & best practices to assist
them in maximizing benefits derived through use of IT. It helps in appropriate IT governance
& controls in a company. It provides balance between risk & control investment in the IS
environment.

 COBIT framework addresses issues of control effectiveness from three dimensions:

- Business objectives: to satisfy business requirements in terms of reliability and security
- IT resources: to ensure the reliability of IT resources
- IT processes: COBIT provides specific controls to be carried out with the help of the IS. COBIT controls help to execute the following processes efficiently:

Planning & Organization
Acquisition & Implementation
Delivery & Support
Monitoring

8. IS Control Techniques

 Control frameworks primarily divide controls into 3 categories:

- Accounting controls for reliability of financial records
- Operational controls for efficient day-to-day operations
- Administrative controls for compliance with management & statutory requirements

 COSO's objectives for organizations:

- Reliability of financial reporting
- Effectiveness & efficiency of operations
- Compliance with applicable laws & regulations

 Auditor's categorization of controls:

- Preventive Controls: designed to prevent an error or malicious activity in the system. Devised by understanding the probable threats, understanding the vulnerabilities & exposure of assets to those threats, and finding the preventive controls necessary to avoid them.

- Detective Controls: used to detect errors or malicious activities in the system. Devised by having a clear understanding of lawful activities, using preventive controls, & establishing detective controls which report unlawful activities.

- Corrective Controls: designed to reduce the impact of errors or malicious activities by correcting the errors & avoiding the malicious activities in future. They help to minimize the impact of threats or problems, rectify issues & modify the processing system to minimize future occurrence of problems.

- Compensatory Controls: where organizations can't implement preventive controls, compensatory controls are used.

9. Audit Trails are logs that can be designed to record activity at the system, application & user level. They provide an important detective control to help accomplish security policy objectives.

 Audit trails attempt to ensure that a chronological record of all events that have occurred in
a system is maintained.
 There are two types of audit trail:

 Accounting audit trail shows the source & nature of data & processes that update the
database
 Operations audit trail maintains a record of attempted or actual resource consumption
within a system

 Audit trails can be used to support security objectives in three ways:

Detecting unauthorized access to the system
Facilitating reconstruction of events
Promoting personal accountability

 Information contained in audit logs is useful to accountants in measuring the potential damage & financial loss associated with application errors & unauthorized use.

 Logs also provide valuable evidence for assessing the adequacy of the controls in place & the need for additional controls
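A concrete form of the two trail types and the three security uses described above (and of the audit trail defined in section 1), added here as an example and not taken from these notes or from any product: an append-only audit trail whose entries are hash-chained, so that an altered, deleted or reordered record is caught on verification; it records accounting entries (who changed which database record from what to what) and operations entries (attempted use of a resource), reconstructs one user's events in order, and flags users with repeated denied access. The class, its method names and the sample events are invented for the example.

```python
import hashlib
import json

# Added example for these notes (not taken from any product): a minimal
# tamper-evident audit trail. Each entry is hashed together with the hash of
# the entry before it, so altering, deleting or reordering a record makes the
# chain fail verification.

GENESIS_HASH = "0" * 64


def _entry_hash(entry, prev_hash):
    # Canonical JSON so the same fields always hash identically.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def _append(self, trail, ts, user, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"seq": len(self.entries) + 1, "ts": ts, "trail": trail,
                 "user": user, "action": action, "detail": detail}
        entry["hash"] = _entry_hash(entry, prev)   # hash covers every field above
        self.entries.append(entry)
        return entry

    def accounting(self, ts, user, table, key, before, after):
        """Accounting trail: source and nature of each update to the database."""
        return self._append("accounting", ts, user, "update",
                            {"table": table, "key": key, "before": before, "after": after})

    def operations(self, ts, user, resource, outcome):
        """Operations trail: attempted or actual use of a system resource."""
        return self._append("operations", ts, user, "access",
                            {"resource": resource, "outcome": outcome})

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad seq)."""
        prev = GENESIS_HASH
        for expected_seq, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != expected_seq or _entry_hash(body, prev) != e["hash"]:
                return False, expected_seq
            prev = e["hash"]
        return True, None

    def events_for(self, user):
        """Reconstruction of events: everything one user did, in order."""
        return [(e["ts"], e["trail"], e["action"], e["detail"])
                for e in self.entries if e["user"] == user]

    def repeated_denials(self, resource, threshold):
        """Detective use: users denied access to `resource` at least `threshold` times."""
        counts = {}
        for e in self.entries:
            d = e["detail"]
            if e["trail"] == "operations" and d["resource"] == resource and d["outcome"] == "denied":
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return sorted(u for u, n in counts.items() if n >= threshold)


def build_sample_trail():
    """Constructed events for the example (not real data)."""
    t = AuditTrail()
    t.operations("2024-03-01T09:00:00Z", "alice", "payroll-app", "granted")
    t.accounting("2024-03-01T09:05:00Z", "alice", "salary", "emp-104", 50000, 52000)
    t.operations("2024-03-01T09:10:00Z", "mallory", "payroll-app", "denied")
    t.operations("2024-03-01T09:11:00Z", "mallory", "payroll-app", "denied")
    t.operations("2024-03-01T09:12:00Z", "mallory", "payroll-app", "denied")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    print("repeated denials:", trail.repeated_denials("payroll-app", 3))
    trail.entries[1]["detail"]["after"] = 99000      # someone edits a salary record
    print("after tampering:", trail.verify())
```

The chain only proves that the log has not changed since the last hash the verifier trusts. The latest hash should therefore be copied periodically to a place the application cannot write, such as a separate log host or a signed checkpoint; an attacker with write access to the log file alone could otherwise recompute the whole chain after editing it.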

10. User Information Manual (UIM) defines responsibilities & actions for:

 Input controls (that identify all data entering the processing cycle)
 Processing controls (that includes edit, error-handling, audit trails, master-file changes)
 Output controls (that define how to verify correctness of reports)
 Separation of duties between preparing input & balancing output
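The input, processing and output controls listed above, together with the separation of duties between preparing input and balancing output, as one worked example added to these notes (not taken from any system the notes describe): a batch of constructed payroll records is checked against the preparer's control totals on entry, edit-checked record by record during processing, and balanced back to the input totals on output, with rejected records carried to an error report rather than dropped. `BatchHeader`, `process_batch`, the department table and the pay limit are assumptions made for the example.

```python
from dataclasses import dataclass

# Added example for these notes (not from any production system): batch
# input, processing and output controls with a separation-of-duties check.

VALID_DEPARTMENTS = {"FIN", "OPS", "IT"}      # assumed reference table
MAX_GROSS = 500000                            # assumed reasonableness limit


@dataclass
class BatchHeader:
    """Control totals declared by the person who prepared the input batch."""
    prepared_by: str
    record_count: int
    hash_total: int    # sum of employee ids: meaningless as a number, but it
                       # changes if a record is dropped, duplicated or altered
    amount_total: int  # sum of gross pay


def input_control(header, records):
    """Input control: the batch received must match the totals declared."""
    errors = []
    if len(records) != header.record_count:
        errors.append("record count %d != %d" % (len(records), header.record_count))
    hash_total = sum(r["emp_id"] for r in records)
    if hash_total != header.hash_total:
        errors.append("hash total %d != %d" % (hash_total, header.hash_total))
    amount_total = sum(r["gross"] for r in records)
    if amount_total != header.amount_total:
        errors.append("amount total %d != %d" % (amount_total, header.amount_total))
    return errors


def edit_checks(record):
    """Processing control: field-level edits; returns the reasons to reject."""
    reasons = []
    if not 100000 <= record["emp_id"] <= 999999:
        reasons.append("emp_id out of range")
    if record["dept"] not in VALID_DEPARTMENTS:
        reasons.append("unknown department")
    if not 0 < record["gross"] <= MAX_GROSS:
        reasons.append("gross pay outside limit")
    return reasons


def process_batch(header, records, balanced_by):
    """Run the batch end to end and return a summary the control group can check."""
    # Separation of duties: the preparer of the input may not balance the output.
    if balanced_by == header.prepared_by:
        raise PermissionError("preparer may not balance their own batch")

    input_errors = input_control(header, records)
    if input_errors:
        return {"status": "rejected", "input_errors": input_errors}

    accepted, rejected = [], []
    for r in records:
        reasons = edit_checks(r)
        if reasons:
            rejected.append(dict(r, reasons=reasons))   # goes to the error report
        else:
            accepted.append(r)

    # Output control: accepted plus rejected must balance back to the input
    # totals, so nothing was silently lost or invented during processing.
    out_count = len(accepted) + len(rejected)
    out_total = sum(r["gross"] for r in accepted) + sum(r["gross"] for r in rejected)
    balanced = out_count == header.record_count and out_total == header.amount_total
    return {
        "status": "balanced" if balanced else "out of balance",
        "accepted": len(accepted),
        "rejected": rejected,
        "paid_total": sum(r["gross"] for r in accepted),
    }


def sample_batch():
    """Constructed payroll records; the third has a department not in the table."""
    records = [
        {"emp_id": 100101, "dept": "FIN", "gross": 52000},
        {"emp_id": 100102, "dept": "OPS", "gross": 48000},
        {"emp_id": 100103, "dept": "HR", "gross": 51000},
    ]
    header = BatchHeader(prepared_by="clerk1", record_count=3,
                         hash_total=300306, amount_total=151000)
    return header, records


if __name__ == "__main__":
    hdr, recs = sample_batch()
    print(process_batch(hdr, recs, balanced_by="supervisor"))
```

The hash total is the control that catches a substituted record: a batch with one employee id changed still has the right count and may still have the right amount, but its id sum no longer matches the header.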

11. System Development & Acquisition Controls

 There are 3 major threats to system development & acquisition. These threats can lead to huge wastage of money:

- May consume excessive time & resources
- May not be developed as per requirement
- May contain unauthorized / fraudulent instructions

 The following components can be used to protect the system from the above problems:

- Developing a strategic master plan

- Use project control techniques:

 System authorization
 User involvements
 Technical design
 Testing
 Internal auditor’s involvement
 User acceptance & testing

- Proper data processing schedules to maximize use of scarce resources

- Measuring system performance:

 Response time
 Utilization
 Stress test
 Throughput
 Post-implementation review

- Post-implementation review should be undertaken only after:

 Any necessary changes & tuning have been completed
 Sufficient time has been given for significant problems to surface
 Sufficient time has been given for users to become familiar

12. Controls over System Implementation

 Once the system is developed & ready, a User Acceptance Test is carried out. Its aim is to confirm that:

- User requirement specifications are met
- Operational documentation is accurate, comprehensive & usable
- Helpdesk & other ancillary functions are operating properly
- Back-up & recovery procedures will work effectively

 Acceptance testing is a complete end-to-end test of the operational system, including all manual procedures, carried out in a live environment over an adequate time frame.

It includes:

- Performance testing
- Volume testing
- Stress testing
- Security testing
- Procedure testing
- Back-up & recovery
- Parallel operation

 Principles relating to Testing Controls:

- Identifying defects
- Designed for demonstration & testing errors

 Regression Testing: If a defect is identified & subsequently rectified, the system will need to be re-tested to ensure that the correction / change has not triggered other unforeseen problems. This is known as Regression Testing

 Auditor’s validations for user acceptance & testing:

Audit helps to ensure that system implementation is complete & users have accepted new
systems of use. Auditor has to ensure & verify that:

- An acceptance test plan has been drawn up


- A manager with adequate authority has been appointed to handle proceedings
- Testing is working in actual environments
- Proper data conversion plan has been developed considering all material issues
- Adequate controls exist to prevent unauthorized changes from being made
- Proper resources are available
- Responsibility allocation is complete
- Ensure that end-users are fully involved

 Post-implementation review (PIR):

PIR must evaluate whether the implemented system has met its:

- Business objectives: delivered within budget & allocated time
- User expectations: user-friendly & reliable
- Technical requirements: capable of expansion

13. Controls over System & Program Changes

 Following controls should be used for control over system & program changes:

- Change management controls refer to the formal control policies & procedures, which
are used to properly control information changes.

- Authorization controls ensure all information & data used in processing is authorized
by management & representative of events that actually occurred.

- Documentation controls ensure that there is sufficient documentation that explains
how software/ hardware are used.

- Testing controls ensure that systems perform to the satisfaction of various interested
parties.

- Quality Controls refer to operational techniques & activities that are used to fulfill
requirements for quality & are concerned with confirming that the products are fit for their
intended purpose.

Elements of QC are:

Formal reviews
Walkthrough
Testing
Inspection

14. Controls over Data Integrity & Security

 Information classification refers to a conscious decision to assign a level of sensitivity to
information. It is done as per the level of sensitivity of the information. It is important since it
determines the extent of control over information & the value of information.

Information is to be classified under:

1) Top secret
2) Highly confidential
3) Proprietary
4) ‘for internal use’
5) Public documents

 Data integrity aims to prevent, detect & correct errors in transactions as they flow through
various stages of data processing. Further, data integrity helps protect data from malicious
or accidental data alteration or destruction & provide assurance about quality & integrity of
information to the users.

There are 6 data integrity controls:

- Source data controls
- Input validation routines
- Online data entry controls
- Data processing & storage controls
- Output controls
- Data transmission controls

15. Access Controls

Information Systems have two types of access:

 Logical access
 Physical access

16. Logical Access Controls (LAC) are system-based mechanisms used to designate rights to
have access to specific system resources & the type of transactions & functions that are
permitted.

 Objectives:

- Only authorized access to system
- Restrict users to only authorized transactions
- Restrict access of network to authorized users only
- Protecting system from malicious programs & viruses
- Helps to protect integrity of application & data

 Types of Logical Access Paths:

- Online terminals
- Operation console (directly connected to servers)
- Dial-up ports (providing remote access)
- Telecommunication links (providing LAN & WAN services)
- Batch processing

 Possible exposures resulting in losses:

- Technical exposures include unauthorized implementation or modification of software.
Major technical exposures are:

‡ Data Diddling (involves change of data before/ during/ after entry into the system in order
to alter key system data)
‡ Bombs (piece of bad code in a program, deliberately planted to cause a destructive
process)
‡ Trojan Horse (an illicit code contained in a legitimate program & causing illegitimate
action)
‡ Worms (stand-alone programs which are hidden in a host program)
‡ Salami Techniques (involves slicing off small amounts of money from a
computerized transaction)

- Asynchronous exposures (attacks) occur in environments where data can be moved
asynchronously across telecommunication links. The various types of attacks are:

‡ Data leakage
‡ Wire-tapping
‡ Denial of Service
‡ Piggy Backing (following an authorized person through a secured door)

- Loss of exposures

 Effects of computer crime exposures:

- Financial loss
- Legal battles
- Loss of credibility
- Industrial espionage
- Leakage of confidential information
- Sabotage

 LAC violators:

- Hackers
- IS Personnel
- End users
- Former employees
- Interested or educated outsiders
- Competitors & crackers
- Part-time & temporary personnel

 Types of LAC

- Using User-id & password
- Using access control
- Using data encryption
- Using firewall
- Using network monitoring

 Access control mechanisms:

- Identification & authentication
- Authorization

 Audit of LAC: Role of IS auditor:

- Review relevant documents relating to logical access & associated risks
- Review potential unauthorized access paths
- Review working of various logical access controls
- Review password policy of organization

17. Physical Access Controls

 Reasons for physical access violations:

- Abuse of data processing resources
- Embezzlement or fraud
- Blackmailing or revenge
- Damage to equipment & resources
- Theft of equipment & resources
- Public disclosure of sensitive information

 Physical access violations are mostly done by:

- Ignorant employees
- Former employees
- Striking employees
- Interested or informed outsiders

 Audit of physical access controls:

- Assess various threats & risks to facilities
- Review controls used to avoid these threats & risks
- Observe & test controls to protect hardware facilities, computer terminals

18. Environmental Controls

 Primarily due to elements of nature.

 Common environmental threats are:

- Fire damage
- Water damage/ flooding
- Power spike
- Electrical shock
- Natural disasters
- Equipment failure
- AC failure
- Bomb threat/ attack

19. Security Concepts & Techniques

- Cryptosystems
- Data Encryption Standards
- Private Key Encryptions
- Public Key Infrastructure
- Firewalls

20. Cryptosystems refer to a set of algorithms used for encryption & decryption of data. It consists
of 3 algorithms:

 One for key generation
 One for encryption
 One for decryption

21. Data Encryption Standards is a mathematical algorithm for encrypting & decrypting
information. The encrypting process converts data in to an unintelligible form & decrypting
process converts data back into its original form (called Plain Text).
Data Encryption is mainly used as a control for safety of data transmitted over a
communication channel.
22. Private Key Encryptions: in this, both sender & receiver use the same key for encryption &
decryption.

23. Public key infrastructure: normally considered a better method of data encryption. Here, a
key pair (private key & public key) is used for data encryption & decryption.
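To make the three-algorithm structure of a cryptosystem (sections 20 to 22) concrete, the following is an added example that is not part of these notes: a one-time pad in Python with one function each for key generation, encryption and decryption, i.e. a private-key scheme where sender and receiver share the same key. The names generate_key, encrypt, decrypt, xor_bytes, key_reuse_leak and keys_required are this example's own, and the "PAY ..." messages are constructed sample data.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


# Algorithm 1: key generation.  A one-time pad key must be as long as the
# message and drawn from a cryptographically secure random source.
def generate_key(length: int) -> bytes:
    return secrets.token_bytes(length)


# Algorithm 2: encryption.  Plain text XOR key -> cipher text, which is
# unintelligible without the key.
def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(key, plaintext)


# Algorithm 3: decryption.  XOR is its own inverse, so the same shared key
# converts the cipher text back into the original plain text.
def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(key, ciphertext)


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why 'one-time' matters: if the same key encrypts two messages, the XOR
    of the two cipher texts equals the XOR of the two plain texts, so the key
    cancels out and an eavesdropper learns how the messages differ."""
    return xor_bytes(c1, c2)


def keys_required(parties: int):
    """Key-management load for n parties: private-key encryption needs one
    shared secret per pair, n(n-1)/2; a public-key infrastructure needs one
    key pair per party, 2n.  Returns (private_key_count, pki_key_count)."""
    return parties * (parties - 1) // 2, 2 * parties


if __name__ == "__main__":
    msg = b"PAY 100 TO ACCT 42"          # constructed sample message
    k = generate_key(len(msg))
    c = encrypt(k, msg)
    assert decrypt(k, c) == msg
    print("cipher text:", c.hex())
    print("keys for 50 parties (private-key, PKI):", keys_required(50))
```

The key-count function is the scaling argument behind the notes' remark that public-key infrastructure is "normally considered a better method": with one shared secret per pair the number of secrets to distribute and protect grows quadratically, whereas PKI only needs one key pair per party.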

24. Firewall

 A computerized system installed between organization’s private network & public network
to protect against unauthorized access.

 Like an insulator, this insulates organization’s private network from invaders coming from
public network.

 Acts as a security between private & public networks & it checks data packets for
authentication & authorization.

There are 4 types of Firewall:

Network level or Packet Filtering Firewalls check the source address of incoming data
packets to find out whether they are authorized to enter the private network. It maintains a list
of authorized sources.

Stateful Inspection Firewalls provide additional dynamics to packet filtering by checking the
state of the connection between the user & the organization network & help to improve the
efficiency of the packet filtering process.

Proxy Server Firewall places spam/ junk type of malicious content in a separate location.

Application Level Firewall provides a higher level of network security. It is very complex &
expensive.
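The difference between the first two firewall types above is easiest to see in code. The following is an added example, not part of these notes: a packet filter that only consults a static list of authorized sources, and a stateful inspection firewall that additionally records connections opened from the private network so that replies to them are admitted. The Packet model, the class and function names and the IP addresses (documentation ranges) are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: only the header fields a filter inspects."""
    src: str         # source IP address
    sport: int       # source port
    dst: str         # destination IP address
    dport: int       # destination port
    direction: str   # "in" = arriving from the public network, "out" = leaving the private one


class PacketFilterFirewall:
    """Network-level (packet filtering) firewall: keeps a static list of
    authorized sources and checks the source address of every inbound packet."""

    def __init__(self, authorized_sources):
        self.authorized_sources = set(authorized_sources)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            return True                           # outbound traffic is not restricted here
        return pkt.src in self.authorized_sources


class StatefulInspectionFirewall(PacketFilterFirewall):
    """Stateful inspection: additionally remembers connections opened from the
    private network, so replies to them are let back in without having to
    list every external server as an authorized source."""

    def __init__(self, authorized_sources):
        super().__init__(authorized_sources)
        # state table: (internal host, internal port, external host, external port)
        self.connections = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.src in self.authorized_sources:      # the static rule still applies
            return True
        # an inbound packet is a reply only if it mirrors a recorded outbound flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def run_demo() -> dict:
    """Feed the same constructed traffic through both firewall types."""
    partner = "203.0.113.10"          # constructed: an authorized external source
    pf = PacketFilterFirewall([partner])
    sf = StatefulInspectionFirewall([partner])

    outbound = Packet("10.0.0.5", 49152, "198.51.100.7", 443, "out")   # browsing out
    reply = Packet("198.51.100.7", 443, "10.0.0.5", 49152, "in")        # the server's answer
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 49153, "in")  # no matching flow
    from_partner = Packet(partner, 2000, "10.0.0.5", 22, "in")           # listed source

    results = {}
    for name, fw in (("packet_filter", pf), ("stateful", sf)):
        results[name] = {
            "outbound": fw.allow(outbound),          # evaluated first so state exists
            "reply": fw.allow(reply),
            "unsolicited": fw.allow(unsolicited),
            "from_partner": fw.allow(from_partner),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```

The plain packet filter drops the server's reply because the server is not on its static list; the stateful firewall admits it because it matches a flow the private network itself opened, while the unsolicited packet from the same server, which matches no recorded flow, is still dropped.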

25. Virtual Private Network (VPN) is a collection of technologies that creates a secured
connection over regular internet lines that can be easily used by employees & trusted
customers from anywhere.
Key advantages of VPN are:

Universal connectivity
Security
Low cost

26. Data Privacy refers to relationship between technology & legal rights to public expectation of
data privacy. The most common sources of data that are affected by data privacy issues are:

Health information
Financial information
Genetic information
Location information
The challenge in data privacy is to share data while protecting the personal identifiable
information.

Technologies addressing privacy protection issues fall in to 2 categories:
Communication
Enforcement

27. There are 2 popular Intrusion Detection Systems:

 Network-based Systems, where a special device is placed in the network system. This
examines network traffic.

 Host-based Systems, installed in the server, examine the system.

28. Hacking is an act of penetrating computer systems to gain access of communication channels
for theft & manipulation of data. There are many ways to hack a system. Some are as follows:

‡ NetBIOS
‡ Internet Control Message Protocol ‘Ping’
‡ File Transfer Protocol
‡ RPC Standard
‡ Hyper-text Transfer Protocol

29. The Information System Audit Process

The Audit of an Information System environment to evaluate the systems, practices and
operations may include one or both of the following:

 Assessment of internal control within the Information System environment to assure validity,
reliability and security of information

 Assessment of the effectiveness and efficiency of the Information System environment in
economic terms

The Information System audit process is to evaluate the adequacy of internal controls with
regard to both specific computer programs and the data processing environment as a whole.

30. The set of skills that is generally expected of an Information Systems Auditor include:

 Sound knowledge of business operations, practices and compliance requirements,
 Should possess the requisite professional & technical qualifications and certifications,
 A good understanding of information risks and controls,
 Knowledge of information technology strategies, policy and procedure controls,
 Ability to understand technical and manual controls relating to business continuity; and
 Good knowledge of professional standards and best practices of information technology
controls and security

The audit process begins by defining the scope and objectives to adapt the standards and
benchmarks for developing an information model for collecting and evaluating evidence to execute
the audit.

31. Information technology auditor is the translator of business risk, as it relates to the use of
information technology, to management, someone who can check the technicalities well
enough to understand the risk and make a sound assessment and present risk oriented advice
to the management.

32. The information technology auditors review risks relating to information technology systems
and processes. Some of them are:

 Inadequate information security
 Inefficient use of corporate resources, or poor governance
 Ineffective IT strategies, policies and practices
 IT related frauds

33. Categories of information technology audits

 Systems and applications: an audit to verify that systems and applications are appropriate,
efficient and are adequately controlled to ensure valid, reliable, timely and secure input,
processing and output at all levels of the system’s activity

 Information processing facilities: an audit to verify that the processing facility is controlled to
ensure timely, accurate and efficient processing of applications under normal and
potentially disruptive conditions

 System development: an audit to verify that the systems under development meet the
objectives of the organization and to ensure that the systems are developed in accordance
with generally accepted standards for system development

 Management of IT and Enterprise architecture: an audit to verify that IT management has
developed an organizational structure and procedures to ensure a controlled and efficient
environment for information processing

 Telecommunications, intranets and extranets: an audit to verify that controls are in place on
the client, the server, and on the network connecting the clients and servers

34. Steps in information technology audit

 Scoping and pre audit survey: Here, the auditors determine the main area of focus.
Information sources at this stage include background reading and web browsing,
previous audit reports, pre audit interview, observations and sometimes subjective
impressions that simply deserve further investigation

 Planning and preparation during which the scope is broken down into greater levels of
detail, usually involving the generation of an audit work plan or risk control matrix

 Fieldwork implies gathering evidence by interviewing staff and managers, reviewing
documents, observing processes etc.

 Analysis. This step involves desperately sorting out, reviewing and trying to make sense of
all the evidence gathered earlier. SWOT technique can be used for analysis

 Reporting to the management is done after analysis of data gathered and analyzed

 Closure involves preparing notes for future audits and following up with management to
complete the actions they promised after previous audits

35. Information System Control Techniques

Information System Control Techniques are of the following kinds:

 Organizational controls
 Management controls
 Financial controls
 Data processing environment controls
 Physical access controls
 Logical access controls
 SDLC controls
 BCP controls
 Application controls
 Users controls

36. Organizational control techniques include documentation of the following:

 Responsibilities & objectives

The IS Management team is responsible for effective & efficient utilization of IS
resources. Their responsibilities include:

‡ Provide information to senior management on IS resources
‡ Planning for expansion of IS resources
‡ Controlling use of IS resources
‡ Implementing activities & functions that support company’s strategic plan

 Policies, standards, procedures & practices

Documented policies should exist in IS for:

‡ Use of IS resources
‡ Physical, data & online security
‡ Reviewing, evaluating & purchasing hardware & software
‡ System development methodology &
‡ Application program changes

 Job descriptions

 Segregation of duties

37. Management Control is to ensure that the IS functions correctly & meets strategic
business objectives. The controls to be considered when reviewing the organization &
management controls in an IS system shall include:

 Responsibility of a senior management personnel for IS
 An official IT structure
 An IT Steering Committee responsible for overall direction of IT

38. Financial Control Techniques are the procedures exercised by the system user personnel over
source / transactions origination documents before system input. These areas exercise control
over transaction processing. A few financial control techniques are:

 Authorization
 Budgets
 Cancellation of documents (to prevent reuse)
 Documentation
 Dual control
 Input/ output verification
 Safekeeping
 Segregation of duties
 Sequentially numbered documents
 Supervisory review

39. Data Processing Environment Controls are hardware & software related & includes procedures
exercised in software programming, online transaction systems, database administration etc.

40. Physical Access Controls are personnel-related & include procedures exercised on access by
employees/ outsiders to IT resources. They relate to establishing appropriate physical security
& access control measures for IT facilities

41. Logical Access Controls are software-related & include procedures exercised in the IS software
through access controls through system software & application software. They are
implemented to ensure that access to systems, data & programs is restricted to authorized
users so as to safeguard information against unauthorized use, modification or loss.
Key factors in designing LAC include:

 Confidentiality & privacy requirements
 Authorization & authentication
 Access controls
 User identification & authorization profiles
 Incident handling, reporting & follow-up
 Virus prevention & detection
 Firewalls
 Centralized security administration
 User training
 Tools for monitoring compliance
 Intrusion testing & reporting

42. SDLC Controls are functions & activities generally performed manually that control the
development of application systems, either through in-house design & programming or
purchase. These procedures establish control functions in each phase of SDLC

43. BCP Controls relate to having an operational and tested IT continuity plan, which is in line with
the overall business continuity plan, and its related business requirements so as to make sure
IT services are available as required and to ensure a minimum business impact in the event of
a major disruption.

44. An operational & tested IT Continuity plan so as to ensure availability of IT Services & to
ensure minimum impact on business in event of a major disruption. The controls include:

Criticality classification
Alternative procedures
Back-up & recovery
Systematic & regular testing & training
Business continuity activation
Fallback & resumption plans

45. Application Control Techniques include the programmatic routines within the application
program code. The objective is to ensure that data remains complete, accurate & valid during
its input, update & storage. Any function or activity that works to ensure the processing
accuracy of the application can be considered as an application control

46. User Controls

Applications represent the interface between the user and the business functions. From the
point of view of the users, it is the applications that drive the business logic. The following are
the user controls that are to be exercised for system effectiveness and efficiency

 Boundary controls
 Input controls
 Processing controls
 Output controls
 Database controls

47. Boundary controls establish interface between the user of the system and the system itself.
The system must ensure that it has an authenticated user and users must ensure that they are
given authentic resources and their usage of resources is restricted.

 The major controls of boundary controls are the access controls mechanisms. They link the
authentic users to the authorized resources the users are permitted to access. The steps in
this mechanism are Identification, Authentication and Authorization.

 The user can provide three classes of input information for the authentication process and
gain access control to his required resources. The three classes are Personal Information,
Personal Characteristics and Personal Objects.

 Boundary control techniques include:

- Cryptography deals with programs for transforming data into codes that are
meaningless to anyone who does not possess authentication to access the respective
system or file

- Passwords enable user identification by an authentication mechanism with personal
characteristics

- Personal Identification Numbers are similar to passwords and issued based on user
characteristics and using a cryptographic algorithm

- Identification cards are used to store information required in an authentication process
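The three steps of the boundary control mechanism in section 47, Identification, Authentication and Authorization, as an added example that is not part of these notes. It authenticates a user-id and password against a salted, iterated hash (so the stored credentials do not reveal the passwords), locks the account after repeated failures, and only then checks an access control list for the requested resource. The BoundaryControl class, its method names, the lockout threshold of 3 and the "clerk"/"ledger" data are all constructed for this example.

```python
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256) so that a stolen
    credential store does not reveal the passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class BoundaryControl:
    """Identification -> Authentication -> Authorization for a resource."""

    MAX_FAILURES = 3   # assumed lockout threshold for this example

    def __init__(self):
        self.users = {}      # user_id -> (salt, password hash)
        self.acl = {}        # resource -> {user_id: set of permitted actions}
        self.failures = {}   # user_id -> consecutive failed logins
        self.log = []        # audit trail of every decision

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, hash_password(password, salt))

    def grant(self, user_id: str, resource: str, action: str) -> None:
        self.acl.setdefault(resource, {}).setdefault(user_id, set()).add(action)

    def authenticate(self, user_id: str, password: str) -> bool:
        record = self.users.get(user_id)              # identification: is the id known?
        if record is None:
            self.log.append(f"unknown user {user_id!r}")
            return False
        if self.failures.get(user_id, 0) >= self.MAX_FAILURES:
            self.log.append(f"{user_id} locked out")
            return False
        salt, expected = record
        # constant-time comparison avoids leaking how much of the hash matched
        if hmac.compare_digest(hash_password(password, salt), expected):
            self.failures[user_id] = 0
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        self.log.append(f"bad password for {user_id}")
        return False

    def authorize(self, user_id: str, resource: str, action: str) -> bool:
        """Authorization: is this authenticated user permitted this action?"""
        return action in self.acl.get(resource, {}).get(user_id, set())

    def access(self, user_id: str, password: str, resource: str, action: str) -> str:
        """Full boundary check; returns a verdict string for the audit trail."""
        if not self.authenticate(user_id, password):
            return "denied: authentication"
        if not self.authorize(user_id, resource, action):
            self.log.append(f"{user_id} not permitted to {action} {resource}")
            return "denied: authorization"
        self.log.append(f"{user_id} {action} {resource}")
        return "granted"


def build_demo() -> BoundaryControl:
    """Constructed user and permissions for the demonstration."""
    bc = BoundaryControl()
    bc.register("clerk", "correct horse battery")
    bc.grant("clerk", "ledger", "read")
    return bc


if __name__ == "__main__":
    bc = build_demo()
    print(bc.access("clerk", "correct horse battery", "ledger", "read"))
    print(bc.access("clerk", "correct horse battery", "ledger", "write"))
    print(bc.access("clerk", "wrong password", "ledger", "read"))
```

Note that the verdict string distinguishes an authentication failure from an authorization failure only for the audit log; what the user sees should be the same generic refusal in both cases, so that the response does not confirm which user-ids exist.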

48. Input controls are responsible for ensuring the accuracy and completeness of data and
instructions input into an application system. They are important since input involves human
intervention. Auditors should evaluate the quality of coding systems to analyze their impact on
the integrity and accuracy of data keyed into the system.

Data coding errors include addition or omission of a character in the code, recording wrong
characters, reversing adjacent characters etc.

 Factors affecting coding errors

- Length of the code
- Alphabetic/ numeric mix
- Choice of characters
- Mixing of uppercase and lowercase fonts
- Sequence of characters

49. Check Digits are redundant digits that help verify the accuracy of other characters in the code
that is checked. The program recalculates the check digits and compares with the check digit
in the code when it is entered to verify if the code is correct. They may be prefixes or suffixes to
the actual data
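A worked check digit, as an added example that is not part of these notes: the mod-10 (Luhn) scheme computes a suffix digit from the other characters, and the input program recalculates it to validate what was keyed. The example goes a step beyond section 49 by measuring which of the coding errors listed in section 48 the check digit actually catches, a wrong character in any position and reversed adjacent characters, and by showing its one known blind spot. The function names and the code "7992739871" are constructed for this example.

```python
def luhn_check_digit(body: str) -> str:
    """Compute the mod-10 (Luhn) check digit to be appended to `body`.
    Digits are weighted 2,1,2,1,... starting from the rightmost body digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(code: str) -> bool:
    """Recalculate the check digit from the leading characters and compare
    it with the trailing one, exactly as the input program would."""
    if len(code) < 2 or not code.isdigit():
        return False
    return luhn_check_digit(code[:-1]) == code[-1]


def substitution_detection(code: str):
    """Try every single-character substitution (wrong character keyed) and
    count how many the check digit catches.  Returns (detected, tried)."""
    detected = tried = 0
    for i, ch in enumerate(code):
        for wrong in "0123456789":
            if wrong == ch:
                continue
            tried += 1
            if not luhn_valid(code[:i] + wrong + code[i + 1:]):
                detected += 1
    return detected, tried


def transposition_detection(code: str):
    """Try every swap of adjacent, differing characters (reversed adjacent
    characters) and count how many are caught.  Returns (detected, tried)."""
    detected = tried = 0
    for i in range(len(code) - 1):
        if code[i] == code[i + 1]:
            continue                         # swapping equal digits changes nothing
        tried += 1
        swapped = code[:i] + code[i + 1] + code[i] + code[i + 2:]
        if not luhn_valid(swapped):
            detected += 1
    return detected, tried


if __name__ == "__main__":
    body = "7992739871"                      # constructed account number body
    code = body + luhn_check_digit(body)
    print(code, luhn_valid(code))
    print("substitutions caught:", substitution_detection(code))
    print("transpositions caught:", transposition_detection(code))
    # known blind spot: swapping an adjacent 0 and 9 is not detected
    print("091 ->", luhn_valid("091"), " 901 ->", luhn_valid("901"))
```

Every single wrong digit and every reversal of two different adjacent digits is caught, except the swap of an adjacent 0 and 9, because doubling maps both 0 and 9 to a contribution that differs from the digit itself by the same amount. Auditors assessing a coding scheme should know which error classes its check digit leaves uncovered.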

50. Processing controls perform validation checks to identify errors during processing of data.
They are required to ensure both completeness and the accuracy of the data being processed.
They are enforced through database management system that stores the data.

Data processing controls are:

 Run to run totals help in verifying data that is subject to process through different stages

 Reasonableness verification compares and cross-verifies two or more fields to ensure their
correctness

 Edit checks are similar to data validation controls and can be used to verify accuracy and
correctness of data

 Field initialization ensures initializing of the record, i.e., setting all values to zero before
inserting a field in to a record

 Exception reports are generated to identify errors in data processed. Such errors give the
transaction code and reason as to why the particular transaction was not processed

 Existence / Recovery controls enable a system to recover if the failure is temporary and
localized
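Several of the processing controls above, run-to-run totals, reasonableness verification, edit checks and exception reports, working together on one batch, as an added example that is not part of these notes. Control totals (record count, financial total and a hash total) are taken at the input stage, again after validation and again after posting, and the stages are reconciled so that a record cannot vanish or be double-counted between runs. Rejected records are listed on an exception report with the transaction code and the reason. The BATCH data, the function names and the choice of checks are constructed for this example.

```python
# Constructed batch of sales transactions; amounts are kept as whole
# paise/cents so that control totals are exact integers.
BATCH = [
    {"code": "T001", "account": "A-100", "qty": 10, "unit_price": 500,  "amount": 5000},
    {"code": "T002", "account": "A-200", "qty": 3,  "unit_price": 2000, "amount": 6000},
    {"code": "T003", "account": "A-300", "qty": 2,  "unit_price": 750,  "amount": 1600},  # 2 x 750 != 1600
    {"code": "T004", "account": "",      "qty": -1, "unit_price": 100,  "amount": -100},  # bad fields
]


def control_totals(records) -> dict:
    """Record count, financial total and a hash total (sum of the digits of
    the account numbers, meaningless in itself) carried from run to run."""
    return {
        "count": len(records),
        "amount": sum(r["amount"] for r in records),
        "hash": sum(int(ch) for r in records for ch in r["account"] if ch.isdigit()),
    }


def edit_checks(rec) -> list:
    """Field-level validation; each failure becomes an exception-report reason."""
    reasons = []
    if not rec["account"]:
        reasons.append("missing account")
    if rec["qty"] <= 0:
        reasons.append("quantity not positive")
    if rec["amount"] <= 0:
        reasons.append("amount not positive")
    return reasons


def reasonableness(rec) -> list:
    """Cross-field check: the amount must agree with quantity x unit price."""
    if rec["qty"] * rec["unit_price"] != rec["amount"]:
        return ["amount inconsistent with qty x unit price"]
    return []


def process_batch(batch) -> dict:
    """Stage 1 input -> stage 2 validation -> stage 3 posting, with run-to-run
    totals reconciled between the stages."""
    stage_input = control_totals(batch)

    accepted, rejected, exceptions = [], [], []
    for rec in batch:
        reasons = edit_checks(rec) + reasonableness(rec)
        if reasons:
            rejected.append(rec)
            exceptions.append({"code": rec["code"], "reasons": reasons})
        else:
            accepted.append(rec)

    stage_accepted = control_totals(accepted)
    stage_rejected = control_totals(rejected)
    # run-to-run check: what went in must equal accepted plus rejected, field by field
    reconciled = all(
        stage_input[k] == stage_accepted[k] + stage_rejected[k] for k in stage_input
    )

    ledger = {}                                   # stage 3: post accepted records
    for rec in accepted:
        ledger[rec["account"]] = ledger.get(rec["account"], 0) + rec["amount"]
    posted_ok = sum(ledger.values()) == stage_accepted["amount"]

    return {
        "input": stage_input,
        "accepted": stage_accepted,
        "exception_report": exceptions,
        "run_to_run_reconciled": reconciled and posted_ok,
        "ledger": ledger,
    }


if __name__ == "__main__":
    result = process_batch(BATCH)
    for line in result["exception_report"]:
        print(line["code"], "; ".join(line["reasons"]))
    print("reconciled:", result["run_to_run_reconciled"], result["ledger"])
```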

51. Output controls ensure that the data delivered to users will be presented, formatted and
delivered in a consistent and secure manner. They ensure the integrity, confidentiality and
consistency of the output. They have to be enforced both in batch processing environment as
well as in an online environment.

Some controls are

 Storage and logging of sensitive, critical forms

 Logging of output program executions

 Spooling and queuing. Spool is a process used to ensure that the user is able to continue
working, even before the print operation is completed. A Queue is the list of documents
waiting to be printed on a particular printer. This should not be subject to unauthorized
modifications.

 Controls over printing will prevent unauthorized disclosure of printed information

 Report distribution and collection controls will prevent unauthorized disclosure of data

 Retention controls consider the duration for which outputs should be retained before being
destroyed

 Existence / Recovery controls are needed to recover the output in the event of its loss or
destruction

52. Database controls. Protecting the integrity of a database when application software acts as the
interface between the user and the database calls for Update controls and Report
controls

Update Controls are:

 Sequence check of transaction and master files is critical to maintain the integrity of updation,
insertion or deletion of records in the master file with respect to the transaction records
 Ensure all record files are processed
 Process multiple transactions for a single record in the correct order
 Maintain a suspense account for mismatched transactions
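The four update controls above in one sequential master-file update, as an added example that is not part of these notes: both files are sequence-checked before processing, every transaction is either applied or written to a suspense file (never silently dropped), and multiple transactions for the same record are applied in their sequence order, so an insert followed by an update on the same key works. The MASTER and TRANSACTIONS data, the record layout and the function names are constructed for this example.

```python
def in_sequence(records, key_fields) -> bool:
    """Sequence check: keys must be in non-decreasing order, so that a
    sequential update cannot skip or double-apply records."""
    keys = [tuple(r[f] for f in key_fields) for r in records]
    return keys == sorted(keys)


def update_master(master, transactions):
    """Apply a transaction file to a master file.

    Returns (updated master, suspense file).  A transaction whose key has no
    matching master record, or that would insert a duplicate, goes to the
    suspense file with a reason instead of being lost."""
    if not in_sequence(master, ["key"]):
        raise ValueError("master file out of sequence")
    if not in_sequence(transactions, ["key", "seq"]):
        raise ValueError("transaction file out of sequence")

    result = {m["key"]: dict(m) for m in master}   # copy so the input is untouched
    suspense = []
    for t in transactions:
        key = t["key"]
        if t["type"] == "insert":
            if key in result:
                suspense.append({**t, "reason": "duplicate key on insert"})
            else:
                result[key] = {"key": key, "balance": t["amount"]}
        elif t["type"] == "update":
            if key not in result:
                suspense.append({**t, "reason": "no master record"})
            else:
                result[key]["balance"] += t["amount"]
        elif t["type"] == "delete":
            if key not in result:
                suspense.append({**t, "reason": "no master record"})
            else:
                del result[key]
        else:
            suspense.append({**t, "reason": "unknown transaction type"})
    return [result[k] for k in sorted(result)], suspense


# Constructed sample data: a master file and one day's transactions.
MASTER = [
    {"key": "A-100", "balance": 500},
    {"key": "A-200", "balance": 0},
]
TRANSACTIONS = [
    {"key": "A-100", "seq": 1, "type": "update", "amount": -200},
    {"key": "A-150", "seq": 1, "type": "update", "amount": 50},    # no such master record
    {"key": "A-300", "seq": 1, "type": "insert", "amount": 100},
    {"key": "A-300", "seq": 2, "type": "update", "amount": 25},    # must follow the insert
]


def run_demo():
    return update_master(MASTER, TRANSACTIONS)


if __name__ == "__main__":
    master, suspense = run_demo()
    print(master)
    print("suspense:", suspense)
```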

Report controls are:

- Standing data
 Print run to run control totals
 Print suspense account entries
 Existence / Recovery controls

53. Categorization of controls

Categories of Controls:

 By objectives of controls: 1. Preventive, 2. Detective, 3. Corrective, 4. Compensatory
 By nature of IT resources: 1. Environmental, 2. Physical Access, 3. Logical Access,
4. IS Operational, 5. IS Management, 6. SDLC
 By functional nature: 1. Internal Accounting, 2. Operational, 3. Administrative

54. Preventive controls are those inputs, which are designed to prevent an error, omission or
malicious act from occurring. The broad characteristics of preventive controls are:

 A clear cut understanding about vulnerabilities of the asset
 Understanding probable threats
 Provision of necessary controls to prevent probable threats from materializing

55. Detective controls are designed to detect errors, omissions or malicious acts that occur and
report the occurrence. The main characteristic of such controls are:

 Clear understanding of lawful activities so that anything which deviates from these is
reported
 An established mechanism to refer the reported unlawful activities to the appropriate person
or group
 Interaction with the preventive control to prevent such acts from occurring
 Surprise checks by supervisors

56. Corrective controls are designed to reduce the impact or correct an error once it has been
detected. A business continuity plan is considered to be a significant corrective control. The
main characteristics of the corrective controls are:

 Minimize the impact of the threat
 Identify the cause of the problem
 Remedy problems discovered by detective controls
 Get feedback from preventive and detective controls
 Correct errors arising from a problem
 Modify the processing systems to minimize future occurrences of the problem

57. Compensatory controls are basically designed to reduce the probability of threats, which can
exploit the vulnerabilities of an asset and cause a loss to the asset.

58. Environmental controls relate to housing IT resources such as power, air conditioning etc.

59. Physical Access controls relate to physical security of the tangible Information System
resources and intangible resources stored on tangible media

60. Logical Access controls relate to logical access to information resources such as operating
systems controls, application software boundary controls, networking controls and access to
database objects

61. Information System operational Controls relate to Information System operation,
administration and its management

62. Information System management controls relate to Information System management,
administration, policies and monitoring of Information System operations

63. SDLC controls relate to planning, design, development, testing, implementation and post
implementation, change management of changes to applications and other software

64. Internal accounting controls are intended to safeguard the client’s assets and ensure the
reliability of financial records

65. Operational controls deal with day to day operations, functions and activities to ensure that the
operational activities are contributing to business objectives

66. Administrative controls are concerned with ensuring efficiency and compliance with
management policies, including operational costs

67. Quality Control management is a process that impacts the effectiveness, efficiency, integrity
and availability of Information Systems and involve IT resources that include people,
applications, technology and facilities. It describes the controls over the IT process of
managing quality that meets business requirements.

Quality control encompasses the following:

 Establishment of quality culture
 Quality plans
 Quality assurance responsibilities
 Quality control practices
 SDLC methodology
 Program & system testing and documentation
 Quality assurance reviews and reporting
 Training and involvement of end-user and quality assurance personnel
 Development of a quality assurance knowledge base
 Benchmarking against industry norms

68. Quality Standards enable implementation of quality management controls. The best practices
that identify the quality and assurance are governed by two key standards:

 Capability Maturity Model Integration by Software Engineering Institute; is a framework for
organizing and assessing the maturity level of IT processes for software development and
maintenance of products and services

 ISO 9000 Quality Management and Quality Assurance Standards; defines quality control
as the operational techniques and activities that are used to fulfill requirements for quality

69. Control Over System And Program Changes

 Management of the change process runs parallel to all the phases of SDLC. The complexity
of hardware, software and application relationships in the operating environment needs well
defined, planned, coordinated, tested and implemented change management. It involves
the following tasks:

- Provide feedback to system stakeholders
- Prevent system disruptions which may lead to business losses
- Accepted changeover to a new system across the organization
- Documentation and follow up on the recommended and implemented process change
- Change management process is to be reviewed periodically to evaluate its effectiveness

Change management involves establishing baseline versions of products, services and
procedures and ensuring all changes are approved, documented and disseminated.

 Other controls

Controls: System change controls
Description: Change control process of a system under development is to address the problems not
detected during system design or testing and change in user requirements.
Auditor’s Role:
 Evaluate quality of decisions made with respect to project management and change
facilitation
 Verify authorization and documentation of changes made to systems and programs

Controls: Program change controls
Description: Implementing controls over the modification of application software programs is to
ensure that only authorized programs and authorized modifications are implemented.
Auditor’s Role:
 Ensure maintenance of software program code libraries
 Appropriate backups of the system’s data and programs to store various versions of files
 Thorough testing before any new software release is applied in a production environment

Controls: Authorization controls
Description: They ensure all information and data entered or used in processing is authorized by
management, and responsible representatives of events that actually occurred.
Auditor’s Role:
 Determine if proper level of management is authorizing the transaction activity
 Identify any allowable overrides or bypasses of data validation and edit checks
 Review by IT management to monitor and approve all changes to hardware, software and
personnel responsibilities

Controls: Documentation controls
Description: Documentation contains descriptions of the hardware, software, policies, standards,
procedures and approvals related to the system and formalizes the system’s security controls.
Auditor’s Role: Assessing documentation involves evaluating the change board’s efforts to complete
the following critical procedures:
 There is sufficient documentation that explains how software / hardware is to be used
 There are documented formal security and operational procedures

Controls: Testing and quality controls
Description:
 Testing commences during the design phase, during which designs and specifications should
be subject to quality reviews, and continues during the system development and acceptance
testing phases of SDLC
 The overall objective of testing is to ensure that the delivered system is of adequate quality
 The requirement to demonstrate that a system is reliable implies that it should be tested, not
to demonstrate that it works, but to uncover as many defects as possible

70. System Development And Acquisition Controls

It is important to have a formal, appropriate and proven methodology to govern the
development, acquisition, implementation, and maintenance of Information Systems and related
technologies. The methodology should contain appropriate controls for management review and
approval, user involvement, analysis, design, testing, implementation and conversion.

Install and accredit solutions and changes is the high level functional area that captures the
greatest number of features representing the activities related to SDLC or release
management.

71. Control process Acquire and Implement 7 (AI7), issued by the IT Governance Institute, states
that:

New systems need to be made operational once development is complete. This requires
proper testing in a dedicated environment with relevant test data, definition of rollout and
migration instructions, release planning and actual promotion to production, and a post
implementation review. This assures that operational systems are in line with agreed
expectations and outcomes.

72. Controls over the system development phases and auditor’s role

The SDLC phases define an agenda of issues that stakeholders in the system development process must address. The quality of system
development will depend on how well the stakeholders come to grips with the issues in the context of the project. The following are some
important controls:

Each phase is given with its description, the controls that apply and the auditor’s role.

 Problem Definition
- Description: Stakeholders must attempt to come to an understanding of the nature of the problem or opportunity they are addressing
- Controls: Need for the information system in the purview of the business requirement; support and priority for the Information System by the management; level of acceptance among the stakeholders and the need for change; the investigation and strategy by which the need for the system is justified
- Auditor’s Role: Whether the stakeholders have reached an agreement on the existence of a problem or opportunity; an understanding of the threats to asset safeguarding, data integrity, system effectiveness and system efficiency associated with the solutions proposed for the system

 Management of the change process
- Description: This runs parallel to the phases of SDLC. It involves addressing matters such as budgeting, exception reporting, check points and user coordination
- Controls: Preparing the organization for an unrestricted change by feedback, training, participatory decision making and promoting the need for change; complete changeover to the new system
- Auditor’s Role: Evaluate the quality of decisions made with respect to project management and change facilitation; help users adapt to their new roles and re-freezing activities by providing positive feedback and behavioral patterns

 Entry and feasibility assessment
- Description: The specific techniques used to evaluate the feasibility of systems depend on the type and size of the system being proposed
- Controls: Technical feasibility; operational feasibility; economic feasibility; behavioral feasibility
- Auditor’s Role: Whether the change proposed is imposed on the stakeholders; behavioral impact on the users and the problems that arise in the proposed system

 Analysis of the existing system
- Description: Analysis shall include a study of the existing organizational history, structure, culture and existing information flows
- Controls: The need to study aspects of the present organizational structure; the organizational structure gives an idea of the power equations within the organization
- Auditor’s Role: Context in which the decisions for the new proposed systems were made; evaluate the quality of methodologies used; usage of high quality tools in analysis and documentation

 Formulation of strategic requirements
- Description: Also called Systems Requirements Specification; the document identifies the perceived deficiencies in the existing system, and the existing or perceived new system are evaluated
- Controls: Align the business requirements with the purview of management’s objectives and users’ goals, and carry out elicitation of the requirements and system-design work concurrently
- Auditor’s Role: Evaluate the quality of SRS design work; the feasibility of the system design proposed; assess the identified procedures and substantial behavioral impact on the users within the proposed system

 Organizational and job design
- Description: Adapting the organizational structures and job responsibility with respect to the proposed system often leads to behavioral problems among its stakeholders and may result in implementation failure
- Controls: Roles and responsibilities of the users of the system are to be defined using formal traditional mechanisms or open ended structures to facilitate adaptation; clear design of responsibilities in the initial design phase is critical in achieving the goals
- Auditor’s Role: Assess the assigned responsibility and the process used to resolve conflicts; assess control risk associated with responsibilities during SDLC with substantive testing

 Information processing system design
- Description: The reliability of the controls designed into the system is to be evaluated to meet the strategic requirements of the proposed system
- Controls: Hardware / software: design and requirement to meet the application system, with modularity and generality for future change; user interface: using source documents of data reports
- Auditor’s Role: Evaluate the appropriateness of the requirements elicitation strategy in the scope of the stakeholders; design and quality of the user interface need to follow best design practices

 Application software acquisition / selection process
- Description: Application software may be bought or developed in house
- Controls: Information and system requirements need to meet business and system goals; feasibility analysis to define constraints or limitations for each alternative system from technical as well as business perspective
- Auditor’s Role: Highlight risks before a vendor contract or a software agreement contract is signed; collect information through his own sources on vendor viability and support infrastructure; ensure legal scrutiny of contracts


73. Types of Anti-Virus Software

 Scanners are basic software used to check memory, disk boot sectors and executables
 Active monitors and heuristic scanners look for critical interrupt calls and OS functions which resemble virus action
 Integrity checkers detect any unauthorized changes to files on the system

74. Cyclic Redundancy Check

The integrity checker software performs a “take stock” of all files resident on the system and computes binary check data called the CRC.
When a program is called for execution, the software computes the CRC again and checks it against the parameters stored on the disk. In this
manner, any unauthorized changes to the files on the system can be detected.
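The following Python script is an added example and not part of these notes: an integrity checker in the style of the take-stock / recompute CRC check just described. The file names and contents are constructed in-memory data (a dict of name to bytes) so that it runs offline, and the keyed HMAC function is an addition that shows the limitation of a CRC when the concern is deliberate rather than accidental modification.

```python
"""Integrity checker using the 'take stock' / recompute CRC approach
(added example, not from the notes; files and contents are constructed)."""
from __future__ import annotations

import hashlib
import hmac
import zlib

# Constructed stand-in for files on disk: name -> content bytes.
CONSTRUCTED_FILES = {
    "payroll.exe": b"MZ\x90\x00 constructed payroll program image",
    "ledger.dat": b"2024-03-01,ACC001,1500\n2024-03-02,ACC002,-200\n",
    "config.ini": b"[audit]\nlog=on\n",
}


def crc32_of(data: bytes) -> int:
    """CRC-32 of the data as an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def take_stock(files: dict[str, bytes]) -> dict[str, int]:
    """Baseline: record the CRC of every file currently on the system."""
    return {name: crc32_of(content) for name, content in files.items()}


def check_integrity(baseline: dict[str, int], files: dict[str, bytes]) -> dict[str, list[str]]:
    """Recompute the CRCs and report what changed since the baseline was taken."""
    current = take_stock(files)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "new": sorted(n for n in current if n not in baseline),
    }


def keyed_digest(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 alternative to a CRC. A CRC detects accidental corruption, but
    whoever can alter a file can also recompute its CRC; a keyed digest can only be
    recomputed by a holder of the key, so the key must be kept off the checked system."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def simulate_changes() -> dict[str, list[str]]:
    """Take a baseline, then alter one file, delete one and add one (constructed)."""
    baseline = take_stock(CONSTRUCTED_FILES)
    later = dict(CONSTRUCTED_FILES)
    later["payroll.exe"] = later["payroll.exe"] + b"\x00 extra code appended"
    del later["config.ini"]
    later["unknown.dll"] = b"constructed new file"
    return check_integrity(baseline, later)


if __name__ == "__main__":
    print(simulate_changes())
```

CRC-32 is a linear checksum, so it is the right tool for detecting accidental corruption; where the check must resist deliberate modification, store the baseline away from the monitored system and use the keyed digest instead.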

***

04 TESTING – GENERAL & AUTOMATED CONTROLS
Testing is a process to verify the correctness, completeness & quality of developed software or any
other product. It is known as criticism or comparison. It helps to verify that the developed software or
product works as intended.

1. Software Testing Fundamentals

 Testing objectives

- Executing a program with an intention to find errors
- A good test case is one that has a high probability of finding a yet undiscovered error
- A successful test is one that uncovers a yet undiscovered error

 Objectives of Software Testing

- Errors identification
- Software operation
- Quality assurance
 Starting time of test

- Should start as early as possible in the life cycle, as early testing helps in reducing errors &
lowering costs

 Cause of bugs

- Specifications: lack of clarity & sense of urgency
- Design: frequent changes in design, poor planning of software design
- Coding: software complexity, careless mistakes

 Testing costs

- Costs increase manifold if bugs not detected on time. Fixing bugs at early stages of life
cycle will cost less.

 Stopping time of testing

- When deadlines are met
- When test cases are completed
- When testing budget is depleted
- When the rate of finding bugs is too small
- When risk in the project is found to be under acceptable limits

 Testing Strategy is the plan to analyze the product, so as to develop an adequate
assessment of quality. Its purpose is to clarify the major tasks & challenges of the test project.

An effective test strategy must be:

- Specific
- Practical
- Justified
- Cost effective
- Timely
- Comprehensive

 Test Approach & Test Architecture

- Test strategy is also known as test approach & test architecture
- It describes how to approach a test project & what should be there in the test project to
ensure a high quality product.

2. Levels Of Test Plan

Test plan is derived from test approach and contains requirements, project plan, functional
specifications and design specifications. It details out project specific test approach and lists
out high level test case areas. It includes testing risk assessment and primary test schedules. It
also lists resource requirements.

Test plan includes systematic & documented steps which are performed at different stages of
IS Development.

Levels of Test Plan

 Unit Test Plan: Includes testing procedures & types of tests for individual modules or programs. What: basic input & output activities are tested. Sequence: +ve tests & -ve tests

 Integration Test Plan: Includes testing procedures & types of tests for integrated modules & their interfaces. What: internal / external links / interfaces. Sequence: arranged based on dependencies between modules

 System Test Plan: Includes testing procedures & types of tests for the entire system by the developer before its implementation. What: testing all initial requirements, covers functionality of the entire project

 Acceptance Test Plan: Includes testing procedures and types of tests to be performed by users for the entire system before its acceptance & use

3. Test Plan Outline

a) Background
b) Introduction
c) Assumptions
d) Test items
e) Features to be tested
f) Features not to be tested
g) Approach
h) Test item pass / fail criteria
i) Suspension / resumption criteria
j) Test deliverables
k) Environmental needs
l) Responsibilities
m) Staffing & training
n) Schedule
o) Resources
p) Risks & contingencies
q) Approvals

4. Types of Software Testing

 Static testing (Verification Activities): used for verification activities, to check whether the
work being done is as per the set standards of the organization.

 Dynamic testing (Validation Activities): involves working with software, giving input
values & checking if output is as expected. Includes validation activities, unit tests etc.
5. Black Box Testing aims to derive sets of inputs that will fully exercise all the functional
requirements of the system.
 Treats the software as a “black box”, without any knowledge of its internal implementation
 Valid & invalid inputs are selected to determine the accuracy of outputs
 Mainly concerned with correct acceptance of inputs & relevant outputs
 Applicable to all levels of testing
 Can cover unimplemented parts also
 Testing methods include:

- Equivalence partitioning
- Boundary value analysis
- Cause effect graphing techniques

 Equivalence Partitioning: software testing technique that divides input data of software
unit into partition of data from which test cases can be derived. Tries to define test cases
that uncover classes of errors. Its goals are: 1) to reduce number of test cases to necessary
minimum & 2) to select right test cases to cover all possible scenarios. It uses fewest test
cases to cover maximum requirements.

 Boundary Value Analysis (BVA): since more application errors occur at boundary levels
of input domain, BVA is used to identify errors at boundaries rather than finding them in
center of input domain. Test cases are selected at edges of equivalence classes.

 Cause Effect Graphing Techniques (CEG): provides a concise representation of logical
conditions & corresponding actions. Performed once requirements have been reviewed for
ambiguity & content is reviewed.

There are 4 steps in CEG:

- Causes & effects are listed for a function
- Development of the cause-effect graph
- Graph is converted into a decision table
- Decision table rules are converted to test cases

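The following Python script is an added example and not part of these notes: it derives black box test cases for one input rule by equivalence partitioning and by boundary value analysis, and runs them against a correct validator and one with a planted defect. The rule (an integer transaction amount from 1 to 100000 inclusive), both validators and the off-by-one defect are constructed for illustration; the point it shows is that class representatives picked from the middle of a partition pass the defective version while the boundary values catch it.

```python
"""Equivalence partitioning and boundary value analysis for an input validator
(added example, not from the notes; rule, validators and defect are constructed)."""
from __future__ import annotations

from typing import Callable

LOWER, UPPER = 1, 100_000  # assumed business rule: inclusive range of a valid amount


def _is_int(value: object) -> bool:
    # bool is a subclass of int in Python; True/False are not acceptable amounts
    return isinstance(value, int) and not isinstance(value, bool)


def is_valid_amount(amount: object) -> bool:
    """Correct implementation of the rule."""
    return _is_int(amount) and LOWER <= amount <= UPPER


def is_valid_amount_buggy(amount: object) -> bool:
    """Same rule with a constructed off-by-one defect at the upper edge."""
    return _is_int(amount) and LOWER <= amount < UPPER


def equivalence_partition_cases() -> list[tuple[object, bool]]:
    """One representative per equivalence class as (input, expected result).
    Representatives are taken away from the edges, which is all partitioning asks for."""
    return [
        (LOWER - 500, False),          # class: numeric but below the range
        ((LOWER + UPPER) // 2, True),  # class: inside the range
        (UPPER + 500, False),          # class: numeric but above the range
        ("12", False),                 # class: wrong type (string)
        (None, False),                 # class: missing value
    ]


def boundary_value_cases() -> list[tuple[object, bool]]:
    """Values at, just inside and just outside each edge of the valid class."""
    return [
        (LOWER - 1, False), (LOWER, True), (LOWER + 1, True),
        (UPPER - 1, True), (UPPER, True), (UPPER + 1, False),
    ]


def run_cases(
    func: Callable[[object], bool], cases: list[tuple[object, bool]]
) -> list[tuple[object, bool, bool]]:
    """Execute the cases and return the failures as (input, expected, actual)."""
    failures = []
    for value, expected in cases:
        actual = func(value)
        if actual != expected:
            failures.append((value, expected, actual))
    return failures


if __name__ == "__main__":
    for name, func in (("correct", is_valid_amount), ("buggy", is_valid_amount_buggy)):
        print(name, "partition failures:", run_cases(func, equivalence_partition_cases()))
        print(name, "boundary failures:", run_cases(func, boundary_value_cases()))
```

Run as a script it reports no failures for the correct validator, no partition failures for the defective one, and a single boundary failure at UPPER for the defective one, which is the case BVA exists to find.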
6. White Box Testing is a test case design method which uses the control structure of the
procedural design to derive test cases.

 Used when the tester has access to the internal data structures & algorithms & also to the code
that implements these algorithms

 Provides test cases for testing the internal structure of programs

 Used to test all details of software for:
- Logical errors &
- Syntax errors (typographical errors)

 Types of tests used:

- Basis path testing: every path of the program is derived & tested. Ensures that every
statement is executed & tested at least once; takes the help of flow graphs to simplify
derivation of each path.
- Loop testing: focuses exclusively on validity of loop constructs. There are four different
classes of loops: simple loop, nested loop, concatenated loop & unstructured loop.
- Condition Testing: executes & verifies all the logical conditions in a program.
- Dataflow Testing: selects test paths according to the locations of definitions & uses of
variables in the program.
- Flow-Graphs: can be used to represent control flow in a program & can help in the
derivation of a basis set.
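The following Python script is an added example and not part of these notes: basis path testing carried out on a flow graph. The flow graph, its node numbering and the imaginary posting routine it describes are constructed; the script computes the cyclomatic complexity V(G) = E - N + 2, cross-checks it against the count of predicate nodes plus one, enumerates the entry-to-exit paths, and confirms that the path set reaches every node, which is the "every statement executed at least once" goal of basis path testing.

```python
"""Basis path testing on a flow graph (added example, not from the notes).

Constructed flow graph of an imaginary posting routine (node = statement block):
  1: read amount and account
  2: if amount <= 0 go to 3, else go to 4          (predicate node)
  3: return "rejected"                              (exit)
  4: if account is frozen go to 5, else go to 6     (predicate node)
  5: return "frozen"                                (exit)
  6: post the amount; return "posted"               (exit)
Node 0 is a virtual exit joining the three return statements so that the graph
has the single entry and single exit that V(G) = E - N + 2 assumes."""
from __future__ import annotations

from collections import defaultdict

ENTRY, EXIT = 1, 0
EDGES = [(1, 2), (2, 3), (2, 4), (4, 5), (4, 6), (3, EXIT), (5, EXIT), (6, EXIT)]
PREDICATE_NODES = {2, 4}


def cyclomatic_complexity(edges: list[tuple[int, int]]) -> int:
    """V(G) = E - N + 2: the number of linearly independent paths to test."""
    nodes = {n for edge in edges for n in edge}
    return len(edges) - len(nodes) + 2


def complexity_from_predicates(predicates: set[int]) -> int:
    """Equivalent count for simple predicates: predicate nodes + 1."""
    return len(predicates) + 1


def enumerate_paths(edges: list[tuple[int, int]], start: int, end: int) -> list[list[int]]:
    """Depth-first enumeration of every simple path from start to end."""
    graph: dict[int, list[int]] = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    paths: list[list[int]] = []

    def walk(node: int, path: list[int]) -> None:
        if node == end:
            paths.append(path)
            return
        for nxt in graph[node]:
            if nxt not in path:  # do not revisit a node, so loops cannot recurse forever
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def uncovered_nodes(edges: list[tuple[int, int]], paths: list[list[int]]) -> set[int]:
    """Nodes no path executes; an empty set means every statement block is reached."""
    nodes = {n for edge in edges for n in edge}
    covered = {n for p in paths for n in p}
    return nodes - covered


if __name__ == "__main__":
    paths = enumerate_paths(EDGES, ENTRY, EXIT)
    print("V(G) =", cyclomatic_complexity(EDGES), "(predicates + 1 =",
          complexity_from_predicates(PREDICATE_NODES), ")")
    for p in paths:
        print("test path:", " -> ".join(str(n) for n in p))
    print("uncovered nodes:", uncovered_nodes(EDGES, paths))
```

For this acyclic graph the number of simple paths equals V(G), so each path becomes one test case; when a graph has more simple paths than V(G), only V(G) linearly independent ones are needed for the basis set.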

7. Unit Testing is a method of testing the correctness of a particular module of source code.

 Software verification & validation method where programmer gains confidence that
individual units of source code are fit for use.

 Done by stepping through each & every line of code.

 Test cases are written for every function in the module such that each test case is separate from
the others.

 Benefits:

- Encourages change
- Simplifies integration
- Documents the code

 Limitations:

- Cannot capture every error in a program
- Cannot catch integration errors

8. Requirement Testing

 Helps to ensure that system’s requirements communicated by users are correct &
requirements are correctly understood & specified by developers for further system
development.
 Helps in developing correct system in efficient manner

 Objectives:

- To ensure that the system’s requirements are correctly communicated & specified
- To ensure that the system performs correctly for a sustainable & considerable period of time
- To ensure successful implementation of user requirements
- To ensure that all user needs are fulfilled
- To ensure compliance with the organization’s policies & procedures

 Advantage: minimizes extensive re-work by minimizing requirements-related defects that
could have been prevented / rectified earlier.

9. Regression Testing

 The process of testing changes to computer programs to make sure that older programs
still work with new changes.

 A regression test re-runs previous tests against changed software to ensure that changes
made in current software do not affect functionality of existing software.

 Objectives:

- To ensure that older programs still work with new changes
- To ensure that documents remain updated as per the new software
- To ensure that test-data & test-conditions remain updated as per the changes

 To be used when there is high risk that new changes may affect unchanged areas of
application software.

 Used in both development & maintenance phases of software.

10. Error Handling Testing refers to the detection and resolution of programming, application and
communication errors. There are 2 types of errors:

a. Development error (also known as syntax and logical error) – happens due to typing
mistakes or incomplete logic; and

b. Run time error – happens due to invalid inputs

Error handling testing means establishing that all error handling procedures are in place for
applications, i.e. errors will be detected and handled as per set guidelines.
Error handling objectives are:

 The application recognizes all expected error conditions,
 There is a high probability that errors will be corrected, and
 Reasonable controls will be maintained for error corrections

11. Manual Support Testing means that certain functions will be performed by people rather than
automated IS. Manual Support Testing is the testing of the manual support functions. Manual
support testing is best done during the installation phase.

It has the following objectives:

 Verify that manual support procedures are correct and documented properly
 Determine that manual support responsibilities are established & defined correctly
 Determine that manual support people are adequately trained
 Determine that manual support procedures are properly connected

12. Inter System Testing ensures that interconnection between various systems & applications
work properly. It is done to ensure that:

 Parameters and data are correctly passed between linked applications and systems
 Proper coordination between working of different linked systems exists

13. Control Testing is a check and it acts as a management tool to ensure that processing is
performed in accordance with the intents of the management. It ensures that:

 Input data is accurate & complete
 Transactions being processed are authorized
 Audit trail is in existence
 Processes being used are efficient, effective & economical
 Processing meets the needs of the users

Methods used in control testing:

 First, all risks are to be identified
 Testers should have a negative approach
 Testers should run test data and ensure that controls are effective

14. Parallel Testing

 It is done to ensure that the processing of the new application is consistent with respect to
the processing of the previous system.

 The objective is to ensure that the new system performs correctly and to demonstrate the
consistency and inconsistency between the 2 applications.

15. Volume Testing

 It is the testing of the system when the maximum numbers of users are simultaneously
active and when the database contains the greatest volume of data.

 The purpose of volume testing is to find out the weakness in the system with respect to its
handling of large amount of data during the extended time periods.

16. Functional Testing

 Checks whether programs do what they are supposed to do or not.

 Test plan specifies operating conditions, input values and expected results and as per this
plan, the programmer checks by inputting the values to see whether the actual result and
expected result match.

17. Stress Testing

 The purpose of stress testing is to find defects in the system’s capacity for handling large
numbers of transactions during peak periods.

 Stress testing deals with the quality of the application in the expected environment. The
idea is to create an environment more demanding of the application than the one the
application would experience during its normal course of operation.

18. Performance Testing

 System performance is generally assessed in terms of response time and throughput rates
under different processing and configuration conditions.

 Performance problems are most often the result of the client or server being configured
inappropriately.
The best strategy for improving client server performance is a three step process:

 1st, execute controlled performance tests that collect data about volume, stress and
loading tests.
 2nd, analyze the collected data
 3rd, examine and tune database queries.

19. Continuous Audit Techniques (Concurrent Audit Techniques)

 Need:
- To continuously monitor the system
- To collect audit evidences while live data are processed during regular operating hours

 Uses embedded audit modules which are segments of program code that perform audit
functions.

 Audit Hooks are auditing routines that flag/ mark suspicious transactions. When employed,
auditors are informed of questionable transactions immediately on their occurrence. This
immediate notification is called Real-time notification.

 Integrated Test Facility (ITF):

- Used in the IS which is to be audited
- Auditor uses a dummy account for testing & reviewing. The dummy transactions do not
affect the IS.
- Mainly used in online systems
- Test transactions can be submitted along with actual transactions on a frequent basis
without disrupting regular processing operations.

 Snapshot Technique:

- Involves having audit software take pictures of a transaction as it flows through an
application system.
- Both before-images & after-images of transactions are captured to assess accuracy &
completeness of processing
- Decisions are to be made regarding the location of snapshot points & the reporting of the
snapshot data captured

 System Control Audit Review File (SCARF):

- Similar to the snapshot technique
- An embedded audit module is used to continuously monitor transactions & collect data
on transactions with special audit significance
- Information collected is written onto a special audit master file
- One of the most complex online audit techniques
- The audit modules are placed at predetermined points to gather information about
transactions which auditors deem to be material
- Two key decisions: what information is to be collected & what reporting system is to be used
- Auditors use SCARF to collect the following types of information:

 Application system errors
 Policy & procedural variances
 System exceptions
 Statistical samples
 Profiling data
 Performance measurement

 Continuous & Intermittent Simulation (CIS):

- Used to trap exceptions whenever the application system uses a DBMS
- The DBMS reads an application system transaction & passes it to CIS
- CIS determines whether it wants to examine this transaction further & simulates the
application system processing
- Every update to the database that arises from processing the selected transaction will
be checked by CIS for discrepancies in the results produced
- Exceptions are written to an exception log file

- Advantages of CIS:
 Does not require modification to application system for auditing
 Faster & efficient testing with large samples of data
 Increases the quantity of audits, so lesser risks
 Entire process can be evaluated and analyzed

 Advantages of continuous audit:

- Timely audit
- Comprehensive & detailed auditing
- Surprise test capability
- Assessing whether IS meets set objectives
- Training for new users

 Disadvantages of continuous audit:

- Rationing of available resources
- Involvement in system development
- Expert knowledge of the IS being used
- Missing audit trail
- Stable application system required for implementation
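The following Python script is an added example and not part of these notes; it serves the audit hook, snapshot technique and SCARF descriptions above with one toy ledger that has an audit module embedded in its posting routine. The transactions, the materiality threshold, the business-hours rule, the account names and the in-memory "files" (plain Python lists standing in for the audit master file and snapshot file) are all constructed assumptions.

```python
"""Embedded audit module illustrating the audit hook, snapshot and SCARF
techniques (added example, not from the notes; transactions, thresholds and
'files' are constructed)."""
from __future__ import annotations

from dataclasses import dataclass, field

MATERIALITY = 50_000           # assumed: amounts at or above this are of audit significance
BUSINESS_HOURS = range(9, 18)  # assumed: postings expected between 09:00 and 17:59


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: int
    hour: int               # hour of day the transaction was posted
    override: bool = False  # a validation check was manually overridden


@dataclass
class AuditModule:
    """Program code embedded in the application that performs audit functions."""
    scarf_file: list[dict] = field(default_factory=list)   # the special audit master file
    snapshots: list[dict] = field(default_factory=list)    # before-images and after-images
    notifications: list[tuple[str, list[str]]] = field(default_factory=list)

    def audit_hook(self, txn: Txn) -> list[str]:
        """Flag suspicious transactions as they occur (real-time notification)."""
        reasons = []
        if txn.hour not in BUSINESS_HOURS:
            reasons.append("posted outside business hours")
        if txn.override:
            reasons.append("validation check overridden")
        if reasons:
            self.notifications.append((txn.txn_id, reasons))
        return reasons

    def snapshot(self, point: str, txn: Txn, before: int, after: int) -> None:
        """Capture the before-image and after-image at a predetermined snapshot point."""
        self.snapshots.append({"point": point, "txn": txn.txn_id,
                               "before": before, "after": after})

    def scarf(self, txn: Txn, balance_after: int) -> bool:
        """Write transactions of special audit significance (material amount or
        policy variance) to the SCARF file; return whether one was written."""
        significant = txn.amount >= MATERIALITY or txn.override
        if significant:
            self.scarf_file.append({"txn": txn.txn_id, "account": txn.account,
                                    "amount": txn.amount, "balance_after": balance_after})
        return significant


def post_transactions(txns: list[Txn], audit: AuditModule) -> dict[str, int]:
    """Application processing with the audit module embedded at fixed points."""
    balances: dict[str, int] = {}
    for txn in txns:
        audit.audit_hook(txn)                 # hook runs before the update
        before = balances.get(txn.account, 0)
        after = before + txn.amount
        balances[txn.account] = after
        audit.snapshot("after-posting", txn, before, after)
        audit.scarf(txn, after)
    return balances


# Constructed transactions: T2 is material, T3 is after hours, T4 overrides a check.
CONSTRUCTED_TXNS = [
    Txn("T1", "ACC001", 1_500, hour=10),
    Txn("T2", "ACC001", 75_000, hour=11),
    Txn("T3", "ACC002", 900, hour=23),
    Txn("T4", "ACC002", 2_000, hour=14, override=True),
]


def run_demo() -> tuple[dict[str, int], AuditModule]:
    """Post the constructed transactions through a fresh audit module."""
    audit = AuditModule()
    return post_transactions(CONSTRUCTED_TXNS, audit), audit


if __name__ == "__main__":
    balances, audit = run_demo()
    print("balances:", balances)
    print("real-time notifications:", audit.notifications)
    print("SCARF file:", audit.scarf_file)
```

The three techniques sit at different points: the hook fires before processing and notifies immediately, the snapshot records both images around the update, and SCARF keeps only the transactions that meet the auditor's criteria, so the audit master file stays small while regular processing is not interrupted.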

20. Hardware Testing & Review

 Normally, hardware should be tested for:

- Memory
- Performance
- Security
- Reliability
- Error handling/ exit testing
- Max. no. of users supportable
- Maintenance support
- Accessibility testing


 Auditor should review & audit procedures for:

Audit Review & Testing of Hardware

 Hardware Acquisition
- Check for written policy
- Check approval process
- Check whether requests are supported by cost benefit analysis
- Check procedure of purchase
- Check for proper documentation

 Hardware Updation
- Check whether updation is timely planned
- Check whether the updation schedule provides time for installation & testing
- Check for proper documentation
- Check effect of updation, wherever necessary

 Preventive Maintenance Plan
- Check that frequency is timely planned
- Check maintenance contracts & actual maintenance performed
- Check maintenance operations

 General Controls
- Check controls / procedures being used
- Check logs of the system for hardware performance & problems

21. Operating System Review

Here, the auditor reviews the procurement, implementation, execution and maintenance of
system software such as operating system, in terms of:

 Approval process of software selection
 Cost / benefit analysis of system software procurement
 Controls over installation of the software
 System documentation
 Test software implementation
 System software security procedures
22. Network Review

 Network Audit Objectives

- Standards are in place for designing and selecting a LAN architecture
- Controls are there to ensure continuous working of the LAN
- Ensure that there is cost benefit in operating a LAN

The reviewer / auditor of networks should have knowledge about networks, network topology,
LAN technicalities etc. The auditor should review, test and validate the following controls for
networks:

 Physical controls

- Inspect LAN wiring closet & transmission wiring
- Verify security of the LAN file server computer
- Ensure that LAN operating manuals & documentation are properly secured

 Logical controls

- Evaluate sample profiles to ensure appropriate access
- Look for unauthorized access / users
- Verify that access & use are properly recorded in the automatic report
- Verify the automatic logoff feature
- Review a sample of LAN access change requests

 Environment controls

- Verify adequate temperature, static electricity facilities & electric surge protectors
- Verify storage & backup media facilities

SUMMARY OF VARIOUS CONCURRENT AUDIT TESTING

 ITF
- Description: In the database, a fictitious file is created & test transactions are processed with live data
- Merits: No need for separate testing as periodic testing takes place; useful when it is not beneficial to use test data
- Limitations: Highly complex; necessity for fool-proof planning; adoption of test data from production data

 Snapshot
- Description: Designated transactions are recorded through the logical paths that are contained in the programs
- Merits: Program logic can be verified; useful when an audit trail is a must
- Limitations: Auditors should possess extensive knowledge of the IS environment

 SCARF
- Description: It involves embedding specially written audit software in the organization’s applications so that the applications are selectively monitored
- Merits: Periodic samples & statistics of population data; useful when regular processing should not be interrupted
- Limitations: Very complex; very costly to develop & maintain; independence of auditors may be affected

 Audit Hook
- Description: It consists of embedding hooks to function as “Danger Flags”. It helps auditors to handle the situation before errors or irregularities are out of control
- Merits: Pro-active; preventive control; simple
- Limitations: Useful only when select transactions are to be examined

 CIS
- Description: It uses the DBMS to trap exceptions. The DBMS would indicate to CIS that its services are required. CIS would then determine its role
- Merits: Does not require modification to the application system; provides for online auditing
- Limitations: When the auditor wishes to collect evidence at processing points other than those involving the DBMS, it may not hold good; difficult to implement


***

05 RISK ASSESSMENT
METHODOLOGIES & APPLICATIONS
1. Risk Assessment seeks to identify which business processes and related resources are
critical to the business, what threats or exposure exists, that can cause an unplanned
interruption of the business processes and what costs accrue due to an interruption

Risk assessment consists of two basic components: Data Collection & Data Analysis. Purpose
of risk analysis involves threat identification and risk mitigation

2. Risk

 It is the likelihood that an organization may be exposed to some threats that may cause
harm to the organization.

 Risk leads to a gap between the need to protect a system and the degree of protection
applied. This gap is known as the Security Gap

 Risk reduction & security measures are needed for:

- Enhanced business performance
- Improved & demonstrated information
- Effective interactions with trading partners and closer customer relations
- Improved competitive advantage
- Protected reputation

 Reasons for occurrence of risk:

- Use of new technologies
- Extensive use of network applications
- Use of distributed systems
- Frequent technological changes
- Easy-to-conduct & hard-to-detect electronic attacks
- Decentralization of management & control
- Unfavorable legal & regulatory requirements

 Possible impact on critical business operations:

- Hacking, virus attack & leakage of corporate confidential information
- Bad effects on privacy & ethical values
- Danger to IS availability & robustness

3. Definitions

 Threat is an action, event or condition where there is compromise in the system, its quality
and ability to inflict harm to the organization. It is any circumstance or event with the
potential to cause harm to an Information System in the form of destruction, disclosure,
adverse modification of data and denial of services

 Vulnerability is the weakness in the safeguard or security of the system that exposes the
IS to various threats.

 Exposure is the extent of loss organization may face in case of risk. It is impact of
occurrence of risk in immediate & longer term.

 Likelihood of the threat occurring is the estimation of the probability that the threat will
succeed in achieving an undesirable event

 Attack is a set of actions which may compromise the integrity & confidentiality & other
desired features of an IS. The type of attack & its degree of success determine the results
or consequences of attack.

 Residual Risk: Any risk that still remains after all the security measures to prevent the risks
are analyzed & implemented. Here, the organization’s management needs to consider two areas:

- Acceptance level of residual risk
- Selection of safeguards to be implemented to reduce overall risks to reach the level of
acceptance
As long as residual risks can be minimized & kept at an acceptable level, the risks are
considered to be managed.

 Risk Appetite refers to the management policy as to whether it wants to be risk aggressive
or risk averse

 Risk Acceptability Level refers to the issue of how much risk is acceptable and what
price should be payable to reduce a certain part of the risk

 Security Gap is the gap between the need to protect systems & the degree of protection
applied.

 Malicious code is a code such as viruses and worms which freely access the unprotected
networks which may affect organizational and business networks that use these
unprotected networks.
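The following Python script is an added example and not part of these notes; it puts the residual risk, risk appetite and risk acceptability level definitions above into a small risk register. Threats are scored as likelihood times impact, residual risk is recomputed after each safeguard, and safeguards are selected until every threat's residual risk is within the acceptance level. The threats, their scores, the safeguards, their costs, the likelihood reduction each gives and the acceptance level of 8 are all constructed figures; the 1 to 5 scales and the cost-per-point-removed selection rule are assumptions for illustration, not a method these notes prescribe.

```python
"""Residual risk and safeguard selection against an acceptance level
(added example, not from the notes; all figures are constructed)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)

    @property
    def inherent_risk(self) -> int:
        """Exposure before any safeguard: likelihood x impact."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str                # name of the threat it addresses
    cost: int                  # constructed cost units
    likelihood_reduction: int  # assumed: likelihood points it removes


def residual_risk(threat: Threat, applied: list[Safeguard]) -> int:
    """Risk that remains after the applied safeguards for this threat.
    Likelihood never drops below 1: some residual risk always remains."""
    reduction = sum(s.likelihood_reduction for s in applied if s.threat == threat.name)
    return max(1, threat.likelihood - reduction) * threat.impact


def select_safeguards(
    threats: list[Threat], safeguards: list[Safeguard], acceptance_level: int
) -> tuple[list[Safeguard], dict[str, int]]:
    """For each threat above the acceptance level, add the safeguard with the lowest
    cost per point of risk removed until the residual risk is within the level or no
    safeguard gives any further reduction (greedy rule, an assumption of this example)."""
    chosen: list[Safeguard] = []
    for threat in threats:
        available = [s for s in safeguards if s.threat == threat.name]
        while residual_risk(threat, chosen) > acceptance_level and available:
            current = residual_risk(threat, chosen)
            gains = {s.name: current - residual_risk(threat, chosen + [s]) for s in available}
            useful = [s for s in available if gains[s.name] > 0]
            if not useful:
                break  # the remaining safeguards would not reduce this threat further
            best = min(useful, key=lambda s: s.cost / gains[s.name])
            chosen.append(best)
            available.remove(best)
    residuals = {t.name: residual_risk(t, chosen) for t in threats}
    return chosen, residuals


ACCEPTANCE_LEVEL = 8  # assumed risk acceptability level set by management

CONSTRUCTED_THREATS = [
    Threat("Malicious code", likelihood=4, impact=4),             # inherent 16
    Threat("Power loss", likelihood=3, impact=2),                 # inherent 6
    Threat("Abuse of access privilege", likelihood=2, impact=5),  # inherent 10
]

CONSTRUCTED_SAFEGUARDS = [
    Safeguard("Anti-virus scanners", "Malicious code", cost=20, likelihood_reduction=2),
    Safeguard("Patch management", "Malicious code", cost=30, likelihood_reduction=1),
    Safeguard("UPS", "Power loss", cost=15, likelihood_reduction=2),
    Safeguard("Access review and logging", "Abuse of access privilege", cost=25, likelihood_reduction=1),
]


def run_assessment() -> tuple[list[str], dict[str, int], int]:
    """Return the chosen safeguard names, residual risk per threat and total cost."""
    chosen, residuals = select_safeguards(CONSTRUCTED_THREATS, CONSTRUCTED_SAFEGUARDS, ACCEPTANCE_LEVEL)
    return [s.name for s in chosen], residuals, sum(s.cost for s in chosen)


if __name__ == "__main__":
    names, residuals, cost = run_assessment()
    for t in CONSTRUCTED_THREATS:
        print(f"{t.name}: inherent {t.inherent_risk}, residual {residuals[t.name]}")
    print("safeguards:", names, "total cost:", cost)
```

With these figures "Power loss" is already within the acceptance level and gets no safeguard, while "Malicious code" is brought from 16 to exactly 8 by the cheaper of its two safeguards; lowering ACCEPTANCE_LEVEL (a more risk-averse appetite) makes the selection add "Patch management" as well, which is the price of reducing that part of the risk.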

4. Threats to Computerized Environment

 Power loss
 Communication network failure
 Disgruntled employees
 Errors
 Malicious codes (programs)
 Abuse of access privilege by employees
 Natural disasters
 Theft & destruction of computing resources
 Downtime due to technology failure

5. Cyber Crime & threats due to Cyber Crime

Cyber Crime is the general nomenclature for “electronic offences” due to increasing use of
computer network & internet & frauds thereof.

 Embezzlement is unlawful misappropriation of money or other things of value, by the
person to whom it was entrusted, for his own purpose

 Fraud occurs on account of intentional misrepresentation of information or identity to
deceive others to obtain money or other things of value

 Theft of proprietary information is the illegal obtaining of designs, patents etc. and personal
or financial information, usually by electronic copying

 Denial of service is usually caused by events such as ping attacks, port scanning probes
and excessive amounts of incoming data

 Vandalism or sabotage is the deliberate or malicious damage, defacement, destruction or
other alteration of electronic files or programs

 Computer virus is a computer program that can copy itself and infect a computer without
the permission or knowledge of the user

6. Risk Assessment is a critical step in disaster and business continuity planning. It is necessary
for developing a well tested contingency plan.

Risk assessment is the analysis of threats to resources and the determination of amount of
protection necessary to adequately safeguard the resources, so that vital systems, operations
and services can be resumed to normal status in the minimum time in case of a disaster.
Risk assessment is a useful technique to assess the risks involved in the event of unavailability
of information, to prioritize applications, identify exposures and develop recovery scenarios.
The areas to be focused are:

• Prioritization of all applications by identifying critical operations to manage recovery in event
of disaster

• Identifying critical components & related applications

• Assessing their impact on organization

- Legal liabilities
- Interruptions of customer service
- Possible losses
- Likelihood of fraud and recovery procedures

• Determination of recovery-time period

• Assessment of Insurance coverage. The Information System insurance policy should be a
multi peril policy, designed to provide various types of coverage

• Identification of exposures & implications

• Development of recovery plan

7. Risk Management is the systematic application of management policies, procedures &
practices to the tasks of establishing the context, identifying, analyzing, evaluating, treating,
monitoring & communicating risk.

• Classification of Risks

Basis: 1. Link to technology
  Systematic Risk: Constant across majority of techniques & applications. Will remain,
  irrespective of whatever technology used
  Unsystematic Risk: Peculiar to each particular technology/ application

Basis: 2. Factors/ sources
  Systematic Risk: Generally dependent on external factors
  Unsystematic Risk: Related to technology & dependent on internal factors

Basis: 3. Nature of solution
  Systematic Risk: Can be reduced by Management Control Process
  Unsystematic Risk: Can be reduced by Technological Solutions

Basis: 4. Cost incurred for mitigation
  Systematic Risk: = Cost of implementing managerial actions
  Unsystematic Risk: = Cost of new technology to be implemented

Basis: 5. Management decision process
  Systematic Risk: Generally unavoidable. Management has to incur cost of risk mitigation
  Unsystematic Risk: To identify whether overall risk exposure of firm is reduced on account
  of additional investment

• Risk management process:

- Identify the technology related risks under the scope of operational risks
- Address the identified risks in terms of probability and exposure
- Classify the risks as systematic and unsystematic
- Identify various managerial actions that can reduce exposure to systematic risks and the
cost of implementing the same
- Identify the contribution of the technology in reducing overall risk exposure
- Evaluate the technology risk premium on available solutions and compare the same with
the possible values of loss from the exposure
- Match the analysis with the management policy on risk appetite and decide on
introduction of the same

• Risk management cycle is a process involving the following steps: identifying assets,
vulnerabilities and threats; assessing the risks; developing a risk management plan;
implementing risk management actions and re-evaluating the risks.

8. Risk Assessment & Evaluation Process

ESTABLISH THE CONTEXT

IDENTIFY THE RISKS (Risk Assessment): identification of risk factors

ANALYZE THE RISKS (Risk Assessment): quantitative & qualitative analysis of identified risks

EVALUATE THE RISKS (Risk Assessment): compare risks against criteria to accept/ treat risks

TREAT THE RISKS: identify & assess options & prepare treatment plan

RISK = PROBABILITY OF FAILURE x POSSIBILITY OF EXPOSURE

PROBABILITY OF FAILURE
a) “What is the probability that things can go wrong?”
b) View will be analyzed only from technical viewpoint, and not based on past experience
c) While deciding on the class to be accorded, measures available to prevent such happening
should also be considered

EXPOSURE
a) “What is the cost if what can go wrong does go wrong?”
b) Risk is evaluated by answering the above questions for various risk factors & assessing
the probability of failure & impact of exposure for each risk factor

Purpose of risk analysis & evaluation:

• Identify probability of failures & threats

• Calculate the exposure

9. Risk Identification

• Purpose is to identify various risks inherent to performing business functions, especially
w.r.t. use of IT
• Risk identification should be comprehensive
• Risk identification should be for operations, financial objectives & compliance

• Questions to be asked:

- What assets to be protected
- What could go wrong with assets
- How could we fail to deliver
- What are various threats to A & L
- What info. to be relied upon
- What is greatest legal, financial & operational exposure

10. Risk Assessment & Evaluation Techniques

• Judgement & Evaluation/ Intuition

- Auditors use their judgement & intuition for risk assessment
- Technique depends on personal & professional experience of IS auditors
- Systematic & CPE required

• Delphi Techniques

- Based on concept of obtaining a consensus opinion from a panel of experts
- Each expert gives individual opinion
- Opinions are then pooled & those within pre-defined acceptance range are taken

• Scoring Approach

- Risks & their respective exposures are listed
- Weights are assigned to each risk depending on impact & costs involved
- System risk is ranked & overall score obtained

• Quantitative Techniques

- Involves calculating an annual loss exposure value based on the probability of the event
and the exposure in terms of estimated costs

• Weighted Point Rating System

- Each level of probability is assigned points {High-10, Medium-5, Low-1}
- Weighted risk = probability x Highest impact rating

11. Risk Ranking

• Technique to measure impact of potential risks

• Requires that each component & application be analyzed separately before ranking

• Two quantitative parameters used for ranking:
- Probability of occurrence
- Possible impact or exposure of threats

• Considering & analyzing risk impacts & probability of occurrence includes:
(Considerations in analyzing risks)
- Investigating the frequencies of particular types of disaster
- Determining the degree of predictability of disaster
- Analyzing speed of occurring impact of disaster
- Determining amount of forewarning associated with disaster
- Estimating situation of disaster
- Considering impact of disasters if vital records are destroyed/ not destroyed
- Identifying consequences of disaster
- Estimating potential loss
- Determining cost of contingency planning
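As an added worked example (not part of these notes), the following Python code applies the scoring techniques from points 8, 10 and 11 to a constructed risk register: the quantitative annual loss exposure (probability of the event x estimated cost), the weighted point rating (High-10, Medium-5, Low-1 times the highest impact rating) and an evaluation step that compares each risk against an acceptance criterion. The threat names follow point 4, but every rate, cost and impact rating is a constructed sample value.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Points per probability class, as given for the Weighted Point Rating System
PROBABILITY_POINTS = {"High": 10, "Medium": 5, "Low": 1}


@dataclass
class Risk:
    name: str
    probability_class: str          # "High", "Medium" or "Low"
    annual_rate: float              # expected occurrences per year (quantitative technique)
    loss_per_event: float           # estimated cost of one occurrence (the exposure)
    impact_ratings: Dict[str, int]  # impact rating 1-10 per consequence area

    def weighted_risk(self) -> int:
        """Weighted risk = probability points x highest impact rating."""
        return PROBABILITY_POINTS[self.probability_class] * max(self.impact_ratings.values())

    def annual_loss_exposure(self) -> float:
        """Annual loss exposure = probability of the event x exposure in estimated cost."""
        return self.annual_rate * self.loss_per_event


def rank_by_weighted_risk(register: List[Risk]) -> List[str]:
    """Risk ranking on the weighted score; ties are broken by annual loss exposure."""
    ordered = sorted(register, key=lambda r: (-r.weighted_risk(), -r.annual_loss_exposure()))
    return [r.name for r in ordered]


def rank_by_annual_loss_exposure(register: List[Risk]) -> List[str]:
    """Risk ranking on the quantitative annual loss exposure."""
    return [r.name for r in sorted(register, key=lambda r: -r.annual_loss_exposure())]


def evaluate_risks(register: List[Risk], weighted_threshold: int,
                   ale_threshold: Optional[float] = None) -> Dict[str, str]:
    """'Evaluate the risks' step: compare each risk against acceptance criteria.

    A risk is marked 'treat' when its weighted score reaches weighted_threshold or,
    if ale_threshold is given, when its annual loss exposure reaches that amount;
    otherwise it is 'accept'.
    """
    decisions = {}
    for r in register:
        treat = r.weighted_risk() >= weighted_threshold
        if ale_threshold is not None:
            treat = treat or r.annual_loss_exposure() >= ale_threshold
        decisions[r.name] = "treat" if treat else "accept"
    return decisions


# Constructed sample register: the threat names follow point 4 of the notes, but the
# rates, costs and impact ratings are illustrative values, not figures from the notes.
SAMPLE_REGISTER = [
    Risk("Power loss", "High", 4.0, 20_000.0,
         {"Legal liability": 2, "Customer service": 7, "Possible losses": 5}),
    Risk("Malicious code", "Medium", 1.5, 150_000.0,
         {"Legal liability": 6, "Customer service": 8, "Possible losses": 9}),
    Risk("Natural disaster", "Low", 0.25, 800_000.0,
         {"Legal liability": 4, "Customer service": 10, "Possible losses": 10}),
    Risk("Disgruntled employee", "Medium", 0.5, 50_000.0,
         {"Legal liability": 9, "Customer service": 3, "Possible losses": 6}),
]


if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:22s} weighted={r.weighted_risk():3d}  ALE={r.annual_loss_exposure():>12,.0f}")
    print("Ranked by weighted risk:", rank_by_weighted_risk(SAMPLE_REGISTER))
    print("Ranked by annual loss exposure:", rank_by_annual_loss_exposure(SAMPLE_REGISTER))
    # The two techniques disagree on the low-probability, high-impact natural disaster:
    print("Weighted score only:", evaluate_risks(SAMPLE_REGISTER, 40))
    print("Weighted score or ALE:", evaluate_risks(SAMPLE_REGISTER, 40, 100_000.0))
```

The two rankings disagree on the natural disaster entry: the weighted rating pushes a Low-probability risk to the bottom, while the annual loss exposure keeps it near the top, which is why the evaluation step is run with both criteria.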

12. RISK MITIGATION

• Means avoiding risks

• Should be based on probability of occurrence of risk & severity of risk in terms of losses

• Some risk mitigation measures are:

- Creating supportive environment
- Strengthening internal controls
- Establishing reserve funds
- Setting up of operational risk limits
- Setting up independent operational risk management departments
- Establishing disaster recovery plan

• Common risk mitigation techniques:

- Insurance
- Outsourcing
- Service Level Agreements

13. RISK & CONTROLS

Excessive Risk leads to:
• Loss of assets
• Poor business decisions
• Non-compliance
• Increased regulations
• Increased frauds

Excessive Control leads to:
• Increased bureaucracy
• Reduced productivity
• Increased complexity
• Increased processing cycle-time
• Increase of activities having no value

***

06 BUSINESS CONTINUITY PLANNING
& DISASTER RECOVERY PLANNING

1. Business Continuity Planning refers to the plans to avoid crisis & disasters, and in case
crisis & disasters occur, then, it defines plans for immediate recovery from these. It defines
steps, plans & procedure for continuance of business activities irrespective of any situation.

BCP is a plan for running the business under stressful & time-compressed conditions.

• BCP covers three important areas:

- Business Resumption Planning
- Disaster Recovery Planning
- Crisis Management

• Following resources play an important role in Business Continuity Life Cycle:

- IT & Telecommunication
- Business Processes
- People
- Liquidity
- Facilities

• Objectives of BCLC:

- Optimum resource mix
- Optimum costs
- Minimum losses

• The above resources are assigned based on following Business Continuity Life Cycle
assessment: (Components of BCLC)
- Risk Assessment
- Determination of Recovery Alternatives
- Recovery Plan Implementation
- Recovery Plan Validation

2. Objectives of BCP

• ‘Objectives’ are used for ‘long-term aim’ & ‘Goals’ are used for ‘short-term aim’

• Objectives:

- Safety to people at time of disaster
- Immediate resumption of critical business operations
- Minimization of losses
- Minimum resource disruption
- Reduce complexity of recovery tasks
- Ensuring effective co-operation of recovery tasks
- Establish required emergency powers & management succession

• Goals:

- Identify weaknesses & implement DRP accordingly
- Minimizing duration of serious disruption to business operations
- Facilitate effective coordination for recovery tasks
- Reduce complexity of recovery tasks

3. Developing BCP

• General aspects of sound BCP:

- Provide a complete understanding of efforts required to maintain effective DRP
- Develop easy-to-maintain, understand & implement DRP
- Document possible losses, recovery tasks & procedures
- Integrate the BCP into ongoing other business planning processes
- Select proper BCP team
- Focusing on preventing disaster, minimizing impact of disasters & orderly & timely
recovery from disaster

• Phases of BCP:

- Pre-planning: understanding existing & projected business operations; establish a
steering committee; develop a policy to support BCP; provide awareness & education.
Includes aspects which help to develop & implement an effective BCP.

- Vulnerability Assessment: analyze possible threats/ disasters; assess all security
measures. It focuses on steps to identify how vulnerable are various IT resources. An
assessment of causes & probability of disaster is performed.

- Business Impact Analysis (BIA): discussed in point 4 below

- Detailed definition of requirements: requirements classified into short-term, medium-term
& long-term

- Design & develop BCP Plan: two aims:- business recovery & technical recovery

- Testing: ensure recovery procedures are complete & workable; adequate competence
of personnel; availability of resources; workability of manual procedures; proper training
of BCP programmes

- Implementation: implement selected plan; define periodic test schedules; define test
approaches; identify test types with procedure to conduct tests; analyze test results;
modify plans as per maintenance program

- Maintenance: determine ownership of responsibility for maintenance; identify events
which may trigger maintenance of BCP; ensure proper maintenance & updation of plan

4. Business Impact Analysis is a means of systematically assessing the potential impacts
resulting from various events or incidents. A critical step in a sensible BCP is to consider &
analyze the potential impact of each type of problem. This is called BIA.

• Purpose:

- Identify critical systems, processes & functions
- Assess the economic impact of events & disasters
- Assess the pain threshold (the length of time business units can survive without
access to system, service or facilities).
- Understand the degree of potential losses

• Tasks:

- Identify organizational risks
- Identify critical business processes
- Identify & quantify threats/ risks to critical business processes
- Identify dependencies & inter-dependencies of critical business processes
- Determine maximum allowable downtime
- Identify type & quantity of resources required for recovery
- Determine impact to firm in event of disaster

• Sources of collecting information:

- Questionnaires & responses
- Workshops
- Interviews
- Examination of documents & information flows

5. Types of DRP (disaster recovery sub-plans)

• Emergency plan: identify who is to be notified immediately; actions to be undertaken on
priority. Specifies actions to be undertaken immediately when a disaster occurs.

• Back-up Plan: decide what back-up to be maintained; resources to be considered for back-
up. Intended to restore operations quickly so that IS functions can continue to serve an
organization.

• Recovery Plan: explains steps to be taken to recover immediately from disaster; decide
which applications to be recovered first. Sets out procedures to restore full IS capabilities.

• Test Plan: frequently test to check whether all plans are properly functioning. Purpose is to
identify deficiencies in emergency, back-up or recovery plans.

6. Threats Management

• Potential Threats:
- Human errors
- Equipment failures
- Electricity/ communication outages
- Natural disasters
- Virus attack/ hacking
- Outsourcing

• Threats may cause:

- Loss of data integrity
- Loss of data confidentiality
- Loss of system availability
- Unauthorized access to system resources
- Industrial espionage

• Possible appropriate controls:

- Data encryption
- Installing firewall
- Use of data validation & reconciliation
- User identification & authentication
- Updated anti-virus
- Regular back-up
- Audit trail control
- System & network monitoring

• Single Point of Failure Analysis: a particular failure may disrupt entire services in
organization.

Causes of Single Point of Failure:

- Continued growth & complexity in firm’s IS environment
- Changes in technology
- Customer’s demands for new channels

7. Technology Risk Assessment is a business-driven process to identify, quantify and manage
risks, while listing out future suggestions for improvement in technical delivery.

It is a framework that governs technical choice & delivery processes with cyclic checkpoints
during the project life cycle.

Objectives:

• Identify IT risks
• Determine level of risks
• Identify risk factors
• Develop risk mitigation strategies

Benefits:

- Identifies, quantifies & manages risk while listing out future suggestions for improvement in
technical delivery
- Governs technical choice & delivery process
- Interpretation & communication of potential risk impact
- Implementation of strict disciplines for active risk management

8. Software & Data Back-Up Techniques

• Full back-up:
- Restores all back-up files at one stretch
- Contains every file
- Requires huge space & consumes lot of time

• Differential back-up:
- Contains all files that have changed since last back-up
- Faster & economical
- 2-step operation

• Incremental back-up:
- Only those files are saved that are modified since last full/ differential back-up
- Difficult to restore

• Mirror back-up:
- Used to create exact copy of back-up data
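An added simulation (example code, not from these notes) that shows what full, differential, incremental and mirror back-ups each store and what a restore then needs. It uses the conventional definitions, which match the "2-step" and "difficult to restore" properties above: a differential holds everything changed since the last full back-up, an incremental holds only what changed since the last back-up of any kind, and a mirror is one exact copy. File names and version strings are constructed.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A file set is modelled as path -> content version; this stands in for real file data
# so the example runs offline (constructed sample data, not from the notes).
Snapshot = Dict[str, str]


@dataclass
class BackupSet:
    kind: str        # "full", "differential" or "incremental"
    files: Snapshot  # only the files actually written to the back-up medium


class BackupHistory:
    """Takes back-ups of a changing file set and works out what a restore needs.
    Deleted files are not tracked, to keep the illustration short."""

    def __init__(self) -> None:
        self.sets: List[BackupSet] = []
        self._at_last_full: Optional[Snapshot] = None    # state when the last full ran
        self._at_last_backup: Optional[Snapshot] = None  # state when any back-up last ran
        self.mirror: Optional[Snapshot] = None           # a mirror keeps one exact copy only

    @staticmethod
    def _changed_since(current: Snapshot, baseline: Snapshot) -> Snapshot:
        return {path: ver for path, ver in current.items() if baseline.get(path) != ver}

    def full(self, current: Snapshot) -> None:
        """Full back-up: every file; one-step restore, but the most space and time."""
        self.sets.append(BackupSet("full", deepcopy(current)))
        self._at_last_full = deepcopy(current)
        self._at_last_backup = deepcopy(current)

    def differential(self, current: Snapshot) -> None:
        """Differential: all files changed since the last FULL back-up (2-step restore)."""
        if self._at_last_full is None:
            raise RuntimeError("a differential back-up needs a prior full back-up")
        self.sets.append(BackupSet("differential", self._changed_since(current, self._at_last_full)))
        self._at_last_backup = deepcopy(current)

    def incremental(self, current: Snapshot) -> None:
        """Incremental: only files changed since the last back-up of ANY kind (chained restore)."""
        if self._at_last_backup is None:
            raise RuntimeError("an incremental back-up needs a prior back-up")
        self.sets.append(BackupSet("incremental", self._changed_since(current, self._at_last_backup)))
        self._at_last_backup = deepcopy(current)

    def take_mirror(self, current: Snapshot) -> None:
        """Mirror back-up: an exact copy that simply replaces the previous mirror."""
        self.mirror = deepcopy(current)

    def restore_plan(self) -> List[BackupSet]:
        """Smallest ordered list of sets that rebuilds the latest backed-up state."""
        full_idxs = [i for i, s in enumerate(self.sets) if s.kind == "full"]
        if not full_idxs:
            raise RuntimeError("nothing to restore from: no full back-up has been taken")
        after = self.sets[full_idxs[-1] + 1:]
        diff_idxs = [i for i, s in enumerate(after) if s.kind == "differential"]
        # The latest differential already holds every change since the full, so only it
        # and the incrementals taken after it are needed (all incrementals if there is none).
        start = diff_idxs[-1] if diff_idxs else -1
        plan = [self.sets[full_idxs[-1]]]
        if start >= 0:
            plan.append(after[start])
        plan.extend(s for s in after[start + 1:] if s.kind == "incremental")
        return plan

    def restore(self) -> Snapshot:
        result: Snapshot = {}
        for backup_set in self.restore_plan():
            result.update(backup_set.files)  # later sets overwrite older versions
        return result


def simulate_week() -> Tuple[Snapshot, List[str], List[int]]:
    """Constructed five-day schedule. Returns the restored state, the kinds of sets the
    restore needed, and how many files each back-up set had to store."""
    hist = BackupHistory()
    files: Snapshot = {"ledger.db": "v1", "payroll.xls": "v1", "config.ini": "v1"}
    hist.full(files)               # day 0: baseline copy of all three files
    files["payroll.xls"] = "v2"
    hist.incremental(files)        # day 1: stores one file
    files["config.ini"] = "v2"
    hist.incremental(files)        # day 2: stores one file
    files["ledger.db"] = "v2"
    hist.differential(files)       # day 3: stores all three, as all differ from the full
    files["payroll.xls"] = "v3"
    hist.incremental(files)        # day 4: stores one file
    hist.take_mirror(files)        # an exact copy of the current state
    restored = hist.restore()
    assert restored == files and hist.mirror == files
    return restored, [s.kind for s in hist.restore_plan()], [len(s.files) for s in hist.sets]
```

Calling simulate_week() shows the trade-off in the notes directly: the day-3 differential stores as much as the full did, but the restore needs only three sets (full, that differential, the last incremental) instead of the whole incremental chain.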

9. Alternate Processing Facility Arrangement

• Cold Site: maintains critical equipments & resources in duplicate form at some off-site
location. In case of disasters, these resources & equipments operate from off-site. Low-
cost, but does not provide 100% downtime elimination

• Hot Site: maintains critical equipments & resources in synchronized form at some off-site
location. Most expensive, but nil downtime.

• Warm Site: between hot & cold sites. Better than cold, worse than hot sites.

• Reciprocal Agreement: two organizations maintain each-other’s back-up to facilitate other
in continuance of services in case of disaster. Each party maintains extra capacity to serve
other’s critical systems.

10. Issues to be considered when deciding to outsource a third party site for alternate back-up &
recovery process:

- How soon the site will be made available subsequent to a disaster
- The number of organizations that will be allowed to use the site concurrently in the event of
a disaster
- The priority to be given to concurrent users of the site in the event of a common disaster
- The period during which the site can be used
- The conditions under which the site can be used
- The facilities & services the site provider agrees to make available &
- What controls will be in place & working at the off-site facilities

11. Back-Up Redundancy

• Off-site back-up: maintain at least one back-up at different location (if the back-up is
maintained at working location itself, it is active back-up)

• Multiple Back-up: maintain same back-up in multiple disks

• Media rotation: rotate active back-up with off-site back-up to update off-site back-up with
latest values

12. Back-Up Media Types & Basis Of Selection

• Various types of back-up media are:

- Floppies
- CD
- Magnetic tape
- Disk Drive
- Removable disks
- Digital audio tape (DAT) Drives
- Optical jukeboxes
- Autoloader tape systems
- USB Flash drives
- Zip drive
- DVD

• Selection of appropriate tools & back-up devices depends upon:

- Speed
- Reliability
- Capacity
- Extensibility
- Cost
- Flexibility

• Back-up Tips:

- Develop simple & easy-to-understand plan
- Be organized
- Utilize user-friendly software
- Verify the available back-up
- Restrict data storage privilege
- Create a step-by-step guideline

13. Disaster Recovery Plan

• DRP is a document which includes all the procedures to be followed to recover from
disasters

• A very detailed document which lists all procedures & plans.

• Also known as DRP Document or DRP Manual

• Includes:
- Emergency plan
- Recovery plan
- Back-up plan
- Test plan
- Insurance

14. Insurance

• Considered to spread the cost & risk of loss from individual to large number of people

• Policies are obtained to cover loss of following:

- Equipments
- Facilities
- Storage media
- Business interruption
- Extra expenses
- Valuable documents
- Accounts receivables
- Third party damage claims

• Types of Insurances:

First party insurance:
- Property damage
- Business interruption

Third party insurance:
- General liability
- Errors & omissions
- Directors & officers

15. Testing Methodology & Check-List

• Following tests are conducted for DRP:

- Hypothetical test: paper test where verification of all procedures & actions specified in
recovery plan are conducted

- Component test: used to verify details & accuracy of individual procedures within
recovery plan

- Module test: combination of components is tested together for functionality

- Full test: used to verify that multiple modules will recover immediately from any
disaster. Main objective is to ensure that: 1) total time for recovery meets set time
objective & 2) recovery plan is efficient & can be performed without obstacle

• Following methodologies are used for testing:

- Setting test objectives
- Defining boundaries
- Defining scenarios
- Setting testing criteria
- Developing assumptions
- Testing pre-requisites
- Briefing sessions
- Checklists

16. Audit Tools & Techniques For DRP

The best audit tool & technique is a Periodic Simulation of a disaster. Other audit tools &
techniques would include:

• Observations
• Interviews
• Checklists
• Inquiries
• Meetings
• Questionnaires
• Documentation review

These tools & techniques are categorized into:

• Automated tools
• Internal control auditing
• Disaster & security check-list
• Penetration Testing (used to locate specific vulnerabilities & threats)

17. Test Objectives should include:

• Recovery of systems at standby site
• A fully documented set of procedures to restore systems & critical applications to agreed
recovery point
• Recovery of system/ application/ network/ database data from backup tapes
• Detailed documentation on how to restore production data
• Established communication lines/ equipment as set out in plan
• Examination of designated alternatives & confirmation of all components

18. Audit Of DRP / Business Resumption Plan

Steps:

• Audit the methodology of DRP preparation
• Audit the back-up & recovery procedures
• Audit the test plan
• Audit the team & personnel responsibilities

***

07 AN OVERVIEW OF ERP
1. Introduction

• ERP is a solution to overall business problems. It is an attempt to integrate the five major
resources of an organization, i.e. Man, Material, Money, Machine & Market

• It involves managing a large volume of data, number of users & multiple system
components

• It attempts to integrate all functions & resources to make business more effective.

• ERP is a fully integrated business management system which integrates operation
processes & information flows.

• It aims at one database, one application & one user interface.

2. Definition

• ERP is “Software solution that addresses the need of the enterprise by tightly integrating all
functions of an enterprise.”

• ERP is reengineering of the current business practices for more efficient & accurate
functioning. It is a mix of software tools enabled with newly designed, well-planned
business practices.

3. Why companies undertake ERP?

• To integrate financial information
• To integrate customer order information
• To standardize & speed-up manufacturing processes
• To reduce inventory
• To standardize HR information

4. Evolution of ERP

Basic requirements of businesses to remain in competition:

• Aggressive cost-cutting
• Cost/ Revenue Analysis
• Flexibility to respond quickly to enhancing requirements
• Better-informed decision-making

To assist businesses in their needs, following IS were introduced:

• Management Information System (MIS)
• Integrated Information System (IIS)
• Executive Information System (EIS)
• Enterprise-wide Information System (EWIS)

The above IS lacked integration. Then,

• Materials Requirement Planning (MRP)

was introduced which integrated manufacturing process with other business IS.

MRP was further extended to include vendors, suppliers etc. through LAN & WAN. This was
known as:

• Manufacturing Requirement Planning (MRP II)

• ERP evolved from MRP II.

5. Enabling Technologies for ERP

Most of ERP systems use power of Three-Tier Client/Server Architecture. Technologies
required for ERP in three-tier C/ST are:

• Basic Technology: sophisticated IT infrastructure like CS/T & RDBMS

• Enabling Technology: work flow, work group, groupware & EDI

• 3-tier Client Server:

Server: stores data, maintains integrity & consistency & processes user requests from
client desktops

Middleware: contains all application logic & rules, does validation checks

Processing Architecture: load of data processing & application logic is divided
between client & server

To facilitate online transactions, other important enabling technologies for ERP systems are:

• Workflow,
• Work group,
• Electronic Data Interchange,
• Internet & Intranet; and
• Data warehousing.

6. Difference between Traditional Approach Systems & ERP

Traditional Systems:
1. Each transaction is treated separately.
2. All application systems are mainly data manipulation tools
3. A problem of non-linkage between application systems used by different departments

ERP:
1. Transactions are part of inter-linked processes that form a suitable model
2. Fully integrated business management system
3. Integrated for multi-users, at multi-locations

7. Ideals/ pre-requisites of ERP

• Best business practices
• Wide scope
• Modular & open
• Exhaustive & Flexible

8. Characteristics of ERP

• Flexibility
• Open-system architecture
• Comprehensive
• On-line connectivity to other business entities
• Collection of best business practices

9. Features of ERP

• Cross-functional
• Multi-faceted
• Comprehensive
• Supports business process integration
• Provides end-to-end supply chain management solutions
• Provides customer relations management solutions
• Bridges information gap across organization
• Inter-group system integration
• Automatic use of latest technologies like EFT, EDI, Data Warehousing & E-commerce
• Provides intelligent business tools

10. Benefits of ERP

• Tangible Benefits

- Reduction of lead time
- On-time logistics
- Increased business activities
- Reduction in transaction processing cycle time
- Reduction in inventory of raw material, WIP & finished goods
- Accurate and updated information at any instant

• Intangible Benefits

- Better customer satisfaction
- Improved vendor performance
- Reduced quality costs
- Increased flexibility
- Improved resource utility & decision making capability

Business Process Re-Engineering

11. Definition

• BPR aims to achieve dramatic improvement by major transformations of business
processes.

• BPR is the fundamental rethinking, radical redesign and reinventing of business processes
to achieve dramatic improvement in terms of cost, quality, service and speed.

12. Major principles of BPR

• Single point responsibility for any business process

• Continuous communication and coordination between people performing work in parallel

• Common on-line storage form of database

13. Business Engineering

Business Engineering is the merger of two concepts. It combines the innovation of information
technology with BPR to focus on better business processes. The main thrust of business
engineering lies in far-reaching, best-procedure-based and process-oriented solutions, which
have been greatly enhanced by client / server computing.

14. Features of Business Engineering

• It is the method of development of business processes according to changing requirements

• Aims at efficient re-designing of company’s value-added chains

15. Need for BPR

• Objective of implementing ERP is to effectively & completely support the enterprise’s
business plan & business processes
• ERP integrates effectively with business management issues
• When an enterprise does not have optimized business processes, ERP needs a process
re-engineering to capture knowledge of experts into the system

Hence, there is need for BPR

16. Role Of BPR In ERP

The basic objective of implementing ERP is to put in place the application and infrastructure
that support organization’s business plans & processes in the best possible manner. Thus,
BPR is mandatory for successful ERP implementation.

17. Business Modeling

• The first step in ERP implementation is to carry out BPR by development of business
process model showing business processes as one large system with interconnection and
sequence of business subsystems and processes. This development of business process
model for present and required business process is known as Business Modeling.

• Business modeling is not a mathematical model, but the representation of business as one
large system with interconnection and sequence of business subsystems and processes.

• Business modeling is the portrayal of a business as one large system based on business
strategy & objectives, showing the inter-connection & sequence of business sub-systems or
processes that drive it.

• It is kind of diagrammatical and tabular representation of various business processes in an
interconnected manner with their underlying data models.

• First, an existing business model is prepared and based on that, another business model
consisting of the required business model is prepared.

• Business model consists of two main elements:

a. Blue print describing various business processes and their interactions
b. Underlying data model.

• Features of a business model

- Represents business models
- Comprehensive functionality
- Designed for all types of business
- Multi-national
- Business engineering
- Open system

• Advantages of a business model

- Aids in selecting & implementing a suitable ERP package
- Degree of suitability of ERP packages can be assessed using business models
- Aids in evaluating actual processes & analyzing deviations

18. ERP implementation – steps

1. Identification of the needs for implementing the ERP package
2. Evaluating the as-is situation of the business
3. Deciding upon the would-be situation of the business
4. Conducting of BPR
5. Evaluation of various ERP packages & finalization of the ERP package
6. Installing required hardware & networks
7. Finalizing the implementation consultant
8. Implementation of ERP.

Criteria for evaluation of ERP packages

• Flexibility
• Comprehensive
• User-specific
• Integral
• Beyond the company
• Best business practices
• Technological updations

19. Approaches to ERP implementation

20. Challenges in ERP implementation

• Vendor’s clarity regarding user’s requirements
• Customization of product to suit user needs
• Clear definition of responsibilities of employees
• Acceptance of the new process by employees
• Project to be implemented in totality
• Defining the implementation methodology
• Selection of right kind of consultants
• Preparing the implementation guidelines
• Post implementation monitoring of KPI and CSF

21. Drawbacks of ERP implementation

• Extra effort on part of users
• Increase in workload
• Time-consuming
• Changes nature of business
• Design & implementation synonymous

22. Risk & Governance issues in an ERP

• Single point of failure
• Risk on non-acceptance of structural changes
• Changes in job profiles may back-fire
• Risk of lack of skills to handle online real-time updates
• High risk of exposure due to broad system access
• Dependency on external assistance
• Risk of inappropriate access & loss of privacy & confidentiality

23. Guidelines for ERP implementation:

• Understanding the corporate culture and needs
• Complete business process changes
• Communicate across the organizations
• Provide strong leadership
• Ensure availability of effective, efficient & capable project manager
• Create a balanced team
• Select a good implementation methodology
• Proper & extensive training
• Commitment of adapting to changes

23. Factors on which implementation of ERP depends:

• Organizational set-up & its outlook
• Preparation of task-list for implementation
• Setting up proper communication channel
• Educating users

Post Implementation Scenarios

24. Expectations

• An improvement in processes
• Increased productivity on all fronts
• Total automation & disbanding of all manual processes
• Improvement of all Key Performance Indicators (KPI)
• Elimination of all manual records
• Availability of real time information systems
• Total integration of all operations

25. Fears

• Job redundancy & change of job profile
• Loss of importance
• Loss of proper control & authority
• Increased stress due to greater transparency

26. Life after implementation

• Organizations should prepare a list of Critical Success Factors (CSF) & their corresponding
KPIs and continuously evaluate the processes against KPI

• CSF is a process name which is critical to the successful working of the organization. Some
general CSF are:

- Transaction processing time
- Product delivery time
- Customer complaint response time
- Labour productivity
- Quality of product
- Consumption of resources

 All these CSF have some sort of KPI, i.e. can be quantified in a value known as KPI, which is a
continuously changing value.

 Both CSF and their corresponding KPI are defined through BPR.

 Some other tasks to be performed post-implementation are:

- Develop new organization structure and job descriptions


- Determine the skill gap between the existing and required jobs post ERP
implementation
- Assess training requirements and implement a proper training plan
- Develop and amend HR, Financial & Operational Policies to suit ERP environment

27. Post Implementation Problems

 Changing CSF due to changing business environment & corresponding new KPI which
require change in processes

 Continuous improvement in technologies

28. Measures for over-coming post-implementation difficulties

 Outsourcing & audit
 Proper usage of system
 Adequate provision for changes

29. List of popular ERP packages

 BAAN
 MFG / Pro
 ORACLE
 SAP R/3
 JD Edwards

30. Brief Description of Capabilities of ERP Software Packages

SAP AG has developed an ERP package called “SAP R/3”. It is the most popular package and
considers the entire business as a single entity. It is a unique system that supports nearly all
areas of business on a global scale.

SAP has a number of application modules in the package. Some of these are:

 Financials
 Cost control
 Investment management
 Treasury management
 Integrated enterprise management
 Product data management
 Sales & distribution
 Production, planning & control
 Materials management
 Human resource management

31. Relationship between ERP & E-com:

To facilitate E-com, IT departments should build 2 new channels of access into ERP systems:

 One for customers {Business-to-Customer (B2C)}
 One for suppliers & partners {Business-to-Business (B2B)}

32. Functions of Treasury Cash Module in ERP

 Information on sources and uses of funds to secure liquidity
 Monitors and controls incoming and outgoing payment flows
 Supplies data for managing short term market investments and borrowings
 Enables the organization to know its current cash position and supports financial budgeting
 Enables analysis of liquidity
 Aids in managing and monitoring bank accounts
 The LIQUIDITY FORECAST FUNCTION integrates anticipated payment flows from
financial accounting, purchasing and sales to create a medium- to long-term liquidity outlook
 Covers foreign currency holdings and items

33. Components of Enterprise Controlling

Enterprise Controlling is the SAP module used to consolidate financial statements, including
elimination of inter-company transactions.

 EC-CS: Used for financial, statutory and management consolidation. Allows fully automated
consolidation of investments.
 EC-PCA: Allows working with internal transfer prices and provides a profit-center and an
enterprise perspective in parallel. Provides management with a consistent flow of external and
internal financial management reports.
 EC-EIS: Allows financial data to be combined with external data such as market data, industry
benchmarks and data from non-SAP applications.

***

08 INFORMATION SYSTEMS AUDIT
STANDARDS & GUIDELINES
1. IS Audit Standards provide audit professionals a clear idea of the minimum level of
acceptable performance essential to discharge their responsibilities effectively.
The technical competencies & skills of IT professionals are assessed against these IS Audit
Standards & practices.

IS Auditing Standards covered in this chapter:

- BS 7799
- CMM
- COBIT
- COSO
- CoCo
- ITIL
- SysTrust & WebTrust
- HIPAA
- SAS 70
2. BS 7799 (1998)

 Essence: A sound Information Security Management System (ISMS) should be
established within the organization

 Objective: organization’s information is secured & properly protected

 Components:

BS 7799 Part I (ISO 17799) - Code of Practice on IS Management:
 provides a comprehensive set of security controls comprising best IS practices in use
 strongly business-oriented, a good management tool
 primarily deals with controls
 does not deal with management systems or technical details

BS 7799 Part II (ISO 27001) - Specification for ISMS:
 provides a specification that forms the basis of an external 3rd party verification &
certification scheme
 attributed to the scale, severity & inter-connectedness of IS threats & the emergence of a
growing range of data
 deals with ISMS
 provides basis for certification to business partners & outsiders

 Benefits:

- Reduced operational risks
- Increased business efficiency
- Logical application of IS Security

 Checks:

- Justified security controls
- Appropriate policies & procedures
- Good security awareness
- Auditable information processing, security & support activities

3. Information Security Management Standard (ISMS)

 General Specifications:

- Protection of assets
- Risk management approach
- Control objectives
- Suitable degree of assurance

 Establishing management framework:

- Define the IS policy
- Define scope of ISMS
- Make appropriate risk assessment
- Identify areas of risk to be managed
- Select appropriate controls
- Prepare a statement of applicability

 Implementation specification includes:

- Verification procedures
- Implementation procedures

 Documentation:

- Management control
- Management framework summary
- Procedure adopted to implement control
- ISMS management procedure

 Document control:

- Ready availability
- Periodic review
- Maintain version control
- Preservation for legal purpose

 Maintenance of Records - issues involved:

- Maintain to evidence compliance
- Procedure for processing such evidence
- Records to be legible & identifiable
- Storage & protection against damage

4. Ten focus areas of ISMS

1) Security Policy

This activity involves a thorough understanding of the organization's business goals & its
dependence on information security. This is an extremely important task & the policy should
convey top management's total commitment. It should cover:

‡ A definition of IS
‡ Allocation of responsibilities
‡ Explanation of reporting process
‡ Defined review process
‡ Nomination of policy owner
Detailed control & objectives are:
‡ To provide direction & support for IS
‡ To manage IS infrastructure
‡ To maintain security of information assets accessed by third parties
‡ To maintain IS when responsibility of information processing is outsourced

2) Organizational Security

Needs proper procedures for approval of the IS policy, assigning of the security roles &
coordination of security across organization.
Detailed control & objectives are:
‡ To manage IS infrastructure within the organization
‡ To maintain security of information assets accessed by third parties
‡ To maintain IS when responsibility of information processing is outsourced

3) Asset Classification & Control

The information assets need to be classified to indicate the degree of protection required. An
Information Asset Register must be created, detailing every information asset
within the organization. It should also describe who is responsible for each information
asset. The value of each asset can be determined to ensure appropriate security.
Detailed control & objectives are:
‡ To ensure that information assets receive appropriate level of protection
‡ To maintain appropriate protection & accountability of organizational assets

4) Personnel Security

Appropriate personnel security ensures that:

‡ Employment contracts & staff handbooks are clear
‡ Ancillary workers, temporary staff are covered

Detailed control & objectives are:
‡ To reduce risk of human error/ misuse of facilities
‡ To ensure that users are aware of IS threats & concerns
‡ To minimize damage from security incidents & malfunctions & monitor them

5) Physical & Environmental Security

Involves determining the physical security perimeter, physical entry controls, creating secure
offices and providing protection devices. COST EFFECTIVE DESIGN and CONSTANT
MONITORING are the 2 key aspects of maintaining adequate security control.

Detailed control & objectives are:

‡ To prevent unauthorized access, damage to business premises & information
‡ To prevent loss, damage & interruption to business activities
‡ To prevent compromise of information & processing facilities

6) Communications & Operations Management

Properly documented procedures for management & operation of all information processing
facilities should be established. External exchange of information should be controlled.
Controls should be applied to protect E-com transactions from any threats.
Detailed control & objectives are:
‡ To ensure correct operational procedures & responsibilities
‡ To minimize risk of system failure
‡ To protect integrity of software & information
‡ To prevent damage to assets

7) Access Control

Access to information and business processes should be controlled on the basis of business and
security requirements. This includes defining an access control policy and rules, monitoring
system access & use, and ensuring information security when using mobile computing and
tele-working facilities.
Detailed control & objectives are:
‡ Business requirement for access control to control access to information
‡ User access management to prevent unauthorized access to Information System
‡ User responsibilities to prevent unauthorized user access
‡ Network access control to protect networked services
‡ Operating system access control to prevent unauthorized computer access
‡ Application access control to prevent unauthorized access to information held in
Information System
‡ Monitoring system access and use to detect unauthorized activities
‡ Mobile computing and tele-working to ensure information security when using mobile
computing & tele-working facilities

8) Systems Development & Maintenance

It may be necessary to build applications with cryptographic controls. There should be a
defined policy on the use of such controls. A strict change control procedure must be in place
to track changes. No covert channels, back doors or Trojans must exist in the system.
Detailed control & objectives are:
‡ To ensure that security is built into information systems
‡ To minimize risk of system failure
‡ To protect integrity of information
‡ To prevent misuse of application system

9) Business Continuity Management

Should be designed & maintained to reduce disturbances caused by security failures.

Detailed control & objective is:
‡ To protect critical aspects of business processes from effects of major failures

10) Compliance

Strict compliance with the provisions of national & international IT laws pertaining to Intellectual
Property Rights (IPR), software copyrights & cryptographic regulations.

Detailed control & objectives are:

‡ To avoid breaches of civil/ criminal laws
‡ To ensure compliance of systems with organizational security policies & standards
‡ To maximize effectiveness & to minimize interference to/ from system audit process

5. Capability Maturity Model (CMM) (1991)

 CMM provides software organizations with guidance on:

- How to gain control of processes for developing & maintaining software
- How to evolve towards a culture of software engineering & management excellence

 Presents set of guidelines to increase software process capability

 Based on knowledge acquired from software process & extensive feedback

 Basic Terms:

- Process is a set of activities, methods that people use to develop & maintain software &
the associated products

- Software Process Maturity is the extent to which a specific process is explicitly
defined, managed, measured, controlled and effective.

- Capability describes the range of expected results that can be achieved by following a
process

- Performance represents the actual results achieved by following a software process

- Maturity implies potential for growth in capability

- Institutionalization entails building an infrastructure & corporate culture that supports
the methods, practices & procedures of the business, so that they endure in the long run

 Levels of Software Process Maturity

Level-1 Features:

 no stable environment, no policies & procedures
 time & cost over-runs
 abandoning planned procedures & reverting to coding & testing
 success depends on competence & heroics of people involved & having an exceptional
manager
 capability is a characteristic of the individual, not of organization

Level-2 Features:

 policies for managing a software project & procedures to implement those policies are
established
 policies guide projects in establishing management processes
 capability is enhanced by establishing basic process management
 software process capability is disciplined
 basic software management control exist
 software project standards are defined & faithfully followed
Level-3 Features:

 standard process for developing & maintaining software is documented
 process used to help software managers & technical staff
 management has good technical insight of progress on all processes
 Software Engineering Process Group (SEPG) is made responsible for software process
activities
 Training program is implemented
 Defined software process for each project
 software capability is standard & consistent

Level-4 Features:

 organization sets quantitative Quality Goals
 productivity & quality are measured for important software processes
 variations in products & processes narrowed down to fall within acceptable quantitative
boundaries
 process is stable & measured
 software process capability is quantifiable & predictable

Level-5 Features:

 entire organization focused on continuous process improvement
 improvements occur both by advancements in existing processes & by innovations using
new technologies & methods
 software processes are evaluated to prevent known types of defects
 software capability considered as continuously improving

6. COBIT

(Control OBjectives for Information and related Technology)

 Basic concepts of COBIT:

- Controls in IT should be analyzed by looking at information needed to support the
business objectives
- Information should be viewed as a result of combined application of IT-related resources

 Business Requirements of information:

- Quality requirements
- Fiduciary requirements
- Security requirements

 Key Aspects of COBIT:

- Information Criteria (7 categories)

 Effectiveness
 Efficiency
 Confidentiality
 Integrity
 Availability
 Compliance
 Reliability

- IT Resources (5 classifications)

 Data
 Application Systems
 Technologies
 Facility
 People

- IT Efforts (4 responsibility domains)

 Planning & Organization: covers strategy & tactics & concerns the identification of
the way IT can best contribute to the achievement of business objectives.
 Acquisition & Implementation: to realize the IT strategy, IT solutions should be
identified, developed or acquired as well as implemented & integrated into business
practices
 Delivery & Support: concerned with actual delivery of required services, which
range from traditional operations & continuity aspects to training
 Monitoring & Evaluation: domain addresses management’s supervision of the
organization’s control process & independent assurance provided by internal &
external audit

7. COSO Framework

“Committee of Sponsoring Organizations of the Treadway Commission”

COSO states that Internal Control is a process established by an entity’s Board of Directors and
management, designed to provide reasonable assurance regarding the achievement of stated
objectives.
3 major control objectives of COSO are:

 Effectiveness & efficiency of operations
 Reliable financial reporting
 Compliance with laws & regulations

COSO v/s. COBIT:
1. COSO focuses on internal control; COBIT focuses on IT controls
2. COSO is primarily applicable to financial information; COBIT is applicable to all information
that is needed to support business requirements
3. COSO is useful for management at large; COBIT is useful for management, users & auditors

8. CoCo

 CoCo is a guidance matter, useful in making judgements about designing, assessing &
reporting on the control systems

 It is concerned with control in general. It is a model of controls for information assurance

 CoCo forms a cycle that continues endlessly if an organization is to continue to improve

 Four important Concepts about Control under CoCo are:

‡ Control is affected by people throughout the organization
‡ People accountable for achieving objectives should also be made accountable for
effectiveness of control
‡ Organizations are constantly interacting & adapting
‡ Controls can only provide reasonable assurance, not absolute assurance

9. IT Infrastructure Library (ITIL)

 Public framework that describes best practices in IT Service Management (ITSM)
 The only consistent & comprehensive documentation of best practices for ITSM

Major books under ITIL:

Book 01: Service Delivery

 Concerned with pro-active & forward-looking services that the business requires of its ICT
provider, in order to provide adequate support to the business users.

 Components:

‡ Service level management
‡ Capacity management
‡ IT service continuity management
‡ Availability management
Book 02: Service Support

 Focuses on the user of ICT services and is primarily concerned with ensuring that they
have access to the appropriate services to support the business functions.

 Components:

‡ Incident management
‡ Problem management
‡ Configuration management (to track all individual components in a system)
‡ Change management
‡ Release management (to plan roll-out of software)

Book 03: ICT Infrastructure Management

 Recommends best practice for requirements analysis, planning, design, deployment &
ongoing operations management & technical support of an ICT infrastructure {ICT =
Information & Communications Technology}

 Defines practices for:

‡ Design & planning
‡ Deployment
‡ Operations
‡ Technical support
Book 04: Security Management

 Describes how information security fits into the management organization.
When protecting information, it is the value of the information that has to be protected. This
value is stipulated by:

‡ Confidentiality
‡ Integrity
‡ Availability

 The inferred aspects are:

‡ Privacy
‡ Anonymity
‡ Verifiability
Book 05: The Business Perspective

 Collection of best practices that is suggested to address some of the issues often
encountered in understanding & improving IT service provision.

 Issues addressed are:

‡ Business Continuity Management
‡ Surviving change & transformation
‡ Partnership & outsourcing

Book 06: Application Management

 Encompasses a set of best practices proposed to improve the overall quality of IT software
development and support through life-cycle of the software development projects, with
specific attention to gathering & defining requirements that meet business objectives

Book 07: Software Asset Management

 software is treated as a valuable asset
 achieved through best practices, enables organizations to save resources
 most widely accepted approach to providing a comprehensive set of best practices

Book 08: Planning to implement Service Management

10. SysTrust & WebTrust

 Two specific services developed based on trust services principles & criteria

 Scope:

 SysTrust designed for provision of advisory services/ assurance on the reliability of a
system
 WebTrust relates to assurance/ advisory services on an organization’s system related to
E-com

 Principles to be used in engagements:

 Security
 Availability
 Processing integrity
 Online privacy
 Confidentiality

 Areas:

 Policies relevant to particular principle
 Communications of defined policies to authorized users
 Procedures in accordance with defined policies
 Monitoring to maintain compliance with defined policies

11. “The Health Insurance Portability & Accountability Act (HIPAA)” (1996)
(A US Federal Act)

 Aspects covered by HIPAA:

- Establishment of national standards for electronic health care solutions
- Creation of national identifiers for healthcare providers, health insurance plans &
employers
- Security & privacy of health data
- Improving the efficiency & effectiveness of the nation’s healthcare system by
encouraging the widespread use of EDI

 3 types of security safeguards:

- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards

 Administrative Safeguards:

 Adopt a written set of privacy procedures & designate a Privacy Officer responsible for
implementing all required procedures
 Identify employees having access to Protected Health Information
 Have an appropriate training program
 Have a contingency plan for responding to emergencies
 Have internal audit system
 Document instructions for responding to security breaches

 Physical Safeguards:

 Govern introduction & removal of hardware & software from network
 Control access to equipment containing health information & to hardware & software
 Address policies w.r.t. workstation use

 Technical Safeguards:

 Use encryption to protect from intrusion
 Data corroboration to ensure data integrity
 Have a written record of configuration settings
 Document risk analysis & risk management programs
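Two of the technical safeguards listed above, data corroboration for integrity and a written record of configuration settings, can be checked mechanically. The following added example (it is not from the Act or from these notes) shows one way to do so: a keyed hash (HMAC) stored beside each record corroborates that the record is unchanged, and a comparison of live settings against the documented baseline reports drift. The key, records and settings are constructed sample values, and HMAC is my chosen technique, not one the notes prescribe.

```python
"""Integrity corroboration of records and configuration-baseline comparison.
Added illustration; HMAC is one way to do corroboration (an assumption here),
and every key, record and setting below is a constructed sample value."""
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple


def canonical(record: Dict[str, Any]) -> bytes:
    """Serialise a record deterministically so equal content always hashes alike."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(key: bytes, record: Dict[str, Any]) -> str:
    """Integrity tag stored beside the record; without the key it cannot be re-forged."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: Dict[str, Any], tag: str) -> bool:
    """Corroborate that the record still matches its tag (constant-time comparison)."""
    return hmac.compare_digest(tag_record(key, record), tag)


def config_drift(baseline: Dict[str, Any],
                 current: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Settings whose live value differs from the documented baseline, including
    settings that were added or removed. Maps name -> (documented, live)."""
    names = set(baseline) | set(current)
    return {n: (baseline.get(n), current.get(n)) for n in sorted(names)
            if baseline.get(n) != current.get(n)}


def demo() -> Dict[str, Any]:
    """Run both checks over constructed data and return the results."""
    key = b"constructed-demo-key-not-for-real-use"   # in practice: held in a key store
    record = {"patient_id": "P-0001", "dob": "1970-01-01", "diagnosis_code": "J45"}
    tag = tag_record(key, record)                   # computed when the record is written
    tampered = dict(record, diagnosis_code="J44")   # later, an unauthorised modification

    documented = {"audit_logging": "on", "session_timeout_min": 15,
                  "tls_min_version": "1.2"}          # the written record of settings
    live = {"audit_logging": "off", "session_timeout_min": 15,
            "tls_min_version": "1.2", "debug": True}  # what the system reports now
    return {
        "intact": verify_record(key, record, tag),      # True
        "tampered": verify_record(key, tampered, tag),  # False
        "drift": config_drift(documented, live),
    }


if __name__ == "__main__":
    print(demo())
```

The drift check is deliberately symmetric: a setting that appears only in the live system (here `debug`) is as much a finding as one whose value changed, because the documented record is meant to be the complete baseline.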

12. SAS 70: Statement of Auditing Standards for Service Organizations

 Service organization is a business/ entity that provides outsourcing services

 2 types of SAS 70 reports:

 Type-I Report:

 Opinion by service auditor
 Describes degree of representation of controls that have been implemented in
operations
 Lists the controls

 Type-II Report:

 Auditor gives opinion on how effectively controls operate

 Features:

 Costly & time-consuming
 Provides transparency & builds trust
 One report can be sent to many customers
 Shows weak links
 Easily communicates proficiency for internal controls & safeguards

13. IIA is an international professional association that provides dynamic leadership for the global
profession of internal auditing. It issued the Global Technology Audit Guide (GTAG), which provides
management of organizations with information on technology management, control and
security, and Information Systems Auditors with guidance on different technology associated
risks and recommended practices. Following are the GTAGs developed by the IIA:

GTAG 1: Information technology controls
GTAG 2: Change and patch management controls: Critical for organizational success
GTAG 3: Continuous auditing: Implications for assurance, monitoring and risk assessment
GTAG 4: Management of information technology auditing
GTAG 5: Managing and Auditing Privacy Risks
GTAG 6: Managing and Auditing information technology vulnerabilities
GTAG 7: Information technology outsourcing
GTAG 8: Auditing application controls
GTAG 9: Identity and access management

***

09 IS SECURITY POLICY, AUDIT POLICY
AND IS AUDIT REPORTING

DRAFTING OF IS SECURITY POLICY, AUDIT POLICY, IS AUDIT REPORTING –
A PRACTICAL PERSPECTIVE
1. Information Security means the protection of information (i.e. processed data) against loss,
inaccessibility, alteration or wrong disclosure.

 It is the protection of the interests of those relying on the information, and on the information
systems and communications that deliver the information, from harm, failures of availability and
loss of confidentiality and integrity.

2. Objective of Information Security

 Availability – IS are available and usable when required
 Confidentiality – Information is disclosed only to those who have the right to know it
 Integrity – Information is protected against unauthorized modifications

3. Importance of Information Security

 Smooth functioning
 Increased dependence of organizations on information
 Information spread geographically and accessed through networks, which are vulnerable
 Organizations depend upon timely, complete, reliable and valid information
 IS are increasingly coming under threats from internal and external sources
 Security failure may result in both financial and intangible losses

4. Sensitivity of information

Following types of information are normally considered sensitive information:

 Strategic Plans: They are very crucial for the success of the organization and it is required that
these plans should be well protected

 Business Operations Information: Business operations consist of the organization's processes
and procedures, information on which is proprietary in nature and whose secrecy is to be well
guarded

 Financial Information is very crucial and not to be made public

5. Factors to be considered to ensure safety of sensitive information

 Value of data
 Area of criticality
 Worthiness of information
 Choice of integrated solutions
 Access control
 Storage of information
 Employees’ work review
 Proper documentation

6. Purpose and Scope of Information Security Policy

 Purpose is to define, what the organization is trying to accomplish through security policy
for IS and its information

7. Factors deciding level of security of information

 Value of information
 Place of critical data (How information is placed)
 Type of storage media
 Hardcopy output of information
 Access to information (Who all should be provided access)

8. Core principles of Information Security

 Accountability
 Awareness
 Multidisciplinary
 Cost efficient
 Integration
 Reassessment
 Timeliness
 Societal factors

9. Objectives of IT Security Policy

 To deny unauthorized access to any IT resource
 To restrict access to data & resources
 To allow required IT services to be available to authorized users only

10. Information Protection Methods

 Preventive Protection: This is based on the use of security controls, of three
types, i.e. Physical controls, Logical controls and Administrative controls.

 Restorative Protection: It is necessary to have an effective and timely information backup
and recovery plan. The main requirement is that information lost can be recovered.

11. Holistic Protection: Protection should be approached holistically, so that it gives the business
an appropriate level of security at a cost acceptable to the business.

For this purpose, the firm should have a conservative outlook:

 Expect the unexpected & unknown
 Expect the happening of worst events
 Recover from such events when they occur, as if nothing ever happened

12. Methods of implementing Information Security

 Security Policy: Security policy sets the acceptable norms for information access and also
set out reactions of organization when such norms are violated.

A good security policy should provide for procedures and policies that can prevent losses
and also help in increasing productivity. The main aim of the policy should be to recognize
the value of, and the dependence on, the information of the organization

 Policy Development: The security policy must be developed on the basis of security
objective and core principles of information security. The security policy so developed
should also support and complement the existing organization policy.

 Roles & Responsibilities: For security to be effective, it is necessary that individual roles,
responsibilities and authorities are clearly defined, communicated and understood by all.

 Design: Design consists of standards, measures, practices and procedures within which,
systems and individuals would function and maintain. System should be designed based on
the need of the organization.

 Implementation: Various controls should be implemented for effective information
security, such as:

- Managerial controls
- Identification and authentication controls
- Logical access controls
- Accountability controls
- Cryptographic controls
- SDLC controls
- Physical environment controls
- Computer support and operational controls
- Business continuity & planning controls

 Security Monitoring: The system established should be continuously monitored to detect
security breaches and to ensure they are corrected and acted upon. Monitoring ensures ongoing
compliance with the policy, standards and security practices.

 Awareness Training & Education: All employees should be aware of security policies and its
importance. Regular training programs are needed in this regard. Achieving security
objectives is not one time implementation but is a mission.

13. Information Security Policy

The security policy is a set of laws, rules and practices that regulates how assets and
information are managed, protected and distributed within the organization. A policy addresses
many issues related to information such as disclosure, integrity and availability issues.

An information security policy discusses the following in detail:

 Issues to address

- Definition of information security
- Importance of information security
- Goals & principles of information security
- Information security standards

 Members of security policy

- Management authorities, who have budget & policy authority
- Technical staff, who know what can & can’t be supported
- Legal experts, who know the legal effects of various policy changes

 Requirements to be considered by IS policy

- Business requirements
- Legal, statutory & regulatory requirements

14. Types of Information Security Policies

 User Security Policy sets out the responsibilities and requirements from the users of the
information system

 Acceptable Usage Policy defines the rules for email and internet services

 Organizational Information Security Policy defines the group of policies for security of
the information and information systems

 Network & System Security Policy defines rules for network & Data communication
systems

 Information Classification Policy defines the rules for classification of information

 Conditions of Connection define the rules for access of network and it specifies the
conditions to be satisfied for connecting to different networks

15. Components of the Security Policy

 Purpose and scope of policy and its audience
 Security organization structure
 Classification of assets and their inventory
 Roles and responsibilities of people connected
 IS and its security infrastructure
 Access control mechanism
 Physical and environmental security

 System development and maintenance controls
 Network and data communication controls
 Business continuity planning
 Security incident response and reporting mechanisms

16. Responsibility allocation in security policy

 An owner should be appointed for each information asset
 All new network communication links must be approved
 Risk assessment for all third party access to information assets and the IT network must be
carried out
 A conditions of connection agreement in place for all third party connections

17. Information Asset Classification

 An inventory of the IS’s assets should be defined
 Assets should be classified as per their importance or value, in the policy
 Handling of information must be approved
 Exchange of data must be controlled
 Classified waste information must be disposed of appropriately

18. Access Controls

Access control (AC) is considered a very important mechanism to provide information
security. The following rules should be part of the policy under the access control mechanism:

 AC must be in place to prevent unauthorized access to IS
 Access to business information should be permitted in response to a requirement
 Formal process must be in place to validate and provide individuals with access to
information
 Access controls should be regularly audited
 Access rights should be immediately deleted for users who do not need the information any
further
 Each user must be provided with unique IDs and should be prohibited from using another
user’s IDs.
 Proper procedures should be in place for reporting and handling of security related
incident(s)

19. Incident Handling

 Recording of activities on the system
 Training staff to report immediately when a security breach happens
 Procedures for the security administrator to handle a breach and control future activities
 Policies laying out the extent of testing to be done in the various phases of an audit (planning, compliance testing and substantive testing)

20. Business Continuity Management v/s. System Development & Maintenance Controls

Business Continuity Management:
 A BCP must be maintained, tested & updated if necessary. All staff must be aware of this plan
 A Business Continuity & Impact Assessment must be conducted annually
 Suppliers of network services must be contractually obliged to provide a pre-determined minimum service level

System Development & Maintenance Controls:
 System development must have appropriate security controls included to safeguard the availability of the systems & ensure the integrity & confidentiality of the information they process
 All security requirements & controls must be identified & agreed prior to the development of an IS

21. Phases of IS Audit

 Planning: a documented audit program would be developed under the IS policy to include:
- Documentation of the IS auditor's procedures
- Objectives of the audit
- Scope, nature & degree of testing required to achieve the audit objectives

 Compliance testing: the IS policy should outline the compliance testing areas:
- Organizational & operational controls
- Security management controls
- System development & documentation controls
- Access & application controls
- Physical & environmental controls
- Business continuity controls

 Substantive testing will be carried out:
- Wherever the auditor observes weaknesses in internal control
- Wherever risk exposure is high
- To gather additional information necessary to form an audit opinion

22. Purpose of IT Audit

 To ensure integrity, confidentiality & availability of information & resources

 To monitor & ensure

- Safeguarding of IS assets
- Maintenance of data integrity
- Maintenance of system effectiveness

23. Scope of IT Audit

 IS mission statement
 Assessment of risk
 IS strategy plans
 IS usage policies
 IS budgets
 Impact of external influences on IS
 BCP & testing thereof
 Compliance with legal & regulatory requirements

24. Access rights of IS Auditors

 User level access to any computing device
 Access to information
 Access to work areas
 Access to internal audit documents/ reports
 Access to monitor & log traffic on networks

25. Duties of auditor regarding IS Policy

The auditor should ensure that:

 The IS policy is responsibly maintained & regularly updated
 Employees are aware of the IS policy
 No person acts in contradiction to the established policy

26. Cautions on Access Rights for IS audit

The audit policy should determine when & to whom audit results should be reported. It should define the access rights to be given to auditors & must include:

 User/ system level access to any computing or communicating device
 Access to information that may be produced, transmitted or stored on departmental equipment
 Access to work areas
 Access to reports/ documents relating to internal audit
 Access to network traffic

27. Audit Working Papers & Documentation

 Working papers should include:
- Audit plan
- Nature of the audit
- Timing of the audit
- Details of the audit procedures performed
- Conclusions drawn from the evidence obtained

 In the case of a recurring audit, some papers may also be classified as permanent:
- Organization structure
- IS policies of the organization
- Historical background of IS in the organization
- Record of internal controls related to IS
- Copies of previous audit report
- Copies of management letters issued by auditors

 Planning documents:
- Knowing available resources
- Knowing the audience
- Knowing scope of work

 Finalizing documents:
- Thoroughly tested & revised documents
- Proper glossary & index
- Proper format

28. Contents of IS Audit Report

 Cover & title page
 Table of contents
 Executive summary
 Introduction
- Context of the IT environment
- Purpose of the audit
- Scope of the audit
- Methodology used for the audit
 Findings
 Opinions
 Appendices

***

10 INFORMATION TECHNOLOGY
(AMENDED) ACT, 2008
1. Objectives of the Act

 To grant legal recognition to transactions carried out by means of electronic data interchange (EDI) & other means of electronic communication, commonly referred to as "electronic commerce", in place of paper-based methods of communication
 To give legal recognition to digital signatures for the authentication of any information or matter which requires authentication under any law
 To facilitate electronic filing of documents with government departments
 To facilitate electronic storage of data
 To facilitate & give legal sanction to electronic fund transfer (EFT) between banks & financial institutions
 To give legal recognition to the keeping of books of accounts by bankers in electronic form
 To amend the-
- Indian Penal Code, 1860
- Indian Evidence Act, 1872
- Banker's Books Evidence Act, 1891
- Reserve Bank of India Act, 1934

2. Scope of the Act

The Act extends to the whole of India, unless otherwise provided in the Act. It also applies to any offence or contravention under it committed outside India by any person.

The Act does not apply to:

 A negotiable instrument (other than a cheque) under the NI Act, 1881
 A power-of-attorney under the Powers-of-Attorney Act, 1882
 A trust under the Indian Trusts Act, 1882
 A will under the Indian Succession Act, 1925, including any other testamentary disposition
 Any contract for the sale or conveyance of immovable property (sale deed or registry)
 Any such class of documents or transactions as may be notified by the Central Government in the Official Gazette (NIOG)

3. Definitions

 Access means gaining entry into, instructing or communicating with the logical, arithmetical or memory function resources of a computer, computer system or computer network

 Affixing Electronic Signature means the adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of an electronic signature

 Asymmetric Crypto System means a system of a secure key pair consisting of a private key for creating a digital signature & a public key to verify the digital signature

 Communication Device means cell phones, PDAs or any other device used to communicate, send or transmit any text, video, audio or image

 Computer Network means the interconnection of one or more computers or communication devices using satellite, microwave or other communication media, and terminals or a complex consisting of two or more interconnected computers or communication devices, whether or not the interconnection is continuously maintained

 Computer Source Code means the listing of programmes, computer commands, design and layout and programme analysis of a computer resource in any form

 Computer Resource means a computer, communication device, computer system, computer network, data, computer database or software

 Computer Contaminant means any set of computer instructions that are designed:
- To modify, destroy, record or transmit data or a programme residing within a computer, computer system or computer network; or
- By any means to disturb the normal operation of the computer, computer system or computer network

 Cyber Cafe means any facility from where access to the internet is offered by any person in the ordinary course of business to members of the public

 Cyber Security means protecting information, equipment, devices, computers, computer resources, communication devices & the information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction

 Digital Signature means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with section 3

 Electronic Signature means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule, & includes a digital signature

 Function, in relation to a computer, includes logic, control, arithmetical process, deletion, storage & retrieval, and communication or telecommunication from or within a computer

 Information includes data, message, text, images, sound, voice, codes, computer programmes, software & databases, or micro film or computer-generated microfiche

 Key Pair, in an asymmetric crypto system, means a private key & its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key

 Hash Function
- Used to assure the integrity of a document
- An algorithm which is run over a message & generates a fixed-length alphanumeric value known as the Message Digest
- The message digest is, for all practical purposes, a unique value for a given message (it is computationally infeasible to find two different messages with the same digest, or to reconstruct the message from the digest)
- Any change to the original message, when run through the hash function, generates a different message digest, i.e. a change in the message digest indicates that the original message has been altered

 Hacking is a term used to describe the act of destroying, deleting or altering any information residing in a computer resource, or diminishing its value or utility, or affecting it injuriously, knowing that such action is likely to cause wrongful loss or damage to the public or to any person.

 Private Key means the key of a key pair used to create a digital signature

 Public Key means the key of a key pair used to verify a digital signature, & listed in the Digital Signature Certificate

 Secure System means computer hardware, software & procedures that are reasonably secure from unauthorized access & misuse, provide a reasonable level of reliability & correct operation, are reasonably suited to performing the intended functions, & adhere to generally accepted security procedures

 Traffic Data means any data identifying or purporting to identify any person, computer system or computer network or location to or from which the communication is or may be transmitted, & includes the communication's origin, destination, route, time, date, size, duration or type of underlying service, or any other information

4. Digital Signature

 A digital signature is created in 2 steps. First, the e-record is converted into a message digest by using a hash function, which digitally "freezes" the electronic record & thus ensures the integrity of the content of the intended communication.

 Secondly, the signatory's private key is applied to the message digest to produce the signature, which is attached to the record. Anybody who has the public key corresponding to that private key can verify the signature, which authenticates the identity of the person affixing it & confirms that the record has not been altered since signing.

5. E-Governance

 E-Governance is the filing of any form, application or other document with a govt. dept. in e-form &, similarly, the grant of any license or permit from govt. offices, also in e-form.
 Low cost, efficient & transparent working
 Rules for making E-Governance possible:
- Provide legal recognition for e-records
- Provide legal recognition for digital signatures
- Provide for the filing of any form, application or other document with a govt. dept. in e-form &, similarly, the grant of any license or permit from govt. offices, also in e-form
- Specify the manner & format in which e-documents are to be retained
- Nothing in these provisions confers a right to insist that a govt. dept. accept or issue any document in e-form (s. 9), so manual filing continues alongside e-forms where e-form is not accepted

6. Receipt & Dispatch of E-Records

 This chapter provides the manner in which acknowledgement of receipt & dispatch of
electronic records shall be made &
 The manner in which the time & place of dispatch & receipt of electronic records sent by
sender shall be identified

7. An electronic authentication technique shall be considered reliable U/s. 3A if:

 The signature creation/ authentication data is, within the context in which it is used, linked to the signatory/ authenticator & to no one else
 The signature creation/ authentication data was, at the time of signing, under the control of the signatory/ authenticator & of no one else
 Any alteration to the e-signature made after affixing such signature is detectable
 Any alteration to the information made after its authentication is detectable
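
The two-step digital signature described in item 4 (hash the record to a message digest, sign the digest with the private key, verify with the corresponding public key), together with the s. 3A reliability tests that any alteration to the record or to the signature after signing must be detectable, as an added worked example in Go. This code is not part of the original notes and is not prescribed by the Act: the Act names no particular algorithm, so SHA-256 and RSA-PSS from the Go standard library are assumptions, as are the constructed sample record, the 2048-bit key size and the ProveKeyPossession check, which models the s. 35 requirement that a certifying authority satisfy itself that an applicant actually holds the private key corresponding to the public key to be listed in the certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Record is a constructed sample electronic record (not taken from the source).
const Record = "Form 20B filed by subscriber X on 2008-10-27"

// Digest is step one of the Act's two-step description: the hash function
// "freezes" the record into a fixed-length message digest (SHA-256 assumed).
func Digest(record []byte) [32]byte {
	return sha256.Sum256(record)
}

// KeyPair generates a private key and its mathematically related public key
// (an "asymmetric crypto system" in the Act's terms). 2048-bit RSA is assumed.
func KeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign is step two: the message digest is signed with the private key.
// RSA-PSS is assumed here; the Act does not prescribe a signature scheme.
func Sign(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	d := Digest(record)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

// Verify is what "anybody who has the corresponding public key" can do:
// recompute the digest and check the signature against it. It returns false
// if either the record or the signature was altered after signing, which are
// exactly the two s. 3A detectability conditions.
func Verify(pub *rsa.PublicKey, record, sig []byte) bool {
	d := Digest(record)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

// Tamper flips one bit of the last byte, enough to change the digest and
// therefore invalidate the signature.
func Tamper(record []byte) []byte {
	out := append([]byte(nil), record...)
	out[len(out)-1] ^= 0x01
	return out
}

// ProveKeyPossession models the check a certifying authority makes before
// listing a public key in a certificate (s. 35): the applicant signs a
// CA-supplied random challenge and the CA verifies it with the claimed key.
// The challenge protocol itself is an assumption for illustration.
func ProveKeyPossession(applicant *rsa.PrivateKey, claimed *rsa.PublicKey) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	sig, err := Sign(applicant, challenge)
	if err != nil {
		return false
	}
	return Verify(claimed, challenge, sig)
}

func main() {
	priv, err := KeyPair()
	if err != nil {
		panic(err)
	}
	rec := []byte(Record)
	sig, err := Sign(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("message digest     : %x\n", Digest(rec))
	fmt.Println("original verifies  :", Verify(&priv.PublicKey, rec, sig))
	fmt.Println("altered record     :", Verify(&priv.PublicKey, Tamper(rec), sig))

	// Alteration of the signature itself after affixing is equally detectable.
	badSig := append([]byte(nil), sig...)
	badSig[0] ^= 0x01
	fmt.Println("altered signature  :", Verify(&priv.PublicKey, rec, badSig))

	// Proof of possession: a different key pair cannot pass the CA's challenge.
	other, err := KeyPair()
	if err != nil {
		panic(err)
	}
	fmt.Println("possession (owner) :", ProveKeyPossession(priv, &priv.PublicKey))
	fmt.Println("possession (other) :", ProveKeyPossession(other, &priv.PublicKey))
}
```

Note that the public key alone proves nothing about who signed: the binding of a public key to a person is what the Digital Signature Certificate issued by the certifying authority supplies, and a compromised private key (s. 42) invalidates that binding until the certificate is revoked.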

8. Legal recognition of electronic records U/s. 4:

Where any law requires that information be in writing, typewritten or printed form, that requirement shall be deemed satisfied if such information is

 Rendered or made available in an electronic form &
 Accessible so as to be usable for a subsequent reference

9. Section 5 provides for the legal recognition of digital signatures. Where any law requires that
any information or matter should be authenticated by affixing the signature of any person, then
such requirement shall be satisfied if it is authenticated by means of digital signatures affixed in
such manner as may be prescribed by the central government

10. Retaining of documents in e-form is permitted U/s. 7, if:

 The information is accessible & usable for a subsequent reference
 The e-record is retained in the format in which it was originally generated, sent or received, or in a format which accurately represents the information originally generated, sent or received
 Details which facilitate identification of the origin, destination, date & time of dispatch/ receipt of such e-record are available

11. The Central Government may, for the purposes of this Act, by rules, prescribe U/s. 10

a) The type of electronic signature;
b) The manner and the format in which the electronic signature shall be affixed;
c) The manner or procedure which facilitates the identification of the person affixing the electronic signature;
d) Control processes and procedures to ensure adequate integrity, security and confidentiality of the electronic records or payments; and
e) Any other matter which is necessary to give legal effect to electronic signatures

12. Attribution of e-records U/s. 11:

An e-record shall be attributed to the originator if it was sent

a) By the originator himself;
b) By a person authorized to act on behalf of the originator in respect of that e-record; or
c) By an IS programmed by or on behalf of the originator to operate automatically

13. Acknowledgement of receipt U/s. 12

 Where the originator has not stipulated that the acknowledgement of receipt of an electronic record be given in a particular form or manner, an acknowledgement may be given by any communication or any action of the addressee.
 If there is a stipulation that an electronic record shall be binding only on acknowledgement, then the record shall take effect only on the receipt of an acknowledgement

14. Secure E-signature:

An e-signature shall be deemed to be secure U/s. 15 if:

 The signature creation data, at the time of affixing the signature, was under the exclusive control of the signatory and no other person; and
 The signature creation data was stored and affixed in such exclusive manner as may be prescribed

15. The Central Government may, by notification in the Official Gazette, appoint a Controller of Certifying Authorities for the purposes of this Act. The Controller shall discharge his functions under this Act subject to the general control and directions of the Central Government. (U/s. 17)

16. Functions of the Controller U/s. 18

 Exercising supervision over the activities of the certifying authorities; certifying their public keys; specifying the conditions with regard to the conduct of their business and laying down the standards to be maintained by them
 Specifying the content of materials and advertisements that may be distributed or used with respect to an electronic signature certificate, and specifying the form and content of such a certificate
 Maintaining a database containing the disclosure record of every certifying authority with the prescribed disclosures

17. Section 19 provides for the power of the controller with the previous approval of the Central
Government to grant recognition to foreign certifying authorities subject to such conditions and
restrictions as may be imposed by regulations.

18. Section 21 provides that the license to be issued to a certifying authority to issue Digital
Signature Certificates by the Controller shall be in such form and shall be accompanied with
such fees and documents as may be prescribed by the Central Government. Further, the
controller may either grant the license or reject the application after giving reasonable
opportunity of being heard.

A license granted under this section shall be valid for such period as may be prescribed; not be
transferable or heritable and be subject to such terms & conditions as may be prescribed.

19. Section 22 provides that the application of license shall be accompanied by a certification
practice statements and statement including the procedure with respect to identification of the
applicant. It shall be further accompanied by a fee not exceeding Rs. 25000/- and other
documents as may be prescribed by the Central Government

20. Section 23 provides that the application for renewal of a license shall be in such form and
accompanied by such fees not exceeding Rs. 5000/- which may be prescribed by the Central
Government.

21. Section 24 deals with the procedure for grant or rejection of a license by the Controller on certain grounds. No application shall be rejected under this section unless the applicant has been given a reasonable opportunity of presenting his case

22. Section 25 provides that the Controller may revoke a license on grounds such as incorrect or false material particulars being mentioned in the application, and also on the ground of contravention of any provision of this Act. No license shall be revoked unless the certifying authority has been given a reasonable opportunity of showing cause against the proposed revocation.

23. Section 26 provides that the controller shall publish notice of suspension or revocation in the
database maintained by him.

24. U/s. 27, the controller may, in writing, authorize the deputy controller, assistant controller or
any officer to exercise any of the powers of the controller under section 18

25. U/s. 28, the controller or any officer authorized by him in this behalf shall take up investigation
of any contravention of the provisions of this act, rules or regulations made there under.

26. U/s. 29, the controller or any person authorized by him shall, if he has reasonable cause to
suspect that any contravention of the provisions of this chapter made there under has been
committed, have access to any computer system, any apparatus, data or any other material
connected with such system, for the purpose of searching or causing a search to be made for
obtaining any information or data contained or available to such computer system.

27. Section 30 prescribes the duties the certifying authority shall follow in respect of digital signatures. Certifying authorities shall

 Make use of hardware, software and procedures that are secure from intrusion and misuse;
 Provide a reasonable level of reliability in its services, which are reasonably suited to the performance of the intended functions;
 Adhere to security procedures to ensure that the secrecy and privacy of the electronic signatures are assured;
 Observe such other standards as may be specified

28. U/s. 31, every certifying authority shall ensure that every person employed or otherwise
engaged by it complies with the provisions of this act

29. U/s. 32, every certifying authority shall display its license at a conspicuous place at the
premises in which it carries on its business

30. U/s. 33, every certifying authority whose license is suspended or revoked shall immediately
after such suspension or revocation, surrender the license to the controller

31. U/s. 34, every certifying authority shall disclose, in the manner specified in the regulations:

 Its electronic signature certificate
 Any certification practice statement relevant thereto
 Notice of the revocation or suspension of its certifying authority certificate, if any
 Any other fact which materially affects the reliability of its certificates or its ability to perform its services

32. Section 35 lays down the procedure for issuance of a digital signature certificate. It provides that an application for such certificate shall be made in the prescribed form and shall be accompanied by a fee not exceeding Rs. 25000/-. The fee shall be prescribed by the Central Government and different fees may be prescribed for different classes of applicants. The section also provides that no digital signature certificate shall be granted unless the certifying authority is satisfied that

 The applicant holds the private key corresponding to the public key to be listed in the digital signature certificate
 The applicant holds a private key which is capable of creating a digital signature
 The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the applicant, in such form as may be prescribed by the Central Government

33. Section 36 requires that, while issuing a digital signature certificate, the certifying authority certify that it has complied with the provisions of the Act, the rules and regulations made there under, and also with the other conditions mentioned in the digital signature certificate

34. Section 37 states that the certifying authority may suspend such certificate if it is of the opinion
that such a step needs to be taken in public interest. Such certificate shall not be suspended
for a period exceeding 15 days unless the subscriber has been given an opportunity of being
heard.

35. Section 38 provides for revocation of the digital signature certificate under the following circumstances. Such revocation shall not be done unless the subscriber has been given a reasonable opportunity of being heard. The conditions are:

 The subscriber makes a request that his certificate be revoked
 Death of the subscriber
 Dissolution of the subscriber firm or winding up of the subscriber company

36. Where a digital signature certificate is suspended U/s. 37 or revoked U/s. 38, the certifying
authority shall publish a notice of such suspension or revocation, as the case may be, in the
repository specified in the digital signature certificate for publication of such notice U/s. 39

37. Where any digital signature certificate, the Public Key of which corresponds to the Private Key
of that subscriber which is to be listed in the digital signature certificate has been accepted by
the subscriber, the subscriber shall generate that key pair by applying the security procedure
[Section 40]

38. In respect of electronic signature certificate, the subscriber shall perform such duties as may
be prescribed [Section 40A]

39. A subscriber shall be deemed to have accepted a digital signature certificate if he publishes or authorizes the publication of the digital signature certificate to one or more persons or in a repository, or otherwise demonstrates his approval of the digital signature certificate in any manner [Section 41]

40. Every subscriber shall exercise reasonable care to retain control of the private key corresponding to the public key listed in his digital signature certificate and take all steps to prevent its disclosure. If the private key has been compromised, the subscriber shall communicate the same without any delay to the certifying authority in the prescribed manner. [Section 42]

41. Contraventions, penalties and damages U/s. 43 of the ITAA, 2008

If any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network -

a. Accesses or secures access to such computer, computer system or computer network or computer resource;
b. Downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network, including information or data held or stored in any removable storage medium;
c. Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
d. Damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programmes residing in such computer, computer system or computer network;
e. Disrupts or causes disruption of any computer, computer system or computer network;
f. Denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
g. Provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made there under;
h. Charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system or computer network;
i. Destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
j. Steals, conceals, destroys or alters, or causes any person to steal, conceal, destroy or alter, any computer source code used for a computer resource with an intention to cause damage

he shall be liable to pay damages by way of compensation to the person so affected.

 Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected [Section 43A]

42. Penalty for failure to furnish information, return etc. U/s. 44

If any person who is required under this Act or any rules made there under

 Fails to furnish any document, return or report to the Controller or the certifying authority, he shall be liable to a maximum penalty of Rs. 150000/- for each such failure
 Fails to file any return or furnish any information, books or other documents within the time specified, he shall be liable to a maximum penalty of Rs. 5000/- for every day during which such failure continues
 Fails to maintain books of accounts or records, he shall be liable to a maximum penalty of Rs. 10000/- for every day during which the failure continues

43. Section 45 provides for residuary penalty under this act for contraventions against which no
specific penalty if mentioned. The amount of penalty shall be a maximum of Rs. 25000/-

44. Section 46 confers the power to adjudicate contraventions under the Act on an officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government. Such appointment shall be made by the Central Government.

 The person to be appointed must possess adequate experience in the field of information technology and such legal or judicial experience as may be prescribed by the Central Government.

 The adjudicating officer so appointed shall exercise jurisdiction to adjudicate matters in which the claim for injury or damage does not exceed Rs. 5 crores. If the claim exceeds Rs. 5 crores, jurisdiction vests with the competent court.

 The adjudicating officer shall be responsible for holding an inquiry in the prescribed manner after giving a reasonable opportunity of being heard and thereafter imposing a penalty where required.

45. Section 47 provides that while deciding upon the quantum of compensation, the adjudicating
officer shall have due regard to the amount of gain of unfair advantage and amount of loss
caused to any person as well as the repetitive nature of default.

46. Sections 48 & 49 provide for the establishment of one or more “Cyber Regulations Appellate
Tribunal” which shall consist of one “Presiding Officer of the Tribunal”, who shall be appointed
by the Central Government by Notification in the Official Gazette and must be qualified to be a
judge of the High Court.

47. Other members of the tribunal may be appointed by the Central Government and must be from
amongst the persons having special knowledge of, and professional experience in information
technology, telecommunication or consumer affairs. [Section 50]

48. The presiding officer or the member has a term of 5 years or up to a maximum age of 65 years.
[Section 51]

49. Section 52 provides that the salary and allowances payable to the chairperson and members
of the tribunal shall be as prescribed.

50. Powers of the tribunal

 Powers of superintendence, direction etc. [52A]
 Distribution of business among benches [52B]
 Powers of the chairperson to transfer cases among benches [52C]
 Decision by majority [52D]

51. Section 53 provides that in the situation of any vacancy occurring in the office of the presiding
officer of the tribunal, the Central Government shall appoint another person in accordance with
the provisions of the act.

52. Section 54 provides that the chairperson or other members of the tribunal may, by notice in
writing, addressed to the Central Government, resign from his office. It shall be a three months
notice

53. A shortcoming in the constitution of the tribunal will not invalidate its proceedings [Section 55]

54. The Central Government shall provide staff for the tribunal and they shall function according to
the instructions of the presiding officer and their salaries shall be prescribed.[Section 56]

55. Any person aggrieved by an order of the Controller or an adjudicating officer may prefer an appeal to the tribunal. No appeal shall lie against an order made with the consent of the parties. The appeal shall be filed within 45 days from the date on which a copy of the order is received. On receipt of an appeal, the tribunal shall, after giving the parties an opportunity of being heard, pass such orders as it thinks fit, confirming, modifying or setting aside the order appealed against. The tribunal shall endeavour to dispose of the appeal finally within 6 months from the date of its receipt [Section 57]

56. U/s. 58, the tribunal shall be bound by the principles of natural justice and shall have powers to
regulate its own procedure including the place at which it shall have its sittings. The tribunal
shall have the powers vested in a civil court and every proceeding before the tribunal shall be a
judicial proceedings

57. The appellant has the right to legal representation before the tribunal,[Section 59] and the
provisions of Limitation Act, 1963, shall as far as may be apply to an appeal made to the Cyber
Appellate Tribunal [Section 60]

58. No civil court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which the tribunal or an adjudicating officer is empowered to determine [Section 61]

59. Appeal against the order of the tribunal can be filed with the High Court within 60 days from the
date of order on any question of law [Section 62]

60. Section 63 provides that any contravention under this Act may be compounded by the Controller or the adjudicating officer, either before or after the institution of adjudication proceedings, subject to such conditions as he may impose.

The compounding sum shall not exceed the maximum amount of penalty which may be imposed for that contravention, and compounding is not available to a person who commits the same or a similar contravention within a period of three years from the date on which the first contravention was compounded

61. Section 64 provides for recovery of penalty as arrears of land revenue and for suspension of
the license or digital signature certificate till the time the penalty is paid

62. Section 65 provides for punishment with imprisonment up to three years, or with a fine which may extend to Rs. 2 lakhs, or with both, for whoever knowingly or intentionally conceals, destroys or alters, or causes another to conceal, destroy or alter, any computer source code that is required by law to be kept or maintained.

63. Section 66 (as amended in 2008) provides that a person who dishonestly or fraudulently does any of the acts referred to in section 43 (the conduct described above as hacking) shall be punished with imprisonment up to 3 years or with a fine up to Rs. 5 lakhs or with both.

64. Section 66A deals with punishment by way of imprisonment up to a maximum of three years
for sending offensive messages through communication service. Any person who sends an
information which is offensive or has a menacing character or any information which the
sender knows to be false shall be liable to punishment U/s. 66A

65. Section 66B deals with punishment for dishonestly receiving computer resource or
communication device knowingly or having reason to believe the same to be stolen computer
resource or communication device. The punishment is imprisonment for a term up to three
years or a fine up to a maximum of Rs. 1 lakh or both

66. Section 66C provides that whomsoever, fraudulently or dishonestly makes use of electronic
signature, password or any other unique identification feature of any other person, shall be
punished with imprisonment of a maximum of three years and fine up to Rs. 1 lakh.

138
10 INFORMATION TECHNOLOGY
(AMENDED) ACT, 2008
67. Section 66D provides that whoever, by means of any communication device or computer
resource, cheats by personation shall be punished with imprisonment up to three years and a
fine up to Rs. 1 lakh.

68. Section 66E provides that whoever intentionally or knowingly captures, publishes or
transmits the image of a private area of any person without his or her consent, under
circumstances violating the privacy of that person, shall be punished with imprisonment
up to three years and / or a fine up to Rs. 2 lakhs.

69. Section 66F provides punishment for acts of cyber terrorism.

Whoever, with intent to threaten the unity, integrity, security or sovereignty of India or to
strike terror in the people or any section of the people,

 denies or causes the denial of access to any person authorized to access a computer
resource; or
 attempts to penetrate or access a computer resource without authorization or by exceeding
authorized access; or
 introduces or causes to be introduced any computer contaminant,

and by means of such conduct causes or is likely to cause death or injury to persons or damage
to or destruction of property, or disrupts or knows that it is likely to cause damage or disruption
of supplies or services essential to the life of the community, or adversely affects the critical
information infrastructure specified U/s. 70, commits cyber terrorism.

Punishment for cyber terrorism is imprisonment up to life.

70. Section 67 provides that whoever transmits or publishes, or causes to be published or
transmitted, any material which is obscene in the electronic form shall be punished with
imprisonment for a term up to five years and a fine up to Rs. 1 lakh for the first conviction. In the
event of a second or subsequent conviction, the punishment is imprisonment for a term up to ten
years and a fine up to Rs. 2 lakhs.

71. Section 67 A provides punishment for publishing or transmitting material containing a sexually
explicit act, etc. in electronic form. Punishment for the first conviction is imprisonment up to five
years and a fine up to Rs. 10 lakhs. Punishment for further convictions is imprisonment up to
seven years and a fine up to Rs. 10 lakhs.

72. Section 67 B provides punishment for publishing or transmitting material depicting children in
an explicit act, etc. in electronic form. Punishment for the first conviction is imprisonment up to five
years and a fine up to Rs. 10 lakhs. Punishment for further convictions is imprisonment up to
seven years and a fine up to Rs. 10 lakhs.

73. Section 67 C relates to preservation and retention of records by intermediaries:

 The intermediary shall preserve and retain such information as may be specified, for such
duration and in such manner and format as the Central Government may prescribe
 Contravention shall lead to imprisonment up to three years and also a fine

74. Section 68 provides that the controller may give directions to a certifying authority or any
employee of such authority to take such measures or cease carrying on such activities as
specified in the order, so as to ensure compliance with this law. If any person fails to comply,
he shall be liable to imprisonment up to 3 years or a fine up to Rs. 2 lakhs or both.

75. Section 69 empowers the controller, if he is satisfied that it is necessary or expedient to do so
in the interest of the sovereignty and integrity of India, security of the state, friendly relations
with foreign states or public order, to intercept any information transmitted through any
computer system or computer network.

 Section 69 A empowers the Central Government or any of its officers, if satisfied that it is
necessary or expedient to do so in the interest of the sovereignty and integrity of India, security
of the state, friendly relations with foreign states or public order, to direct, by order in writing,
any government agency to block access by the public, or cause to be blocked for access by
the public, any information generated, transmitted, received, stored or hosted in any computer
resource. Contravention shall lead to imprisonment up to seven years and also a fine.

76. Section 69 B empowers the Central Government to authorize the monitoring and collection of
traffic data or information through any computer resource for cyber security. The Central
Government may, to enhance cyber security and for identification, analysis and prevention of any
intrusion or spread of computer contaminant in the country, by Notification in the Official Gazette,
authorize any agency of the government to monitor and collect traffic data or information
generated, transmitted, received or stored in any computer resource.

77. Section 70 empowers the appropriate government to declare by notification, any computer, or
computer system or computer network to be a protected system. Any unauthorized access of
such systems will be punishable with imprisonment which may extend to ten years or with fine.

78. U/s. 70 A, the Central Government may, by Notification in the Official Gazette, designate any
organization of the government as the national nodal agency in respect of critical information
infrastructure protection.

79. U/s. 70 B, the Central Government shall, by Notification in the Official Gazette, appoint an
agency of the government to be called the Indian Computer Emergency Response Team and
shall provide the agency with a Director General and such other officers and employees.

It shall perform the following functions in the area of cyber security:

 Collection, analysis and dissemination of information on cyber incidents
 Forecasts and alerts of cyber security incidents
 Emergency measures for handling cyber security incidents
 Coordination of cyber incident response activities
 Issue of guidelines, advisories, vulnerability notes and white papers relating to information
security practices, procedures, prevention, response and reporting of cyber incidents
 Such other functions relating to cyber security as may be prescribed

80. Section 71 provides that any person found misrepresenting or suppressing any material fact
from the controller or the certifying authority shall be punished with imprisonment extending up
to two years or a fine up to Rs. 1 lakh.

81. Section 72 provides punishment for breach of confidentiality and privacy of electronic
records, books, information, etc. by a person who has access to them and discloses them without
the consent of the person to whom they belong, with imprisonment up to two years or a fine up to
Rs. 1 lakh or both.

82. Section 72 A provides that any person, including an intermediary, who, while providing services
under the terms of a lawful contract, has secured access to any material containing personal
information about another person and, with the intent to cause or knowing that he is likely to cause
wrongful loss or wrongful gain, discloses it without the consent of the person concerned or in
breach of a lawful contract, shall be punished with imprisonment up to three years and a fine up to
Rs. 5 lakhs.

83. Section 73 provides punishment for publishing a digital signature certificate that is false in material
particulars, or otherwise making it available to any person, with imprisonment for a term which
may extend to two years and / or a fine up to Rs. 5 lakhs.

84. Section 74 provides punishment for knowingly publishing a digital signature certificate for
fraudulent purposes with imprisonment for a term which may extend to two years and / or a fine
up to Rs. 1 lakh.

85. Section 75 provides punishment for the commission of any offence or contravention by a person
outside India (irrespective of nationality) if the offence involves a computer, computer system
or computer network located in India.

86. Section 76 provides for confiscation of any computer (system), storage devices or other
accessories related thereto in respect of contravention of any provision of this act.

87. Section 77 provides that no provision of this act shall prevent the award of compensation or
the imposition of penalty or punishment under any other law in force.

88. Section 77A provides that a court may compound offences subject to the following:

 Punishment of imprisonment is for a period < 10 years
 The accused is not liable to enhanced punishment or punishment of a different kind
 The offence does not affect the socio-economic conditions of the country
 The offence is not committed against a woman or a child < 18 years of age

89. Section 77B states that offences punishable with imprisonment of more than three years shall
be cognizable and those punishable with less than three years shall be bailable.

90. Section 78 provides for the power to investigate offences under this act by a police officer not
below the rank of deputy superintendent of police.

91. Section 79 provides that a network service provider shall not be liable for any third party
information or data made available by him if he proves that the offence was committed
without his knowledge or consent.

92. Section 79 A provides that the Central Government may, for the purpose of providing expert
opinion on evidence in electronic form before any court or other authority, specify, by notification
in the Official Gazette, any department, body or agency of the Central Government or a state
government as an examiner of electronic evidence.

93. Section 80 provides that a police officer, not below the rank of an inspector, or any other
officer of the Central Government or the State Government may enter any public place and
search and arrest without warrant any person found therein who is reasonably suspected of
having committed, of committing or of being about to commit any offence under this act. The
person so arrested shall be taken before a magistrate having jurisdiction.

94. Section 81 provides that the provisions of this act shall have effect notwithstanding anything
inconsistent therewith contained in any other law for the time being in force.

95. Section 81 A relates to the application of the provisions of this act to electronic cheques and
truncated cheques, subject to such modifications and amendments as may be necessary for
carrying out the purposes of the Negotiable Instruments Act.

96. As per Section 82, the chairperson, members and other officers and employees of the cyber
appellate tribunal shall be deemed to be public servants.

97. As per Section 83, the Central Government may give directions to the State Government as to
carrying into execution in the state any of the provisions of this act.

98. U/s. 84, no suit shall be entertained by any court against any authority, including the government,
for anything which is done in good faith or intended to be done in pursuance of this act.

99. The Central Government may, for the secure use of the electronic medium and for the promotion
of e-governance, prescribe the modes or methods for encryption U/s. 84 A.

100. U/s. 84 B, whoever abets an offence shall, if the act abetted is committed in consequence of
the abetment and no express provision is made in the act for punishment of such
abetment, be punished with the punishment provided for the offence under this act.

101. Punishment for an attempt to commit an offence mentioned under this act shall be imprisonment
extending to one half of the longest term of imprisonment provided for that offence and / or
a fine [Section 84 C].

102. Where the person committing a contravention is a company, every person who, at the time of
committing the contravention, was responsible to the company for conduct of the business of
the company as well as the company, shall be guilty of the contravention and shall be liable
to be proceeded against and punished accordingly. [Section 85]

103. If any difficulty arises in giving effect to the provisions of this act, the Central Government
may, by order published in the official gazette, make such provisions not inconsistent with the
provisions of this act as appear to it to be necessary or expedient for removing the difficulty.
[Section 86]

104. The Central Government may, by Notification in the Official Gazette, make rules to carry out
the provisions of the act [Section 87].

105. The Central Government shall, as soon as may be after the commencement of this act,
constitute a committee called the Cyber Regulations Advisory Committee, which shall consist
of a chairperson and other official and non-official members. [Section 88]

The committee shall advise –

 The Central Government, either generally as regards any rules or for any other purpose
connected with this act;
 The controller in framing regulations under this act

106. The controller may, after consultation with the committee and with the previous approval of
the Central Government, by Notification in the Official Gazette, make regulations consistent
with this act and the rules made thereunder to carry out the purposes of this act. [Section
89]

Such regulations may provide for all or any of the following matters, namely:

a) The particulars relating to the maintenance of a database containing the disclosure record
of every certifying authority
b) The conditions and restrictions subject to which the controller may recognize any foreign
certifying authority
c) The terms and conditions subject to which a license may be granted
d) Other standards to be observed by a certifying authority
e) The manner in which the certifying authority shall disclose specified matters
f) The particulars of the statement accompanying an application
g) The manner by which a subscriber communicates the compromise of a private key to the
certifying authority

107. Power of the State Government to make rules U/s. 90:

 The State Government may, by Notification in the Official Gazette, make rules to carry out
the provisions of this act
 Such rules may provide for the electronic form in which filing, issue, grant, receipt or
payment shall be effected

***
