PHASE | CHAPTER NO.
1 | 6 to 10
2 | 11, 12 & 19
3 | 13 & 14
4 | 18, 15, 16 & 17
5 | 3, 4 & 5
6 | 1 & 2
PHASE | CHAPTER NO. IN STUDY MATERIAL | CHAPTER NAME | PAGE NO.
I | 6 | Enabling Technologies | 1 to 2
I | 7 | System Development Process | 3 to 6
I | 8 | System Design | 7
I | 9 | System’s Acquisition, Software Development & Testing | 8 to 9
I | 10 | System Implementation & Maintenance | 10
II | 11 | Design of Computerised Commercial Applications | 11
II | 12 | Enterprise Resource Planning – Redesigning Business | 12 to 14
II | 19 | CASE Tools & Digital Technology | 15 to 16
III | 13 | General Controls in EDP Set-up | 17 to 19
III | 14 | Application Controls in EDP Set-up | 20 to 21
IV | 18 | Information Security | 22 to 23
IV | 15 | Detection of Computer Frauds | 24 to 25
IV | 16 | Cyber Laws & Information Technology Act, 2000 | 26 to 27
IV | 17 | Audit of Information System | 28 to 29
V | 3 | Basic Concepts of MIS | 30 to 31
V | 4 | System’s Approach & Decision Making | 32
V | 5 | Decision Support & Executive Information System | 33
VI | 1 | Basic Concepts of System | 34 to 35
VI | 2 | Transaction Processing System | 36
Mainframe Architecture
- Dumb terminal
- Non-GUI
- Higher costs
- Supports every hardware platform

Personal Computers
- Independent PC
- No sharing of data & resources

File-Server Architecture
- Dumb server, smart terminal
- Supports GUI
- Network traffic
- Sends entire file
- Max. 12 users
Preliminary Investigation
Present System | Proposed System
- System Flow Chart (documents the flow of the system & information processing procedures)
- Data Flow Diagram (flow of data within an organisation)
- Layout of forms & screens (pre-printed forms)
- System Components Matrix
- CASE Tools (automation of anything that humans do to develop systems)
- Data Dictionary (computer file containing descriptive information about the data items)
- System Components & Flows
- User Interface
- Data attributes & relationships
- Detailed system process
- Review System’s Requirements
- Developing a model
Logical Design | Physical Design
- Convey information (past, current & future projections)
- Signal important events
- Trigger an action
- Confirmation of an action
1. Capability & Quality
1. Program Flow Charts (graphical format)
Equipment Installation
- Installation checklist.
- Site preparation. [Space occupied by equipment & people. Proper control for temperature, dust & humidity.]
- Equipment check-out.

Training Personnel
- System operator training. [Trouble-shooting list, i.e. list of probable errors & their remedies]
- User training.

Conversion Procedure
Conversion Strategy
1) Direct changeover (straightforward dropping of the old system & using the new one; thorough testing is required before this conversion)
2) Parallel conversion (running both old & new systems)
3) Gradual conversion [combined features of (1) & (2)]
4) Modular prototype conversion.
5) Distributed conversion [one entire conversion is done at one site.]
Activities Involved
1) Procedure conversion.
2) File conversion.
3) System conversion.
4) Scheduling personnel & equipment.
5) Alternative plans in case of equipment failure.

Post-Implementation Evaluation
- Evaluate whether the new system is working properly & the users are satisfied.
- Current adjustments in the new system.
- Proposed adjustments in case of future development.
Dimensions
1) Development evaluation [on schedule & within budget]
2) Operation evaluation.
3) Information evaluation.
|
Payroll Accounting System
Inventory Control System {Raw Material, WIP & Finished Goods}
Sales Order Processing

ERP
[Diagram: ERP → Modules → Components]
- Identifying the needs for implementing ERP.
Positives
1. Increased productivity.
2. Automation of processes.
3. Improvement in KPIs.
4. Elimination of manual work.
5. Total integration.
6. Real-time information.
7. Improved networking features.

Negatives
1. Job redundancy.
2. No secrecy of departmental data.
3. Loss of control & authorization.
Enterprise Controlling – Consolidated Statements (EC-CS)
- Automatic consolidation of various branches & subsidiaries.
- Inter-branch transfers are eliminated.

Enterprise Controlling – Profit Centre Allocation (EC-PCA)
- Consolidated figures are allocated to the respective profit centres.
- Inter-branch transfers are considered.

Enterprise Controlling – Executive Information System
- EC-CS & EC-PCA are integrated & inter-firm comparisons are made for decision making.
CASE Technology
Tools: support individual process activities, e.g. Editors, Compilers, File Compactors.
Workbenches: support a set of related activities, e.g. Analysis & Design, Programming, Testing.
Environment: supports almost all the activities, e.g. Integrated Environment, Process Centered Environment.
Workbenches are also classified as: Multi-method Workbenches; Single Workbenches; General Purpose Workbenches; Large Specific Workbenches.
CASE Workbenches

Programming Workbench
Set of tools to support program development, e.g.:
- Language compiler
- Structured editor
- Linker
- Loader
- Cross-referencer
- Interactive debugger, etc.

4GL Workbench
Produces interactive applications which extract information from a DBMS & present it to the end user; updates the DBMS with changes made by the end user, e.g.:
- Query language
- Form design tools
- Spreadsheet
- Report generator, etc.

Analysis & Design Workbench
Supports the analysis & design stage of software, e.g.:
- Diagram editor
- Data dictionary
- Forms definition tools
- Import/export facility
- Code generators, etc.

Testing Workbench
Helpful in testing systems before implementation, e.g.:
- Test manager
- Oracle
- File compactor
- Report generator
- Simulators, etc.

Meta-CASE Workbench
Used to generate other CASE tools. 5 aspects:
1. Data model
2. Frame model
3. Diagrammatic notation
4. Textual presentation
5. Report structures
Protection
Of | From
Operating System | Itself
Operating System | Its environment
Operating System | Users
Users | Each other
Users | Themselves
OS Control

OS Security
1. Log-on procedure. [User ID & password] After log-on, an access token is created by the OS for each session.
2. Access Token. [Contains user ID, password & privileges granted]
3. Access Control List. [List of privileges of all the users]
4. Discretionary access control. [One valid user can assign privileges to another at his discretion]

Threats to OS integrity
1. Accidental. [Hardware failure, OS failure]
2. Intentional. [Abused authority & intruders]
3. Computer virus.

Controlling against Virus, etc.
1. Virus. [Penetrates the OS]
2. Worm. [Occupies idle memory]
3. Logic Bomb. [Triggered by a pre-determined event]
4. Back Door. [Unauthorised access]
5. Trojan Horse. [Captures IDs & passwords]
Controlled by:
1. Anti-virus program
2. Anti-viral program/vaccine [runs continuously on a computer system to detect viruses]

Controlling Audit Trail
Objectives:
1. Detecting unauthorized access. [Real time / subsequently]
2. Analyzing the reasons for such an event.
3. Personal accountability.
Access Controls
- Flat File System: easy to control.
- DBMS: 5 control features:
  1. User View – privileges to required users only.
  2. Database Authorization Table – contains the actions a user can take.
  3. User Defined Procedures – series of personal questions.
  4. Data Encryption
  5. Biometric Devices – fingerprints, voice prints, etc.

Back-up Controls
- Back-up may be on magnetic disc or on magnetic tape.
- 4 features:
  1. Back-up
  2. Transaction Log – provides an audit trail.
  3. Checkpoint – several checkpoints in 1 hour.
  4. Recovery Module
|
Risks
1. Fire Damage
2. Water Damage
3. Energy Variations
4. Pollution Damage
5. Unauthorised Intrusion

Controls
1) Disaster Recovery Plan
   i. Emergency Plan
   ii. Back-up Plan
   iii. Recovery Plan
   iv. Test Plan
2) Insurance of Hardware & Data
|
5. System Development Controls
i. System Authorisation – evaluation of the system before development.
ii. User Specifications – active involvement of users during the development phase.
iii. Technical Design – documentation of user specifications and the development process.
iv. Internal Audit Participation
v. Program Testing
vi. User Acceptance

6. System Maintenance Controls
i. Maintenance Authorisation, Testing & Documentation.
ii. Source Program Library (SPL) Controls – documentation of retrieval, change, obsolescence, etc. of programs in the SPL.
iii. Password Control in SPL
iv. Audit Trail & Management Report
v. Program Version Number
vi. Message Sequence Numbering
|
[Diagram: packets exchanged between User and Server: SYN, ACK, ACD, SYN/ACK, ACD]
- The receiving server is blocked due to non-receipt of ACD packets and the legitimate user is prohibited from communicating.
|
Risks
1. Incompatibility of hardware / software.
2. Poor data security
3. Decentralisation of processing
4. Computer virus
5. No thorough testing.
6. Weak access control
7. Inadequate back-up procedures

Controls
1. Centralizing PC purchase
2. Physical locking of hardware
3. Regulating the use of floppies
4. Proper training
5. Virus prevention
6. Proper back-up arrangement – floppy, dual internal hard disks, external hard disk, tape back-up.
7. Multi-level password control.
|
Field Interrogation
- Examines the characters in the field.
  i. Limit Check
  ii. Data Type Check (alphabetic / numeric)
  iii. Valid Code Check
  iv. Check Digit
  v. Arithmetic Check
  vi. Cross Check

Record Interrogation
  i. Sequence Check
  ii. Completeness Check
  iii. Combination Check
  iv. Redundant Data Check
  v. Password
  vi. Authorisation

File Interrogation
- Ensures that the required file is being processed.
  i. Internal Label Check
  ii. Version Check
  iii. Expiration Date Check – prevents deletion before expiry.
|
Individuals | Responsibilities
Executive Management | Overall responsibility
IS Security Professionals | Design & implementation of the security policy
Data Owners | Maintaining accuracy & integrity
Process Owners | Ensuring appropriate security is embedded in their IS
Technology Providers | Assist in implementation of the information security system
Users | Follow the set procedures
IS Auditors | Independent assurance
|
Internal Threats
1. Input [alter computer input]
   - Collusive fraud (banking fraud)
   - Disbursement fraud (payment against false bills)
   - Payroll fraud (fictitious employees)
   - Cash receipt fraud
2. Processor [unauthorised use of computer system / services / time]
3. Computer Instructions [tampering with the software]
4. Data [altering / damaging / copying the company’s data]
5. Output [misuse of printed / displayed output]
6. E-mail [altering the content]

External Threats
1. Removal of information
2. Destruction of integrity
3. Interference with web pages
4. Virus by e-mail
5. Interception of e-mail
6. Interception of EFTs
|
License – issues digital certificates
Order of CAT (set aside, confirm or modify the order appealed against)
Appeal to HC (may be on a question of law / fact)
|
IS Auditor must ensure that provisions are made for:

Management
- Determining the objectives
- Developing plans
- Securing & organizing various resources
- Exercising adequate controls
- Monitoring the results

Information
- Reprocessing of data & putting them into a meaningful & useful context

System
- Consisting of a number of elements operating together for the accomplishment of an objective.
|
Environmental Information
- Govt. policies
- Factors of production
- Technological information
- Economic trend

Competitive Information
- Industry demand
- Firm demand
- Competitive data

Internal Information
- Sales forecast
- Financial budget
- Supplier factors
- Internal policies
|
Top Level (Strategic Level)
- Determining the overall goals & objectives
- Economic / political / social information
- Competitive information

Middle Level (Tactical Level)
- Sales Manager, Purchase Manager, Finance Manager
- Most of the information is internal
- Demand & supply information

Supervisory Level
- Section officers, foremen
- Instruct and supervise employees
- Make routine & day-to-day decisions.
|
Finance & Accounting
Financial decision making involves decisions regarding the procurement & effective utilization of funds.
- Estimation of funds & their timing.
- Capital structure (optimum mix)
- Capital budgeting (investment)
- Profit planning
- Tax management
- Working capital management
- Current assets management.

Production
- Production planning
- Production control
- Material requirement planning (MRP)
Production Planning = What to produce + When to produce + How to produce.

Marketing
Marketing bridges the gap between the firm & its customers.
- Sales support & analysis.
- Market research & intelligence.
- Advertising & promotion.
- Product development & planning.
- Product pricing
- Customer service
3 types of information
- Internal
- Competitive
- Environmental

Personnel
- Proper recruitment
- Placement
- Training
- Compensation
- Maintenance
- Health & safety
Sources of information
- Accounting information system
- Payroll processing
|
1. Data based software
- Supra-system is an entity formed by a system / sub-system and its related systems / sub-systems.