Columns: S.No., Name, Brief, Details

1. ITIL (IT service management, ITIL V3)

The Information Technology Infrastructure Library (ITIL) is a set of best practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. It is the most widely used best-practice framework for IT service management worldwide, developed by the UK Office of Government Commerce (OGC) and supported by publications, qualifications and an international user group. It assists organisations in developing a framework for IT service management and consists of a series of core books giving guidance on the provision of quality IT services, covering service management and operations.

2. ISO 20000 (Service management operation)

The standard is published in separate parts:
Part 1 provides the requirements for IT service management against which certification is granted. It is relevant to those responsible for initiating, implementing or maintaining IT service management in their organisation. Senior management are responsible and accountable for ensuring all requirements of Part 1 are met if certification is sought.
Part 2 is the Code of Practice for Service Management. It provides guidance to internal auditors and assists service providers planning service improvements or preparing for audits against ISO 20000.
Part 3 covers scope and applicability: advice on scoping for service management, planning and improvements.

3. ISO 27000 series (Information Security)

This family contains the specification for an information security management system (ISMS), which replaced the old BS7799-2 standard.

ISO 27001
The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS (Information Security Management System). BS7799 itself was a long-standing standard, first published in the nineties as a code of practice; as it matured, a second part emerged to cover management systems, and it is this part against which certification is granted. Today in excess of a thousand certificates are in place across the world.

ISO 27002
The ISO 27002 standard is the renamed ISO 17799 standard and is a code of practice for information security. It outlines hundreds of potential controls and control mechanisms which may be implemented, subject to the guidance provided within ISO 27001.

ISO 27003
The purpose of ISO 27003 is to provide help and guidance in implementing an ISMS, with a focus on the PDCA (Plan, Do, Check, Act) method for establishing, implementing, reviewing and improving the ISMS itself.

ISO 27004
Published in December 2009, ISO 27004 provides guidance on the development and use of measures and measurement for assessing the effectiveness of an implemented ISMS and its controls, as specified in ISO 27001. The appendix also suggests metrics selected to align with ISO 27002.

ISO 27005
ISO 27005 is the prime 27000-series standard covering information security risk management. It provides guidelines for information security risk management (ISRM) in an organisation, specifically supporting the requirements of an ISMS as defined by ISO 27001.

ISO 27006
This standard offers guidelines for the accreditation of organisations which offer certification and registration with respect to an ISMS. It was overseen by ISO's committee SC 27. The previous standard on this issue was EA 7/03, which ISO 27006 has effectively replaced to meet market demands to better support ISO 27001. It documents the requirements additional to those specified within ISO 17021, which covers the more generic requirements for bodies auditing and certifying management systems.

4. SOX 404

5. SAS 70

6. COBIT

COBIT (Control Objectives for Information and related Technology) is a widely used framework containing best practices for both IT general controls (ITGC) and application controls. It consists of domains and processes. Its basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods for evaluating an enterprise's IT controls.

COBIT was originally released in 1996 by the Information Systems Audit and Control Foundation (ISACF); the current primary publisher is the IT Governance Institute, formed by the Information Systems Audit and Control Association (ISACA) in 1998. COBIT was formed through research of sources such as the technical standards from ISO, codes of conduct issued by the Council of Europe and ISACA, and professional standards for internal control and auditing issued by COSO, AICPA, GAO, etc. These sources were used to make COBIT both pragmatic and responsive to business needs while remaining independent of the technical IT platforms adopted in an organisation.

7. ITGC

Information technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. IT general controls (ITGC) represent the foundation of the IT control structure: they help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control that need to be in place to achieve financial reporting and disclosure objectives: control environment, risk assessment, control activities, information and communication, and monitoring. COBIT provides similarly detailed guidance for IT, while the related Val IT concentrates on higher-level IT governance and value-for-money issues. The five COSO components can be visualised as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate.

8. COSO

9. CMMI

PCI DSS (Payment Card Industry Data Security Standard)

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and so reduce credit card fraud arising from its exposure. Validation of compliance is done annually: by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

PCI DSS version 2.0 was released in October 2010.

Checklist

ITIL: areas covered
Service Support: Incident Management, Problem Management, Change Management, Release Management, Configuration Management
Service Delivery: Service Level Management, Availability Management, Capacity Management, IT Service Continuity Management, Financial Management for IT Services
Service Desk (an ITIL function rather than a process)
(This grouping into Service Support and Service Delivery is the ITIL v2 book structure; ITIL v3 reorganised the same processes into the service lifecycle.)

ISO 20000
Management Systems: Management Responsibility, Documentation Requirements, Competences, Awareness & Training
Planning and Implementation
Planning New Services

COBIT
The four COBIT major domains are: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

ITGC
Change management procedures
Source code/document version control
Software development life cycle
Logical access
Incident management
Problem management
Technical support
Hardware/software
Disaster recovery
Physical security

PCI DSS: the twelve requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

ISO 20000 process model

Management Systems: Management Responsibility, Documentation Requirements, Competences, Awareness & Training
Planning & Implementation: Plan, Implement, Monitor, Improve (Plan, Do, Check, Act)
Planning & Implementing New or Changed Services
Service Delivery Processes: Capacity Management; Service Continuity & Availability Management; Service Level Management; Service Reporting; Information Security Management; Budgeting & Accounting for IT Services
Control Processes: Configuration Management; Change Management
Release Processes: Release Management
Resolution Processes: Incident Management; Problem Management
Relationship Processes: Business Relationship Management; Supplier Management

COBIT processes by domain

Plan and Organise (PO)
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire and Implement (AI)
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Deliver and Support (DS)
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor and Evaluate (ME)
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance With External Requirements
ME4 Provide IT Governance

PCI DSS Audit Questions and Checklists

Date:          Location:          Assessor:

Basic Requirements (for each: Status = Comply / Not Comply; Notes)
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

Audit Checklist (for each: Status = Comply / Not Comply; Notes)
1. Who has access to a specified file or other resource?
2. Who has had access to a given file or other resource in the past?
3. What resources does a given individual have access to across your entire enterprise?
4. That password policies and other directory settings are correct and have remained so over time?
5. That inactive accounts were deleted within the allowed timeframe?
6. That duplicate accounts do not exist?
7. That account removal, modification and addition are performed according to policies and requirements?
8. What security settings are currently in effect in your environment?
9. What security settings have been in effect in your environment in the past?
10. That security settings are consistently applied throughout the environment?
11. What changes have been made to security settings over time?
12. What privileges have been exercised by users, particularly administrative users?
13. Audit logs with all access by all users to all resources?
14. Audit logs with all actions taken by administrators?
15. Audit logs with all access to auditing information?
16. Audit logs with all invalid access attempts?
17. Audit logs with all use of authentication mechanisms such as Active Directory?
18. Audit logs with all initialization (clearing) of audit logs?
19. Audit logs with all creation and deletion of system-level objects?
20. Proof that all systems are up to date with the latest service releases?
21. That you can detect unpatched systems and either correct the problem or alert an administrator to do so?
22. That the correct policies are in place to ensure secure transmission of cardholder data?
23. That secure transmission policies have remained in effect continuously?
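Several of the checklist items above (inactive accounts, duplicate accounts, unpatched systems) are the kind of thing an assessor can answer from a directory export and a patch inventory rather than from policy documents. The following is an added example written for this page, not part of the original checklist or of any PCI SSC material: it runs those three checks over a small constructed data set. The 90-day inactivity window, the patch baseline and all account and host records are assumptions made up for the illustration.

```python
"""Account-hygiene and patch-currency checks matching audit checklist items
5, 6, 20 and 21. Added example with constructed data; the 90-day window and
the patch baseline are assumptions, not values taken from the page."""
from collections import defaultdict
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)  # assumed policy window, not from the page
AS_OF = date(2011, 3, 1)               # constructed audit date

# Constructed directory export: one row per account.
ACCOUNTS = [
    {"user": "jsmith",     "employee_id": "E100", "enabled": True,  "last_logon": date(2011, 2, 20)},
    {"user": "jsmith2",    "employee_id": "E100", "enabled": True,  "last_logon": date(2010, 11, 1)},  # second account for E100
    {"user": "rpatel",     "employee_id": "E200", "enabled": True,  "last_logon": date(2010, 10, 5)},  # stale
    {"user": "svc_backup", "employee_id": None,   "enabled": True,  "last_logon": None},               # never logged on
    {"user": "oldadmin",   "employee_id": "E300", "enabled": False, "last_logon": date(2009, 1, 1)},   # already disabled
]

# Constructed patch inventory checked against an assumed per-platform baseline.
BASELINE = {"win2008": "SP2", "rhel5": "5.6"}
HOSTS = [
    {"host": "db01",  "platform": "win2008", "release": "SP2"},
    {"host": "web01", "platform": "rhel5",   "release": "5.4"},
    {"host": "pos07", "platform": "win2008", "release": "SP1"},
]


def inactive_accounts(accounts, as_of=AS_OF, limit=INACTIVITY_LIMIT):
    """Item 5: enabled accounts whose last logon is older than the limit, or that never logged on."""
    stale = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["last_logon"] is None or as_of - a["last_logon"] > limit:
            stale.append(a["user"])
    return stale


def duplicate_accounts(accounts):
    """Item 6: employee IDs that own more than one enabled account."""
    owners = defaultdict(list)
    for a in accounts:
        if a["enabled"] and a["employee_id"]:
            owners[a["employee_id"]].append(a["user"])
    return {eid: users for eid, users in owners.items() if len(users) > 1}


def unpatched_hosts(hosts, baseline=BASELINE):
    """Items 20-21: hosts whose installed release differs from the baseline for their platform."""
    return [h["host"] for h in hosts if h["release"] != baseline.get(h["platform"])]


def report(accounts=ACCOUNTS, hosts=HOSTS):
    """Map each checklist item to its finding; an empty finding means 'Comply'."""
    return {
        "5_inactive_accounts": inactive_accounts(accounts),
        "6_duplicate_accounts": duplicate_accounts(accounts),
        "20_unpatched_hosts": unpatched_hosts(hosts),
    }


if __name__ == "__main__":
    for item, finding in report().items():
        print(item, "Comply" if not finding else finding)
```

Disabled accounts are skipped deliberately: the checklist asks whether inactive accounts were dealt with inside the allowed window, so an account that has already been disabled is evidence of compliance, not a finding. A real run would feed the functions from an LDAP or Active Directory export and a patch-management report instead of the inline lists.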


Auditing Application Controls

Application Software

Application software is the software that processes business transactions. It could be a payroll system, a retail banking system, an inventory system, a billing system or, possibly, an integrated ERP (enterprise resource planning) system. It is the application software that understands data with reference to their business context; the rules pertaining to the business processes are implemented in the application. Most users interact with the computer systems only through the application software, which both enables and limits the actions a user can take. It is very important to subject application software to a thorough audit because the business processes and transactions involving money, material and services flow through the application software package.

Approach to Auditing Application Software

The first question to ask in an application software review is, "What does the application software do; what business function or activity does it perform?" In this context it is very necessary for the IS auditor to know the business. For application reviews, the IS auditor's knowledge of the intricacies of the business is as important, if not more so, as the technical knowledge. Hence the first step in an application review is to understand the business function/activity that the software serves. This can be done through the study of the operating/work procedures of the organisation or other ... Once this is done, it is necessary to identify the potential risks associated with the business activity/function served by the application (what can go wrong?) and to see how these risks are handled by the software (what ...

Application Software Audit Methodology

The information systems audit of application software should mainly cover the following areas:
Adherence to business rules in the flow and accuracy in processing
Validation of the various data inputs
Logical access control and authorisation
Exception handling and logging

The steps to be performed in carrying out an application software review are as follows:

1. Study and review the documentation relating to the application. The IS auditor may find situations in real life where documentation is not available or is not up to date; in such cases the auditor should obtain technical information about the design and architecture of the system through interviews.

2. Study the key functions of the software at work by observing and interacting with operating personnel during work. This gives an opportunity to see how processes actually flow and also to observe the associated manual activities that ...

3. Run through the various menus, features and options to identify processes and options for conformance to business rules and practices. (Studying the documentation before this can significantly hasten the activity.) To illustrate with an example, it is a well-accepted rule in financial accounting that once an accounting transaction has been keyed in and confirmed on the system to update the ledgers, it should not be edited or modified; the correct method is to pass a fresh reversal transaction to correct errors, if any. However, if the IS auditor ... This kind of run-through can be done more effectively if a development/test system is made available to the IS auditor. In the absence of such a facility, the auditor can only watch the system run by the system administrator and make notes. The auditor is advised not to do any testing on a production system as this could affect ...

4. Validate every input to the system against the applicable criteria. Such validations go a long way in eliminating errors and ensuring data integrity. Apart from simple validations for numeric, character and date fields, all inputs should be validated with range checks, permissible values, etc. Validation checks built on application-specific logic can act as powerful controls not only for ensuring data accuracy but also for preventing undesirable data manipulation. The IS auditor can check validations by actually testing them in the development/test system. Alternatively, looking at the database definitions and the associated triggers and stored procedures would ...

5. Verify access control in the application software. This has two aspects: the inherent design of the access control module, and the nature of access granted to various users and its maintenance. Every application has a number of modules/options/menus that cater to the different functionality provided by the software. Different users will need access to various features based on their responsibilities and job descriptions; all access should be strictly based on the need to know and do. The design of the access control module may be of varied types. Most software checks a combination of user ID and password before allowing access. Access may be controlled for each module, menu option or screen, or controlled through objects. Often the matrix of users versus options/actions becomes too large and complex to maintain, hence it is normal to define roles for different classes of employees, group them together and assign them similar access. The IS auditor should review the design of the access control module keeping in mind the criticality of the ... Having done this, the auditor should proceed to verify whether all existing users have appropriate access as evidenced by their job descriptions and whether access to certain critical activities is allowed only to select ... It is also necessary to verify who has administrator/superuser rights and how such rights are used and controlled. Ideally no one in the IT/development group should have any access to the production data. All actions on the data by the superuser should be logged and verified by the data owners regularly.

6. Verify how errors and exceptions are handled. In many activities the software provides options and ways to reverse transactions, correct errors, allow transactions under special circumstances, etc. Each of these is specific to the business and based on the rules and procedures defined by the organisation. The IS auditor needs to see how the software handles these. Are these circumstances properly authorised in the software? Does it capture the user ID and time stamp for all transactions to provide suitable trails? Are the exceptions and critical ...

7. Correct any weaknesses found at the end of an application review in the software that could lead to errors or compromises in security. These would need to be corrected by changes in design and/or some recoding. While this would be addressed by the IT department, the user or owner of the application from the functional area would want to know whether any of these weaknesses have been exploited by anyone and whether there have been any losses. To answer this question the IS auditor should download all the data for the period ...

8. Evaluate the environment under which the application runs. The audit of the application software alone is not enough. Generally it is prudent to conduct a security review of the operating system and the database in which ...

All critical applications used in an organisation need to be subjected to detailed review by an IS auditor. This is one of the most important aspects of IS audit for a business. The job of application review becomes more complex as the application becomes larger and more integrated. While auditing complex applications, it is always good to start with a generic industry-based template of an audit work program and slowly customise the work ... The IS Auditing Guideline issued by ISACA on Application Systems Review under Performance of Work contains detailed guidelines on planning the review, application risks, documenting the flow of transactions, identifying and testing the application system controls, and reporting. The matter contained in these guidelines has not been reproduced in this article but can be invaluable for an IS auditor seeking guidance or clarification.
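Steps 3 to 6 of the methodology above describe four application controls the auditor is looking for: input validation with range and permitted-value checks, role-based access that restricts critical actions, an append-only ledger in which a confirmed transaction is corrected by a reversal entry rather than edited, and an audit trail carrying the user ID and time stamp of every action, including denied ones. The following is an added illustration written for this page, not code from the ISACA guideline or from any product; the roles, the amount limit, the currency list and the ledger layout are assumptions chosen for the example.

```python
"""Application controls from the audit methodology: input validation,
role-based access, reversal-only correction and an audit trail.
Added example; roles, limits and record layout are assumptions."""
from datetime import datetime, timezone

PERMITTED_CURRENCIES = {"INR", "USD", "EUR"}   # assumed permissible-values check
MAX_AMOUNT = 1_000_000                         # assumed range check
ROLE_RIGHTS = {                                # assumed role matrix: need to know and do
    "clerk":      {"post"},
    "supervisor": {"post", "reverse"},
    "auditor":    {"read_trail"},
}


class ControlViolation(Exception):
    """Raised when an input, access or integrity control rejects an action."""


def validate_entry(account, amount, currency):
    """Input controls: type, format, range and permitted-value checks before posting."""
    if not (isinstance(account, str) and account.isdigit() and len(account) == 8):
        raise ControlViolation("account must be an 8-digit string")
    if not isinstance(amount, int) or not (0 < amount <= MAX_AMOUNT):
        raise ControlViolation("amount out of range")
    if currency not in PERMITTED_CURRENCIES:
        raise ControlViolation("currency not permitted")


class Ledger:
    def __init__(self):
        self.entries = []   # confirmed transactions: appended to, never edited
        self.trail = []     # audit trail: who did what, when, to which entry, with what outcome

    def _log(self, user, action, entry_id, outcome):
        self.trail.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                           "action": action, "entry": entry_id, "outcome": outcome})

    def _authorize(self, user, role, action, entry_id):
        """Access control: the denial itself is recorded so the trail shows attempted misuse."""
        if action not in ROLE_RIGHTS.get(role, set()):
            self._log(user, action, entry_id, "denied")
            raise ControlViolation(f"{role} may not {action}")

    def post(self, user, role, account, amount, currency):
        """Record a new confirmed transaction once access and input controls pass."""
        self._authorize(user, role, "post", None)
        try:
            validate_entry(account, amount, currency)
        except ControlViolation:
            self._log(user, "post", None, "rejected")
            raise
        entry_id = len(self.entries) + 1
        self.entries.append({"id": entry_id, "account": account, "amount": amount,
                             "currency": currency, "reverses": None})
        self._log(user, "post", entry_id, "ok")
        return entry_id

    def reverse(self, user, role, entry_id):
        """Correct an error with a fresh reversal entry; the original is left untouched."""
        self._authorize(user, role, "reverse", entry_id)
        original = next((e for e in self.entries if e["id"] == entry_id), None)
        if original is None:
            raise ControlViolation("no such entry")
        if any(e["reverses"] == entry_id for e in self.entries):
            raise ControlViolation("entry already reversed")
        new_id = len(self.entries) + 1
        self.entries.append({"id": new_id, "account": original["account"],
                             "amount": -original["amount"],
                             "currency": original["currency"], "reverses": entry_id})
        self._log(user, "reverse", entry_id, "ok")
        return new_id

    def balance(self, account):
        return sum(e["amount"] for e in self.entries if e["account"] == account)


def demo():
    """Constructed walk-through: a clerk posts, an out-of-range post is rejected,
    the clerk is denied a reversal, and a supervisor reverses the entry."""
    lg = Ledger()
    lg.post("alice", "clerk", "00012345", 5000, "INR")
    try:
        lg.post("alice", "clerk", "00012345", 2_000_000, "INR")   # range check fires
    except ControlViolation:
        pass
    try:
        lg.reverse("alice", "clerk", 1)                           # access control fires
    except ControlViolation:
        pass
    lg.reverse("bob", "supervisor", 1)
    return lg


if __name__ == "__main__":
    ledger = demo()
    print("balance:", ledger.balance("00012345"))
    for row in ledger.trail:
        print(row)
```

Two points an auditor would test for are built in: there is no method that modifies an existing entry at all, so the "no edits after confirmation" rule is enforced by construction rather than by a flag, and a second reversal of the same entry is refused, which closes the common abuse of reversing a transaction twice to move value. The trail records denied and rejected attempts as well as successes, which is what makes question 6 of the methodology ("does it capture the user ID and time stamp for all transactions?") answerable from the system itself.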

Application control categories: input controls, processing controls, output controls, integrity controls, and management trail.

Testing types: penetration testing, usability, GUI, compatibility, performance, functional, UAT.

SEO checklist (S.No., Parameter, Guideline)

1 Title Tag
1.1 It should always appear immediately after the opening <head> tag.
1.2 It should contain specific keywords and phrases.
1.3 6 to 12 words (less than 60 characters) is a good length for a title tag.
1.4 Keep the words in title case (e.g. Professional Marketing Tips).
1.5 Strive for a keyword density of 25-35% for each keyword.
1.6 Try to keep title tags as unique as possible on each page of your website.

2 The main body text
2.1 Keyword prominence: put the most important keywords into a carefully crafted paragraph at the beginning of your HTML page. Prominence is how close to the start of the area the keyword appears; in general, a keyword that appears closer to the top of the page or area will be more relevant.
2.2 Keyword density: if the page contains fewer than 500 words, keeping 1%-3% of those words as keywords is better; if the page contains more than 500 words, keep 3%-5% of the overall content.
2.3 Try to provide a minimum word count of 250 and a maximum of 750 words on each page.
2.4 Use the alt attribute to describe each image. The alt text is displayed in place of an image if the user has graphics turned off, or as a tooltip when the cursor is placed over it in Internet Explorer. Some search engines, including Google, look for keywords in alt text, e.g.
<img src="image.jpg" alt="Blue Widgets, Red Widgets, and Green Widgets">
2.5 Insert a comment tag in your page; it is hidden and not visible to the user. A couple of search engines read this text, so you may wish to include keywords in it, e.g.
<!-- Blue Widgets, Red Widgets, and Green Widgets -->

3 Meta tags
META description tag:
<meta name="description" content="Your descriptive sentence goes here.">
1. Write it in sentence structure.
2. It should be a 25-30 word (under 150 characters) description relevant to the first text visible on the page.
3. Do not repeat your keywords more than 3 times in the description tag. If you need to, use alternatives (e.g. 'prescription' and 'prescriptions' can be used 3 times each).
4. Minimise the use of "stop words" such as "and, the, of".
5. Keyword phrases that appear earliest in the meta description will generally receive higher ranking value.
6. Include this tag on all pages, describing the content; it should be unique.
7. Don't load your meta description with only keywords.
8. Strive for 6%-20% keyword density.
9. Use a different meta description tag for each page.

META keywords tag:
<meta name="keywords" content="your keywords, go here, separated by a comma">
1. Keep to 100 to 250 characters for better results.
2. Start with the most important and then proceed to the less important.
3. Use keywords/phrases.
4. Do not repeat any word more than 3 times.
5. Do not place repeated keywords close together.
6. If your site has content of interest to a specific geographic location, include the actual location in your keywords meta tag.
7. Use keywords that are actually on the page and reflect the essence of your content.
8. Separate keywords in the meta keywords tag with commas, not spaces.
9. Use lower case in keywords/phrases (e.g. replace the keyword phrase "Website Design" with "website design").
10. Strive for 4%-10% keyword density.

4 Spider-friendly navigation
1. Use the keyword/phrase that best describes the target page.
2. Always use your primary keywords in the link text at least once on the page.
3. Try to place your primary keywords at the start of the link text if possible.
4. Try to use the title attribute in text links, e.g.
<a href="yourpage.html" title="Describe this page.">The link label goes here</a>
5. Avoid using image maps; if needed, make sure to add text links at the bottom of all pages.
6. Do not use long text; limit link text to 40-50 characters.
7. Avoid using JavaScript links.
8. Create text links and use a common navigational menu for all pages.
9. Make sure the pages on your site link to one another, especially the home page.
10. Try to include a site map if you have more than 30 pages.
11. Submit an XML site map to Google (visit: Google Sitemaps).
12. Limit the number of links per page to fewer than 20 for better results.
13. If your website uses Flash, make sure to add text links at the bottom of the page as a supplement to the Flash navigation (Google now takes links from Flash).
14. Try to use keyword phrases in the HTML and image file names.
15. Keep your file names hyphenated (e.g. http://www.hotels-kochi.htm).

5 Reciprocal links
1. Try to get reciprocal links between your site and others in the same industry.
2. Incoming links should use your keyword phrase.
3. Link to others with higher PageRank.
4. Link to your reciprocal-links page from the main page of your website.
5. Avoid using link text such as "links" or "link exchange"; use "Resources" instead.
6. Try to build link categories that best match your site content.
7. Do not provide more than 20 links per page; if needed, split them across an additional page.
8. Use brief text along with links describing the content of the outbound link page.

Site reviewed: www.Mazars.co.in

Title tag
Observation: The title tag at present is "Home Mazars India"; it does not provide a short description of the page or the nature of the site, unlike Ernst & Young, whose title tag is "Advisory, Assurance, Tax, Transaction Services Ernst & Young India - Ernst & Young - India".
Ideal: The title tag is an important part of a website. It is a short description of the page, and the most important words should go first. Every HTML page should have a title tag and all title tags should be unique; do not use the same title tag for multiple documents. It should be inserted into the header of the web page. This carries a score of 1.5 and is very essential for search engines to crawl and index the website.

Main body text
Observation: The keywords describing the nature of the site have not been defined. No alt text is defined for the images.

Meta tags
Observation: Meta tags have not been defined appropriately. The current meta description is "Home Page", which says nothing about the services provided by Mazars or the nature of the site. Meta keywords: not defined.
Ideal: Meta tags are embedded in the HTML code of a page. Insert the META elements at the top of the document, just after the <TITLE> element. The basic syntax is:
<head>
<title>Your Page Title Goes Here</title>
<meta name="description" content="type your description here">
<meta name="keywords" content="type, your, keywords, keyword phrase here">
</head>

Spider-friendly navigation
Observation: Title attributes have not been defined on the links provided on the website, due to which the crawlers may not navigate through the site completely. No site map.

PCAOB Audit Standard 5 Public company accounting oversight board section 319 0.16

0.17

0.18

Enhance the timeliness, availability, and accuracy of information. Facilitate the additional analysis of information. Enhance the ability to monitor the performance of the entitys activities and its policies and procedures. Reduce the risk that controls will be circumvented.

0.19
IT also poses specific risks to an entitys internal control, including

Unauthorized changes to data in master files. Unauthorized changes to systems or programs. Failure to make necessary changes to systems or programs. Inappropriate manual intervention. Potential loss of data.

0.2

0.3

0.31

The significance of changes made to existing systems, or the implementation of new systems The extent to which data is shared among systems The extent of the entitys participation in electronic commerce The entitys use of emerging technologies The significance of audit evidence that is available only in electronic form

0.32

0.77

0.78

0.79

PCAOB Audit Standard 5 Public company accounting oversight board section 319 0.16
An entitys use of IT may affect any of the five components of internal control relevant to the achievement of the entitys financial reporting, operations, or compliance objectives, and its operating units or business functions. For example, an entity may use IT as part of discrete systems that support only particular business units, functions, or activities, such as a unique accounts receivable system for a particular business unit or a system that controls the operation of factory equipment. Alternatively, an entity may have complex, highly integrated systems that share data and that are used to support all aspects of the entitys financial reporting, operations, and compliance objectives.

0.17 The use of IT also affects the fundamental manner in which transactions are initiated, recorded, processed, and reported. fn 8 In a manual system, an entity uses manual procedures and records in paper format (for example, individuals may manually record sales orders on paper forms or journals, authorize credit, prepare shipping reports and invoices, and maintain accounts receivable records). Controls in such a system also are manual and may include such procedures as approvals and reviews of activities, and reconciliations and follow-up of reconciling items. Alternatively, an entity may have information systems that use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format replace such paper documents as purchase orders, invoices, shipping documents, and related accounting records. Controls in systems that use IT consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. An entity's mix of manual and automated controls varies with the nature and complexity of the entity's use of IT.

0.18 IT provides potential benefits of effectiveness and efficiency for an entity's internal control because it enables an entity to

- Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.
- Enhance the timeliness, availability, and accuracy of information.
- Facilitate the additional analysis of information.
- Enhance the ability to monitor the performance of the entity's activities and its policies and procedures.
- Reduce the risk that controls will be circumvented.
- Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

0.19 IT also poses specific risks to an entity's internal control, including

- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
- Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
- Unauthorized changes to data in master files.
- Unauthorized changes to systems or programs.
- Failure to make necessary changes to systems or programs.
- Inappropriate manual intervention.
- Potential loss of data.

0.20 The extent and nature of these risks to internal control vary depending on the nature and characteristics of the entity's information system. For example, multiple users, either external or internal, may access a common database of information that affects financial reporting. In such circumstances, a lack of control at a single user entry point might compromise the security of the entire database, potentially resulting in improper changes to or destruction of data. When IT personnel or users are given, or can gain, access privileges beyond those necessary to perform their assigned duties, a breakdown in segregation of duties can occur. This could result in unauthorized transactions or changes to programs or data that affect the financial statements. Therefore, the nature and characteristics of an entity's use of IT in its information system affect the entity's internal control.
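The two access-control failures named in the paragraph above (privileges beyond those an assigned role needs, and one person holding conflicting duties) are both testable from an entitlement export. The script below is an added illustration and is not part of the standard's text; the users, roles, privileges and the conflict matrix are constructed sample values, and the format of the export (user, system, privilege triples) is an assumption.

```python
"""Segregation-of-duties and excess-privilege checks over an entitlement export.

Added example for paragraph 0.20. All data below is constructed; a real run
would read the same triples from the application's or directory's access report.
"""
from collections import defaultdict

# Constructed sample: pairs of functions that one person should not hold together.
# These are examples of the kind of conflicts an auditor looks for, not a fixed standard list.
CONFLICTING_DUTIES = [
    ("create_vendor", "approve_payment"),
    ("enter_journal", "post_journal"),
    ("modify_program", "run_production_job"),
]

# Constructed sample: the privileges each approved role is entitled to (the "necessary" set).
ROLE_BASELINE = {
    "ap_clerk": {"create_vendor"},
    "gl_accountant": {"enter_journal"},
    "gl_reviewer": {"post_journal"},
    "developer": {"modify_program"},
    "analyst": {"read_reports"},
}

# Constructed sample: which role each user was assigned by management.
USER_ROLES = {
    "alice": "ap_clerk",
    "bob": "gl_accountant",
    "carol": "gl_reviewer",
    "dave": "developer",
    "erin": "analyst",
}

# Constructed sample entitlement export: (user, system, privilege) as actually granted.
SAMPLE_ENTITLEMENTS = [
    ("alice", "ap_system", "create_vendor"),
    ("alice", "ap_system", "approve_payment"),   # conflicts with create_vendor, not in ap_clerk role
    ("bob", "gl_system", "enter_journal"),
    ("carol", "gl_system", "post_journal"),
    ("dave", "erp", "modify_program"),
    ("dave", "erp", "run_production_job"),       # developer able to run production: SoD breakdown
    ("erin", "erp", "read_reports"),
]


def privileges_by_user(entitlements):
    """Collapse the export into {user: set(privileges)} regardless of system."""
    by_user = defaultdict(set)
    for user, _system, privilege in entitlements:
        by_user[user].add(privilege)
    return by_user


def find_sod_violations(entitlements, conflicts=CONFLICTING_DUTIES):
    """Return sorted (user, duty_a, duty_b) for every conflicting pair held by a single user."""
    by_user = privileges_by_user(entitlements)
    violations = []
    for user in sorted(by_user):
        for duty_a, duty_b in conflicts:
            if duty_a in by_user[user] and duty_b in by_user[user]:
                violations.append((user, duty_a, duty_b))
    return violations


def find_excess_privileges(entitlements, user_roles=USER_ROLES, baseline=ROLE_BASELINE):
    """Return sorted (user, system, privilege) grants not covered by the user's approved role.

    A user with no assigned role has an empty approved set, so every grant is flagged.
    """
    excess = []
    for user, system, privilege in sorted(entitlements):
        approved = baseline.get(user_roles.get(user), set())
        if privilege not in approved:
            excess.append((user, system, privilege))
    return excess


if __name__ == "__main__":
    for v in find_sod_violations(SAMPLE_ENTITLEMENTS):
        print("SoD conflict:", v)
    for e in find_excess_privileges(SAMPLE_ENTITLEMENTS):
        print("Excess privilege:", e)
```

The two checks are deliberately separate: an excess grant is a finding against the role design even when it creates no toxic combination, and a toxic combination is a finding even when both privileges are formally part of the role.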

0.30 In making a judgment about the understanding of internal control necessary to plan the audit, the auditor also considers IT risks that could result in misstatements. For example, if an entity uses IT to perform complex calculations, the entity receives the benefit of having the calculations consistently performed. However, the use of IT also presents risks, such as the risk that improperly authorized, incorrectly defined, or improperly implemented changes to the system or programs performing the calculations, or to related program tables or master files, could result in consistently performing those calculations inaccurately. As an entity's operations and systems become more complex and sophisticated, it becomes more likely that the auditor would need to increase his or her understanding of the internal control components to obtain the understanding necessary to design tests of controls, when applicable, and substantive tests.

0.31 The auditor should consider whether specialized skills are needed for the auditor to determine the effect of IT on the audit, to understand the IT controls, or to design and perform tests of IT controls or substantive tests. A professional possessing IT skills may be either on the auditor's staff or an outside professional. In determining whether such a professional is needed on the audit team, the auditor considers factors such as the following:

- The complexity of the entity's systems and IT controls and the manner in which they are used in conducting the entity's business
- The significance of changes made to existing systems, or the implementation of new systems
- The extent to which data is shared among systems
- The extent of the entity's participation in electronic commerce
- The entity's use of emerging technologies
- The significance of audit evidence that is available only in electronic form

0.32 Procedures that the auditor may assign to a professional possessing IT skills include inquiring of an entity's IT personnel how data and transactions are initiated, recorded, processed, and reported and how IT controls are designed; inspecting systems documentation; observing the operation of IT controls; and planning and performing tests of IT controls. If the use of a professional possessing IT skills is planned, the auditor should have sufficient IT-related knowledge to communicate the audit objectives to the professional, to evaluate whether the specified procedures will meet the auditor's objectives, and to evaluate the results of the procedures as they relate to the nature, timing, and extent of other planned audit procedures. fn 9

0.77 In designing tests of automated controls, the auditor should consider the need to obtain evidence supporting the effective operation of controls directly related to the assertions as well as other indirect controls on which these controls depend. For example, the auditor may identify a user review of an exception report of credit sales over a customer's authorized credit limit as a direct control related to an assertion. In such cases, the auditor should consider the effectiveness of the user review of the report and also the controls related to the accuracy of the information in the report (for example, the general controls).

0.78 Because of the inherent consistency of IT processing, the auditor may be able to reduce the extent of testing of an automated control. For example, a programmed application control should function consistently unless the program (including the tables, files, or other permanent data used by the program) is changed. Once the auditor determines that an automated control is functioning as intended (which could be done at the time the control is initially implemented or at some other date), the auditor should consider performing tests to determine that the control continues to function effectively. Such tests might include determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for processing transactions, and that other relevant general controls are effective. Such tests also might include determining that changes to the programs have not been made, as may be the case when the entity uses packaged software applications without modifying or maintaining them.

0.79 To test automated controls, the auditor may need to use techniques that are different from those used to test manual controls. For example, computer-assisted audit techniques may be used to test automated controls or data related to assertions. Also, the auditor may use other automated tools or reports produced by IT to test the operating effectiveness of general controls, such as program change controls, access controls, and system software controls. The auditor should consider whether specialized skills are needed to design and perform such tests of controls.
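Paragraph 0.78 names two tests that an auditor can automate rather than re-perform by hand: that the program in use is the authorized version, and that any change to it went through program change controls. The script below is an added illustration, not part of the standard and not any audit firm's tool. It compares hashes of the deployed programs against an approved baseline and, for anything that differs, looks for an approved change record whose recorded digest matches what is deployed. The program contents, the baseline and the change log are all constructed sample data; the shape of a change record is an assumption.

```python
"""Continued-operation test for automated controls (added example for paragraph 0.78).

Constructed data throughout. In practice the baseline is the digest set captured
when the control was last tested, the deployed set is read from the production
host, and the change log comes from the entity's change management system.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Digest used to identify a program version; any collision-resistant hash would do."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ChangeRecord:
    """Assumed shape of one change-management ticket: which program, what it became, and whether it was approved."""
    program: str
    new_digest: str
    approved: bool


# Constructed sample: program sources as they were when the control was last tested.
APPROVED_SOURCES = {
    "calc_interest.py": b"def interest(p, r): return p * r\n",
    "calc_tax.py": b"def tax(x): return x * 0.20\n",
    "calc_depr.py": b"def depr(c, n): return c / n\n",
}
BASELINE = {name: sha256_hex(src) for name, src in APPROVED_SOURCES.items()}

# Constructed sample: what is actually deployed today.
DEPLOYED = {
    "calc_interest.py": APPROVED_SOURCES["calc_interest.py"],      # unchanged
    "calc_tax.py": b"def tax(x): return x * 0.21\n",                # changed, covered by an approved ticket
    "calc_depr.py": b"def depr(c, n): return c / (n - 1)\n",        # changed, no ticket at all
    "new_module.py": b"print('not in the tested baseline')\n",      # never baselined
}

# Constructed sample change log: one approved ticket, one rejected ticket.
CHANGE_LOG = [
    ChangeRecord("calc_tax.py", sha256_hex(DEPLOYED["calc_tax.py"]), approved=True),
    ChangeRecord("calc_depr.py", "0" * 64, approved=False),  # rejected change, digest deliberately unrelated
]


def evaluate_program_controls(deployed, baseline, change_log):
    """Classify every deployed program.

    authorized_version           digest equals the tested baseline
    changed_under_change_control digest differs but an approved ticket records exactly this digest
    unauthorized_change          digest differs and no approved ticket explains it
    not_in_baseline              program was never part of the tested control
    """
    approved_digests = {(c.program, c.new_digest) for c in change_log if c.approved}
    findings = {}
    for name, content in sorted(deployed.items()):
        digest = sha256_hex(content)
        if name not in baseline:
            findings[name] = "not_in_baseline"
        elif digest == baseline[name]:
            findings[name] = "authorized_version"
        elif (name, digest) in approved_digests:
            findings[name] = "changed_under_change_control"
        else:
            findings[name] = "unauthorized_change"
    return findings


def needs_retest(findings):
    """Programs for which reliance on the earlier test is no longer supported."""
    return sorted(n for n, f in findings.items() if f != "authorized_version")


if __name__ == "__main__":
    results = evaluate_program_controls(DEPLOYED, BASELINE, CHANGE_LOG)
    for name, finding in results.items():
        print(f"{name}: {finding}")
    print("retest:", needs_retest(results))
```

A change covered by an approved ticket is still listed for retest: the ticket shows the change was controlled, but the control itself has to be shown to work in its new version before reliance on the original test is restored.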

Execution (number of test items per category)

- Configuration Management Testing - 4
- Business logic testing - 8
- Authentication Testing - 4
- Authorization Testing - 4
- Session Management Testing - 3
- Data Validation Testing - 6
- Testing for Denial of Service - 3
- Web Services Testing - 4
