
CA. Rishabh Pugalia | www.iscanotes.com
Chap 3 | Control Objectives | May 2012

CHAP 3 - CONTROL OBJECTIVES [Selected Questions for May-2012]

NEED FOR CONTROL AND AUDIT OF INFORMATION SYSTEMS

Safeguarding assets (including data/information) and maintaining data integrity so as to achieve system effectiveness
and efficiency (eff-eff) is a significant control process.

FACTORS influencing an organization toward “control and audit” of computers and the impact of the
information systems “audit” function on organizations are-

1. Controlled evolution of computer use- unreliable systems can be destructive
2. Costs of computer abuse- destruction of assets
3. High costs of computer error- data error during entry or processing
4. Value of computer hardware, software and personnel- critical resources
5. Incorrect decision making- decisions require accurate data
6. Organisational costs of data loss- data is a critical resource
7. Maintenance of privacy
8. Information systems auditing- attesting objectives
9. Asset safeguarding objectives- information system assets
10. Data integrity objectives- based on value of information
11. System effectiveness objectives- system meets user requirements
12. System efficiency objectives- optimize use of resources

(- Used & Abused Computer creates High Cost Error -> Only then you understand its Value -)
(- Incorrect Decision -> Data & Privacy lost -)
(- IS Auditor -> Safeguards Integrity of Eff-Eff Objectives -)

[Diagram involved]

EFFECT OF COMPUTERS ON INTERNAL CONTROLS

With respect to INTERNAL CONTROLS within an enterprise in a “computerized environment” - the major
“areas of impact” with the “goal of asset safeguarding, data integrity, and system eff.-eff.” are
discussed below-

1. Management supervision and review- Helps deter and detect both errors and fraud
2. Segregation of duties- “Segregation” means that the stages in the processing of a transaction are split
between different people, such that one person cannot process a transaction through from start to
finish. No single person should have knowledge of the interrelationship between the source of data, its
processing, distribution and use of output -> so that no single person can alter transaction data or applications
3. Personnel- Ensure staff are trustworthy and competent, with adequate skills & training
4. Concentration of programs & data- Transaction & master file data + editor programs are available at the same
place
5. Record keeping- protection and storage of documents for audit trails
6. Access to assets and records- the nature and types of control needed for protecting electronic data differ
7. Authorisation procedures- transactions are approved - written evidence / computerised authorisation
controls

(- Mgmt reviews & Segregates duties of Personnel. And asks them to Concentrate on Keep Records, control Access &
authorization -)

Register for online training on Advanced Excel at www.excelnext.in after May-2012 exam 3.1

“INTERNAL CONTROLS” used in an organisation comprise the following 5 interrelated “COMPONENTS”:

1) Control environment- Elements that establish the control context in which accounting systems and control procedures
must operate: how authority and responsibility are assigned, how performance is planned and monitored, etc.
2) Control activities- Elements that concern accounting controls (records, checks, authorization) and administrative
controls (effectiveness and efficiency of objectives)
3) Monitoring- Elements that ensure internal controls operate reliably over time
4) Risk assessment- Elements that identify and analyze the risks
5) Information and communication- Elements that ensure information is identified, captured and exchanged in a
timely and appropriate form to allow personnel to discharge their responsibilities.

(- Congress EN.ACTS 5 laws for Risk Assessment & Monitoring of Info-Communication like FB, Wiki -)

EFFECT OF COMPUTERS ON AUDIT (-Auditor’s headache-)

To cope with new technology (-changes-), the auditor has to be competent to provide an independent evaluation as
to whether business process activities are recorded and reported according to established standards or
criteria. The two basic functions carried out to examine these changes are summarised as follows-

1. CHANGES TO EVIDENCE COLLECTION [audit trail & evidence]

• Data retention & storage- The client’s storage capabilities limit online data retention & its ready
accessibility by auditors. The audit trail may only exist in a machine-readable form that must be translated
first
• Absence of input documents- Transaction data is entered directly without supporting documentation
• Lack of a visible audit trail- Not available, or available only for a short time-period -> “auditing around the computer
system” by seeking other sources of evidence
• Lack of visible output- No printed output record -> directly access “read-only” electronic data
• Audit evidence- Transactions (e.g. depreciation/interest) are generated automatically by the computer. No formal
authorization is required. Hence, they may be ultra vires.
• Legal issues- eTrading & EDI -> e.g. Contracts - legal jurisdiction, time-stamp, law varies across
countries & courts etc.

2. CHANGES TO EVIDENCE EVALUATION [system programming & sources of error]

• System generated transactions- The system’s ability to initiate, approve and record transactions (e.g. EDI,
automated transaction generation systems) -> increases processing efficiency -> However, to audit them,
auditors must review the application’s programming for authorisation
• Systematic error- Systems are designed to do processing on a consistent (repeating) basis, which is both +ve and -ve
-> Hence, determine the reason for the error

∆ EC > Nothing is Stored: No Input - Trail - Output -> Hence, No Evidence -> Result: Legal issues
∆ EE > System generated transactions give -> Systematic Error

[MICS M08: Discuss various factors that render manual audit method ineffective in Information System audit. – Sol:
Electronic evidence, Terminology, Automated processes, New risks and controls, Reliance on controls]


CATEGORIES of IS Audits- IT audits have been categorized into 5 types ( “An audit to verify that…” ) -

1. Information Processing Facilities (IPF)- … are appropriate, efficient, controlled, secure + eff-eff processing
2. Telecommunications, Intranets, and Extranets- … are controlled, secure
3. Systems Development- … as per standards and meets objectives
4. Systems and Applications- … are appropriate, efficient, controlled, secure + timely IPO
5. Management of IT and Enterprise Architecture- … is proper

STEPS in IT Audit

1. Scoping and pre-audit survey- Determine areas of focus vs. out-of-scope based on risk assessment. Info sources-
web, previous audit reports, interview, observations
2. Planning and preparation- scope is broken into levels of detail -> audit work plan or risk-control-matrix
3. Fieldwork- gathering evidence by interviewing, reviewing documents, observing processes etc.
4. Analysis- via SWOT or PEST (Political, Economic, Social, Technological)
5. Reporting- to management
6. Closure- preparing notes for future audits and following-up

(- Scoping & Planning are FAR from Closure -)


Based on the objective with which controls are designed or implemented, controls can be classified as:

Preventive Controls

…are those inputs which are designed to prevent an error, omission or malicious act from occurring. E.g.
password protection. Characteristics:
• Understanding vulnerabilities of the asset
• Understanding probable threats
• Provision of necessary controls

Examples of preventive controls -
• Employ qualified personnel, Segregation of duties, Training staff, Documentation
• Access control, Passwords, Authorization of transaction, Firewalls, anti-virus software

Controls can be implemented in both manual and computerized environments - the implementation methodology
may differ.

Mix of “Manual & Computerized” Preventive Controls

Scenario: Restrict unauthorized entry into the premises
Manual control: Build a gate and post a security guard.
Computerized control: Use access control software, smart card, biometrics, etc.

Scenario: Restrict unauthorized entry into software applications
Manual control: Keep the computer in a secured location and allow only authorized persons to use the applications.
Computerized control: Use access control, viz. User ID, password, smart card, etc.

Detective Control

Designed to detect errors, omissions or malicious acts that occur and report occurrence. Characteristics:
• Clear understanding of lawful activities & deviation
• Mechanism to refer the reported activities to appropriate person or group
• Surprise checks by supervisor
• Interaction with preventive control

Examples -
• Intrusion detection system
• Hash totals, Duplicate check
• Past reports
• Periodic performance reporting with variances
• Internal audit functions
• Cash counts and bank reconciliation
• Monitoring expenditures against budgeted amount


Corrective Controls:

…are designed to reduce the impact or correct an error once it has been detected. E.g. BCP.
Characteristics:
• Minimize threat impact
• Identify cause of problem, remedy
• Modify processing systems to minimize re-occurrences
• Get feedback from preventive and detective controls

Examples -
• Contingency planning, Backup procedure, Treatment procedures
• Investigate budget variance and report violations

Compensatory Controls:

Controls are basically designed to reduce probability of threats, which can exploit the vulnerabilities of an
asset and cause a loss to that asset. While designing the ‘appropriate’ control — cost of the lock should not
be more than the cost of the assets it protects.

Sometimes organizations may not be able to implement the appropriate controls. In such a scenario, there should
be adequate compensatory measures which, although not as efficient as the appropriate control, can
definitely reduce the probability of threats to the assets. Such measures are called compensatory controls.


“While reviewing a client’s control system, an information system auditor will identify 3
components of internal control.” State and briefly explain these 3 components.

Aim: Business objectives are achieved and undesired risk events are prevented or detected and corrected.
1. Internal accounting controls- Intended to safeguard the client’s assets & ensure reliability of financial records
2. Operational controls- Deal with the day-to-day operations, functions and activities to ensure that operational
activities are contributing to business objectives
3. Administrative controls- Concerned with ensuring efficiency and compliance with management policies, including
the operational controls

Financial Control Techniques

These controls are generally defined as the procedures exercised by the system user personnel over source
(transaction origination) documents before system input.

Control is exercised over transaction processing using reports generated by the computer applications to reflect
un-posted items, item counts, transaction settlement and reconciliation etc.

A few examples are highlighted here:

1) Authorization: Obtaining the authority to access assets such as accounting entries
2) Budgets: Estimates of time or money expected to be spent during a particular period of time, project, or event.
Budgets must be compared with the actual performance -> find differences, resolve
3) Documentation: Includes written or typed explanations of actions taken on specific transactions or instructions that
explain the performance of tasks.
4) Sequentially numbered documents: Working documents with preprinted sequential numbers, which enables the
detection of missing documents.
5) Cancellation of documents: This marks a document in such a way as to prevent its reuse. E.g. invoices with a “paid”
or “processed” stamp
6) Safekeeping: Physically securing assets, such as computer disks, under lock and key, in a desk drawer, file cabinet,
storeroom, or vault.
7) Segregation of duties: - refer ↑ -
8) Dual control: Having 2 people simultaneously access an asset. E.g. depositories of banks’ 24-hour ATMs should be
accessed AND emptied with two people present. Dual control ≠ Dual access. Dual access divides the access function between
two people: once access is achieved, only one person handles the asset.
9) Supervisory review: Review of specific work by a supervisor
10) Input/output verification: Comparing information provided by a computer system to the input documents. This is
an expensive control that tends to be over-recommended by auditors.

(- Authorize Budgets -> Document it, Number it, Cancel it -> Keep it Safe -)
(- Segregate duties -> Dual Control by Supervisor for IO verification -)
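As an added worked example (not part of the notes), three of the techniques above expressed as checks a reviewer could run: a gap scan over sequentially numbered documents, a reuse check standing in for the “paid / processed” cancellation stamp, and a dual-control test that insists on two different people. The invoice numbers and approver names are constructed sample data.

```python
"""Added example (not from the notes): sequentially numbered documents,
cancellation of documents and dual control as small detective checks.
POSTED_INVOICES and the approver names are constructed sample data."""
from collections import Counter

# Constructed register of invoice numbers as posted in one period:
# 1004 and 1007 were never posted, 1006 was posted twice.
POSTED_INVOICES = [1001, 1002, 1003, 1005, 1006, 1006, 1008]


def missing_sequence_numbers(numbers):
    """Sequentially numbered documents: a gap between the lowest and the
    highest number posted points to a document issued but never recorded."""
    present = set(numbers)
    return sorted(n for n in range(min(numbers), max(numbers) + 1) if n not in present)


def reused_document_numbers(numbers):
    """Cancellation of documents: a number that appears more than once means
    a document was processed again instead of being stamped 'paid'."""
    return sorted(n for n, count in Counter(numbers).items() if count > 1)


class CancelledRegister:
    """Preventive form of the same control: once a document number has been
    processed it is marked, and a second posting is refused."""

    def __init__(self):
        self._processed = set()

    def post(self, number: int) -> bool:
        if number in self._processed:
            return False  # reuse refused; the document is already cancelled
        self._processed.add(number)
        return True


def dual_control_ok(approvers) -> bool:
    """Dual control: two different people must be present. Two approvals
    from the same person (in any letter case) do not count."""
    distinct = {a.strip().lower() for a in approvers if a.strip()}
    return len(distinct) >= 2


if __name__ == "__main__":
    print("missing:", missing_sequence_numbers(POSTED_INVOICES))
    print("reused:", reused_document_numbers(POSTED_INVOICES))
```

The gap scan only finds numbers inside the posted range; a run of documents missing from the very end of the sequence has to be caught by comparing against the last number issued, which the register of issued stationery (see storage of forms under output controls) supplies.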


User controls: Error Identification, Correction and Recovery Controls

BOUNDARY CONTROLS- These are primarily access control mechanisms. The user can provide three classes
of input information for the authentication process and gain access control to his required resources.

Class of information / Types of input:
• Personal information- Name, Birth date, A/c No., Password, PIN
• Personal characteristics- Fingerprint, Voice, Hand size, Sign, Retinal pattern
• Personal objects- ID Cards, Badge, Key, Finger Ring

The following 3 key access control mechanisms are used as boundary controls:
• Identification: Name, account number, address, card number
• Authentication: ID and Password, PIN, Finger Prints
• Authorization: Access rights for access of resources

Identification / Authentication / Authorization Process


Boundary control techniques

1. Cryptography- For transforming data into codes that are meaningless to anyone who does not
possess the authentication to access the respective system resource or file.
A cryptographic technique encrypts data (clear text) into cryptograms (cipher text)
and its strength depends on the time and cost to decipher the cipher text by a
cryptanalyst.
The three techniques of cryptography are-
1) Transposition (permute/reverse the order of characters within a set of data).
E.g. day vs. yad
2) Substitution (replace text with a key-text) and
3) Product cipher (combination of transposition and substitution)

2. Passwords- User identification by an authentication mechanism with personal characteristics
like name, birth date, employee code, function, designation or a combination of two
or more of these can be used as a password boundary access control.
Best practices: a minimum password length, no common dictionary words, periodic
change, encryption and a limit on the number of entry attempts.

3. Personal Identification Nos. (PIN)- Similar to a password assigned to a user by an institution based on the user
characteristics and encrypted using a cryptographic algorithm, OR the institute generates a random number
stored in its database independent of the user identification details, or a customer-selected number.
Vulnerable during issuance or delivery, validation, transmission and storage.

4. ID Cards- Used to store information needed for the authentication / user identification process.
Control over application, preparation, issue, use & card return or card termination
phases.
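The three cryptographic techniques listed under Cryptography, as an added example (not from the notes): a reversal transposition (the notes’ “day” vs. “yad”), a keyed-alphabet substitution, and a product cipher that applies substitution then transposition. The key-text “zebra” and the way the substitution alphabet is built from it are assumptions; both are classroom ciphers meant only to show what each transformation does to clear text, which is exactly why their strength, in the notes’ sense of cryptanalyst time and cost, is negligible.

```python
"""Added example (not from the notes): transposition, substitution and a
product cipher as toy classical ciphers. The reversal transposition and the
keyed-alphabet substitution are assumptions chosen for illustration."""
import string

ALPHABET = string.ascii_lowercase


def transpose(text: str) -> str:
    """Transposition: permute the order of characters; here they are reversed.
    Reversal is its own inverse, so the same function also decrypts."""
    return text[::-1]


def build_substitution_table(key_text: str) -> dict:
    """Substitution: derive a replacement alphabet from a key-text. The key's
    letters come first (duplicates dropped), then the rest of the alphabet,
    so 'zebra' yields z e b r a c d f g h ... and maps a->z, b->e, c->b."""
    ordered = []
    for ch in key_text.lower() + ALPHABET:
        if ch in ALPHABET and ch not in ordered:
            ordered.append(ch)
    return dict(zip(ALPHABET, ordered))


def substitute(text: str, key_text: str, decrypt: bool = False) -> str:
    table = build_substitution_table(key_text)
    if decrypt:
        table = {v: k for k, v in table.items()}
    # Characters outside the alphabet (spaces, digits) pass through unchanged
    return "".join(table.get(ch, ch) for ch in text.lower())


def product_encrypt(text: str, key_text: str) -> str:
    """Product cipher: substitution followed by transposition."""
    return transpose(substitute(text, key_text))


def product_decrypt(cipher: str, key_text: str) -> str:
    """Undo the product cipher by applying the inverses in reverse order."""
    return substitute(transpose(cipher), key_text, decrypt=True)


if __name__ == "__main__":
    print(transpose("day"))                       # yad
    print(substitute("day", "zebra"))             # rzx
    print(product_encrypt("day", "zebra"))        # xzr
    print(product_decrypt("xzr", "zebra"))        # day
```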


INPUT CONTROLS- Input controls ensure that input data is valid, accurate and complete. Data codes like
account number etc. are used for accurate and efficient data entry. Poorly designed data codes & human
intervention in data input cause recording and keying errors.

Types of “data coding errors”-

1) Addition- Addition of an extra character in a code e.g. 54329 coded as 543219
2) Truncation- Omission of characters in the code e.g. 54329 coded as 5439
3) Transcription- Recording wrong characters e.g. 54329 coded as 55329
4) Transposition- Reversing adjacent characters e.g. 54329 coded as 45329
5) Double transposition- Reversing characters separated by one or more characters, i.e., 54329 is entered as
52349. Non-adjacent digits are transposed

RTP Answer:
> Transcription Errors: 1) Addition 2) Truncation 3) Substitution (replacement)
> Transposition Errors: 1) Single Transposition 2) Multiple Transposition

Factors affecting coding errors are as follows:

1. Length of the code: Long codes are prone to errors – they should be broken up using hyphens, slashes or spaces
to reduce coding errors.
2. Alphabetic-numeric mix: The code should provide for grouping of alphabets and numerals separately if
both are used. Intermingling both is error-prone
3. Choice of characters: Certain alphabets such as B, I, O, S could be confused with the numbers 8, 1, 0, 5.
Avoid them.
4. Mixing uppercase/lowercase fonts: Upper case and lower case should NOT be mixed when using
codes since they delay the process of keying in due to usage of the shift key
5. Sequence of characters- Character sequence should be maintained. ABC vs. ACB

Check Digits: are redundant digits that help verify the accuracy of the other characters in the code being checked.
Check digits may be prefixes or suffixes to the actual data. When the code is entered, the program recalculates the
check digit and compares it with the check digit in the code to determine whether the code is correct.
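As an added example (not from the notes), the five coding-error types above recognised from an intended/entered pair, and a check digit computed and re-verified the way the last paragraph describes. The notes do not prescribe a check-digit scheme; the weighted modulus-11 suffix used here is an assumption, chosen because it catches every single transcription and every adjacent transposition in a numeric code.

```python
"""Added example (not from the notes): classify data coding errors by
comparing the code entered with the code intended, and compute/verify a
check digit. Scheme assumption: weighted modulus 11, weights 2,3,4,... from
the right, remainder 10 written as 'X'."""


def classify_coding_error(intended: str, entered: str) -> str:
    """Return the notes' error category for one mis-keyed code."""
    if intended == entered:
        return "none"
    if len(entered) == len(intended) + 1:
        # Addition: dropping one character from the entry restores the code
        for i in range(len(entered)):
            if entered[:i] + entered[i + 1:] == intended:
                return "addition"
    if len(entered) == len(intended) - 1:
        # Truncation: dropping one character from the code gives the entry
        for i in range(len(intended)):
            if intended[:i] + intended[i + 1:] == entered:
                return "truncation"
    if len(entered) == len(intended):
        diff = [i for i, (a, b) in enumerate(zip(intended, entered)) if a != b]
        if len(diff) == 1:
            return "transcription"           # one wrong character
        if len(diff) == 2 and sorted(intended) == sorted(entered):
            i, j = diff
            if entered[i] == intended[j] and entered[j] == intended[i]:
                # Same characters, two swapped: adjacent or not
                return "transposition" if j == i + 1 else "double transposition"
    return "other"


def mod11_check_digit(code: str) -> str:
    """Weighted modulus-11 check digit for a numeric code (assumed scheme)."""
    total = sum(int(d) * w for d, w in zip(reversed(code), range(2, 2 + len(code))))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def with_check_digit(code: str) -> str:
    """Append the check digit as a suffix (the notes allow prefix or suffix)."""
    return code + mod11_check_digit(code)


def verify_check_digit(full_code: str) -> bool:
    """What the entry program does: recalculate the check digit from the data
    part and compare it with the digit the user keyed."""
    body, suffix = full_code[:-1], full_code[-1]
    return body.isdigit() and mod11_check_digit(body) == suffix


if __name__ == "__main__":
    for entered in ("543219", "5439", "55329", "45329", "52349"):
        print(entered, "->", classify_coding_error("54329", entered))
    print(with_check_digit("54329"))   # 543292
```

Note that the classifier works on the code alone; the RTP answer’s grouping (addition, truncation and substitution as transcription errors; single and multiple transposition as transposition errors) can be recovered by mapping the returned labels onto those two families.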


PROCESSING CONTROLS: Data processing controls perform validation checks to identify errors during
processing of data to ensure completeness & accuracy of the data being processed. They are enforced by the DBMS &
the front-end application system.

Data Processing Controls-

Run-to-run totals- To verify data that is subject to processing through different stages. A specific record
(probably the last record) can be used to maintain the control total.
E.g. If the current balance of an invoice ledger is Rs.150,000 and the additional
invoices for the period total Rs.20,000 then the total sales value should be
Rs.170,000.

Reasonableness verification- Two or more fields can be compared & cross-verified to ensure their correctness.
E.g. the statutory % of PF can be calculated on the gross pay amount to verify if the PF
contribution deducted is accurate.

Edit checks- Edit checks, similar to the data validation controls, can also be used at the
processing stage to verify accuracy & completeness of data.

Field initialization- Data overflow can occur if records are constantly added to a table or if fields are
added to a record without initializing it, i.e., setting all values to zero before
inserting the field or record.

Exception reports- Exception reports are generated to identify errors in data processed. Such
exception reports give the transaction code and why the particular transaction was
not processed or what the error in processing the transaction is.

Existence/Recovery controls- The check-point/restart log facility is a short-term backup and recovery control
that enables a system to be recovered if the failure is temporary and localized.
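An added example (not from the notes) running one small batch through four of the controls above: edit checks reject a malformed record, a reasonableness verification recomputes PF from gross pay, the run-to-run total carries the notes’ Rs.150,000 + Rs.20,000 = Rs.170,000 figure, and every rejection lands in an exception report keyed by transaction code. The 12% PF rate, the field rules and the records themselves are constructed assumptions.

```python
"""Added example (not from the notes): run-to-run totals, reasonableness
verification, edit checks and an exception report over constructed invoice
and payroll records. PF_RATE and the validation rules are assumptions."""

OPENING_LEDGER_BALANCE = 150_000   # opening balance from the notes' example
PF_RATE = 0.12                     # assumed statutory PF percentage of gross

# Constructed sample batch: one invoice fails an edit check, one payroll
# record has a PF deduction that does not agree with its gross pay.
INVOICES = [
    {"code": "INV001", "customer": "C100", "amount": 12_000},
    {"code": "INV002", "customer": "C101", "amount": 8_000},
    {"code": "INV003", "customer": "", "amount": 5_000},
]
PAYROLL = [
    {"code": "EMP01", "gross": 50_000, "pf_deducted": 6_000},
    {"code": "EMP02", "gross": 40_000, "pf_deducted": 3_000},
]


def edit_check(invoice: dict):
    """Edit check at the processing stage: return the rejection reason, or
    None when the record passes."""
    if not invoice["customer"]:
        return "missing customer code"
    if invoice["amount"] <= 0:
        return "amount must be positive"
    return None


def pf_reasonable(record: dict, tolerance: float = 0.01) -> bool:
    """Reasonableness verification: recompute PF from gross pay and compare
    with the amount actually deducted (1% tolerance for rounding)."""
    expected = record["gross"] * PF_RATE
    return abs(record["pf_deducted"] - expected) <= tolerance * expected


def run_batch(invoices, payroll, opening_balance):
    """Process the batch, carrying a run-to-run total and collecting an
    exception report of (transaction code, reason) pairs."""
    exceptions = []
    posted_total = 0
    for inv in invoices:
        reason = edit_check(inv)
        if reason:
            exceptions.append((inv["code"], reason))
            continue                      # rejected records never reach the total
        posted_total += inv["amount"]
    pf_pct = int(round(PF_RATE * 100))
    for rec in payroll:
        if not pf_reasonable(rec):
            exceptions.append((rec["code"], "PF deducted not %d%% of gross" % pf_pct))
    # Run-to-run control total: closing = opening + items accepted this run
    closing_balance = opening_balance + posted_total
    return {"closing_balance": closing_balance,
            "posted_total": posted_total,
            "exceptions": exceptions}


def run_to_run_ok(opening: int, batch_total: int, closing: int) -> bool:
    """The check the next run makes on the control record it was handed."""
    return opening + batch_total == closing


if __name__ == "__main__":
    result = run_batch(INVOICES, PAYROLL, OPENING_LEDGER_BALANCE)
    print("closing balance:", result["closing_balance"])   # 170000
    for code, reason in result["exceptions"]:
        print("EXCEPTION", code, reason)
```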


OUTPUT CONTROLS: ensure that the data delivered to users will be presented, formatted and delivered in
a consistent and secured manner + ensure CIA. Output forms - printed report, database file etc.

1. Storage and logging of sensitive, critical forms- Pre-printed stationery should be stored securely to prevent unauthorized
destruction or removal and usage

2. Logging of output program executions- When programs used for output of data are executed, it should be logged and
monitored to protect confidentiality of data

3. Spooling/Queuing- “Spool” is an acronym for “Simultaneous Peripherals Operations Online”.
A process to ensure the user is able to continue working, even before the print
operation is completed. When a file is to be printed, the OS stores the data stream
to be sent to the printer in a temporary file on the hard disk. This file is then
“spooled” to the printer as soon as the printer is ready to accept the data.
This intermediate storage of output or the queue (list of documents waiting to
be printed on a particular printer) could lead to unauthorized disclosure and/or
modification.

4. Controls over printing- Users must be trained to select the correct printer and access restrictions may be
placed on the workstations that can be used for printing.

5. Report distribution and collection controls- Distribution of reports should be made in a secure way to prevent unauthorized
disclosure of data. It should be made immediately after printing to ensure that
the time gap between generation and distribution is reduced. A log should be
maintained as to what reports were generated and to whom they were distributed.
Where users have to collect reports, the user should be responsible for timely
collection of the report, especially if it is printed in a public area. A log should
be maintained as to what reports were printed and which of them were
collected. Uncollected reports should be stored securely.

6. Retention controls- Retention controls consider the duration for which outputs should be retained
before being destroyed. Retention control requires that a date should be
determined for each output item produced.
Factors affecting the retention period - need for & use of output, legislative
requirements, type of storage medium

7. Existence/Recovery controls- Needed to recover output in the event that it is lost or destroyed. If the output
is written to a spool of files or report files and has been kept, then recovering
and new generation is easy and straightforward.

-Unauthorized disclosure / modification-


DATABASE CONTROLS: Controls that protect the integrity of a database when application software acts as an
interface between user and database are called the update controls and report controls.

Update controls
• Sequence check transaction and master files
• Ensure all records on files are processed
• Process multiple transactions for a single record in the correct order
• Maintain a suspense account

Report controls
• Standing data
• Print run-to-run control totals
• Print suspense account entries
• Existence/Recovery controls

Update controls are:

1) Sequence check transaction and master files- Synchronization and correct sequence of processing between the master file
and transaction file is critical to maintain the integrity of updation, insertion or
deletion of records in the master file with respect to the transaction records

2) Ensure all records on files are processed- While processing, the end-of-file of the transaction file should be mapped with the
end-of-file of the respective master file.

3) Process multiple transactions for a single record in correct order- Multiple transactions can occur based on a single
master record (e.g. dispatch of a product to different centers). Here the order of transaction processing must be
based on sorted transaction codes.

4) Maintain a suspense account- When mapping a master record to a transaction record results in a mismatch due
to failure in the corresponding record entry in the master record, then these
transactions are maintained in a suspense account. A non-zero balance of the
suspense account reflects errors to be corrected.
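The four update controls as one added example (not from the notes): a master-file update that checks the transaction file is in sequence, processes several transactions against one master record in sorted order, parks transactions with no matching master record in a suspense account, and confirms at end-of-file that every transaction record was handled. The account keys, balances and transactions are constructed sample data.

```python
"""Added example (not from the notes): master-file update applying the four
update controls - sequence check, end-of-file check, ordered processing of
multiple transactions per master record, and a suspense account.
MASTER and TRANSACTIONS are constructed sample data."""

# Constructed master file (account -> balance) and transaction file.
# Transactions arrive out of sequence, A100 has two of them, and A999 has
# no master record at all.
MASTER = {"A100": 500, "A200": 1200, "A300": 0}
TRANSACTIONS = [
    {"seq": 3, "account": "A200", "type": "credit", "amount": 300},
    {"seq": 1, "account": "A100", "type": "debit", "amount": 200},
    {"seq": 2, "account": "A100", "type": "credit", "amount": 50},
    {"seq": 4, "account": "A999", "type": "credit", "amount": 75},
]


def sequence_check(transactions) -> bool:
    """Sequence check: the transaction file must be in ascending sequence
    before it is run against the master file."""
    seqs = [t["seq"] for t in transactions]
    return seqs == sorted(seqs)


def update_master(master: dict, transactions):
    """Apply the transactions to a copy of the master file. Multiple
    transactions for one master record are applied in sequence order;
    transactions with no master record go to the suspense account."""
    master = dict(master)
    # Sort by master key, then by sequence, so all transactions for one
    # record are processed together and in the correct order
    ordered = sorted(transactions, key=lambda t: (t["account"], t["seq"]))
    suspense = []
    handled = 0
    for t in ordered:
        handled += 1
        if t["account"] not in master:
            suspense.append(t)            # mismatch held, never silently dropped
            continue
        sign = 1 if t["type"] == "credit" else -1
        master[t["account"]] += sign * t["amount"]
    # End-of-file control: every transaction record must have been handled
    all_processed = handled == len(transactions)
    # A non-zero suspense balance is the signal that errors await correction
    suspense_balance = sum(t["amount"] for t in suspense)
    return {"master": master, "suspense": suspense,
            "suspense_balance": suspense_balance, "all_processed": all_processed}


if __name__ == "__main__":
    print("in sequence:", sequence_check(TRANSACTIONS))   # False
    result = update_master(MASTER, TRANSACTIONS)
    print(result["master"])                                # A100 350, A200 1500
    print("suspense balance:", result["suspense_balance"]) # 75
```

In a real run the sequence check would stop the job before `update_master` is called; here both are exposed separately so the effect of each control can be seen on its own.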

Report controls are:

1) Standing data- Application programs use many internal tables to perform various functions like
pay calculation, interest calculation etc. Maintaining the integrity of these internal
tables is critical as any changes or errors in these tables would have an adverse
effect on the basic functions. Periodic monitoring of these internal tables by
means of manual check or by calculating a control total is mandatory.

2) Print run-to-run control totals- Helps in identifying errors or irregularities like a record dropped erroneously
from a transaction file, wrong sequence of updating or processing errors.

3) Print suspense account entries- Suspense account entries are to be periodically monitored with the respective error
file and action taken on time.

4) Existence / Recovery controls- The back-up and recovery strategies together encompass the controls required to
restore a failed database. Backup strategies are implemented using a prior
version and a log of transactions or changes to the database. Recovery strategies
involve roll-forward (current state database from a previous version) or roll-back
(previous state database from the current version) methods.


Discuss the 3 processes of Access Control Mechanism, when a user requests resources.

The access control mechanism processes the user request for resources in 3 steps.
• Identification: Name, account number, address, card number
• Authentication: ID and Password, PIN, Finger Prints
• Authorization: Access rights for access of resources

The access control mechanisms operate in the “following sequence” (diagram below):
1. Users have to identify themselves, indicating their intent to request usage of system resources
2. Users must authenticate themselves and the mechanism must authenticate itself
3. Users request specific resources, giving need & usage details

The mechanism then accesses:
a) Previously stored information about users
b) Resources they can access
c) Action privileges they have with respect to these resources

The mechanism then verifies this information against the user’s entries & then permits or denies the request

1) & 2) Identification and Authentication: Users identify themselves by providing information such as a name,
account number, finger print, signature etc. -> their entry is matched -> process proceeds
3) Authorization: There are two approaches to implementing the authorization module in an access control
mechanism:
• Ticket oriented: Mechanism assigns users a ticket for each resource they are permitted to access.
Details are stored in rows in matrix form
o (+) run-time efficiency (fast)
• List oriented: Mechanism associates with each resource a list of users who can access the resource and
their action privileges
o (+) efficient administration of capabilities (list-change & control)
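The three-step sequence above, and the boundary controls section earlier, as one added example (not from the notes): identification looks the user up, authentication checks a salted password hash and enforces the notes’ “limit on number of entry attempts”, and authorization is answered from the same access matrix stored both ways, by row as a ticket (capability) list per user and by column as a list per resource. The user names, passwords, resources and the three-attempt lockout are constructed assumptions; PBKDF2-SHA256 is the hash used, a choice not specified by the notes.

```python
"""Added example (not from the notes): identification, authentication and
authorization with both ticket-oriented and list-oriented authorization.
User, resource and password values are constructed; MAX_ATTEMPTS and the
PBKDF2-SHA256 password hashing are assumptions."""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3   # assumed limit on entry attempts before lockout


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControl:
    def __init__(self):
        self._users = {}     # identification -> [salt, hash, failed_attempts]
        self._tickets = {}   # ticket oriented: user -> {resource: {actions}}
        self._acl = {}       # list oriented:   resource -> {user: {actions}}

    def register(self, user: str, password: str):
        salt = os.urandom(16)
        self._users[user] = [salt, _hash(password, salt), 0]

    def grant(self, user: str, resource: str, action: str):
        """One privilege, recorded in both structures: they hold the same
        access matrix, stored by row (tickets) or by column (lists)."""
        self._tickets.setdefault(user, {}).setdefault(resource, set()).add(action)
        self._acl.setdefault(resource, {}).setdefault(user, set()).add(action)

    def authenticate(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False                       # identification failed: unknown user
        salt, stored, failed = rec
        if failed >= MAX_ATTEMPTS:
            return False                       # locked after repeated failures
        if hmac.compare_digest(_hash(password, salt), stored):
            rec[2] = 0                         # success resets the counter
            return True
        rec[2] += 1
        return False

    def authorize_ticket(self, user, resource, action) -> bool:
        """Ticket oriented: look up the user's row, fast at run time."""
        return action in self._tickets.get(user, {}).get(resource, set())

    def authorize_list(self, user, resource, action) -> bool:
        """List oriented: look up the resource's list, easy to administer."""
        return action in self._acl.get(resource, {}).get(user, set())

    def request(self, user, password, resource, action, mode="ticket") -> str:
        """The full sequence: identify, authenticate, then authorize."""
        if not self.authenticate(user, password):
            return "denied: authentication"
        check = self.authorize_ticket if mode == "ticket" else self.authorize_list
        return "permitted" if check(user, resource, action) else "denied: authorization"


if __name__ == "__main__":
    ac = AccessControl()
    ac.register("asha", "correct horse battery")
    ac.grant("asha", "ledger", "read")
    print(ac.request("asha", "correct horse battery", "ledger", "read"))    # permitted
    print(ac.request("asha", "correct horse battery", "ledger", "write"))   # denied: authorization
```

Because both structures are filled from the same `grant` call, the ticket and list checks can never disagree; the trade-off the notes describe is only about which one is cheap to consult (ticket, at run time) and which is cheap to change (list, when a user leaves).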


Service Level Agreements (SLA) - Refer Chap. 5 (IN-OUT AG.)

• Formal agreement between a customer requiring services and the organization that is responsible for
providing those services.
o Service: A set of deliverables that passes between a provider and a consumer.
o Level: Measurement of services agreed upon and delivered and the gap between the two.
o Agreement: Contract between 2 entities—the one providing the service and the recipient
• Not a legal contract in itself,
• States the required performance of the system in terms of its availability to users, response times,
numbers of transactions processed and any other suitable criteria meaningful to the user
• Monitored

An SLA should also define:
• Level of technical support to be provided to users
• Procedures for proposing changes to the system
• Standards of security provision and administration, controls and monitoring of system and network use
• Emergency requirements
• Charges for services
PLUS the following from the Auditor’s side
• Right to audit clause
• Legal compliance requirements
• Monitoring procedures
• Business continuity measures
• Non-disclosure requirements
• Insurance requirements

Post-implementation review (PIR) stage

• PIR after a development project is completed - to determine if the anticipated benefits were achieved.
• Jointly done by the project development team, end users and an independent group
• Objectives:
Business objectives- within budget and deadline, savings and benefits as expected
User expectations- user friendly, good response time, reliable
Technical requirements- expansion, easy to operate and maintain

What are the issues that should be considered by a system auditor at the post-implementation review
(PIR) stage before preparing the audit report? (-___ = confirm/verify-) [NOT Activities]

1. Interview business users -> assess their satisfaction w.r.t. system use
2. Interview security, operations and maintenance staff
3. Based on the User Requirements Specification -> have the system’s requirements been met? If not, reasons
4. ___ System is being backed up
5. ___ Previous system de-commissioned. If not, reasons
6. Review system problem reports and change proposals to study problems/remedy
7. ___ Adequate internal controls have been built -> documented -> operated correctly. Underlying
system design weaknesses?
8. ___ Adequate SLA has been drawn up & implemented. Areas where failed


9. Review the Business Case and determine whether:
o anticipated benefits have been / are being achieved
o any unplanned (extra) benefits have been identified
o costs are in line with those estimated
o benefits and costs are falling within the anticipated time-frame
10. Review trends, storage use etc.

 Key elements in System Development and Acquisition Control

• Important to have a formal, appropriate, and proven methodology and appropriate controls
• Key elements:

Control Category: System development and acquisition controls
Threats/Risks: System development projects consume excessive resources.
Controls:
• Long-range strategic master plan,
• data processing schedules,
• assignment of each project to a manager and team,
• project development plan,
• project milestones,
• performance evaluations,
• system performance measurements.

 Briefly explain the formal change management policies and procedures to have control over system and program changes

• Important to have a formal, appropriate, and proven methodology and appropriate controls
• Key elements:

Control Category: Change management controls
Threats/Risks: Systems development projects consume excessive resources; unauthorised systems changes.
Controls:
• Change management control policies and procedures,
• periodic review of all systems for needed changes,
• standardized format for changes,
• log and review change requests,
• assess impact of changes on system reliability,
• categorise and rank all changes,
• procedures to handle urgent matters,
• communicate changes to management and users,
• management approval of changes,
• assign specific responsibilities while maintaining adequate segregation of duties etc.


  What do you understand by classification of information? Explain different classifications of information.

Classification assigns a level of sensitivity to information  indicates the degree of protection needed + the indicative value of the asset.

Top Secret
• Highly sensitive internal information. Security level = highest possible.
• Very restricted distribution; must be protected at all times, otherwise serious damage results.
• E.g. pending mergers or acquisitions; investment strategies; plans or designs

Highly Confidential
• Information critical to the organization's ongoing operations. Security level = very high.
• X to be copied / removed from the organization's operational control without specific authority; otherwise it would seriously impede the organization's operations.
• E.g. accounting information, sensitive customer information of banks, patients' medical records

Proprietary
• Information of a proprietary nature: procedures, operational work routines, project plans, designs & specifications. Security level = high.
• Authorized personnel only

Internal Use Only
• Information not approved for general circulation outside the organization, where its loss would inconvenience the organization/management. Security level = controlled but normal.
• Disclosure unlikely to result in financial loss or serious damage to credibility.
• E.g. internal memos, minutes of meetings, internal project reports

Public Documents
• Information in the public domain (annual reports, press statements etc.) which has been approved for public use. Security level = minimal

(- Even Top High-Court Professor Uses Public toilet-)


 Explain the term “Cryptosystems”. Briefly discuss Data Encryption Standard. 

A cryptosystem is the suite of algorithms needed to implement a particular form of encryption & decryption. It consists of the following 3 algorithms:
• Key Generation Algorithm
• Encryption Algorithm
• Decryption Algorithm
The pair of Encryption & Decryption algorithms is referred to as the Cipher.

Data Encryption Standard (DES):

• It is a cipher: a mathematical algorithm for encrypting and decrypting binary coded information.
• Encrypting data converts it to an unintelligible form called ciphertext. Decrypting the ciphertext converts the data back to its original form, called plaintext. Encryption and decryption are done using a binary number called a key.
• A key consists of 64 binary digits (bits): 56 bits are used for encryption/decryption & 8 bits are parity bits (one per byte) used for error detection. DES is a symmetric cipher, so an authorized user must have the same key that was used to encipher the data in order to decrypt it. Using a different key  the resulting ciphertext is different. The encryption & decryption processes are depicted in a diagram. [Diagram involved]
• Caveat: the 56-bit key space (2^56 ≈ 7.2 × 10^16 keys) is brute-forceable with modern hardware; NIST withdrew DES as a standard in 2005, and AES (or Triple DES for legacy systems) is used in its place.

Some documentation distinguishes DES from its algorithm and refers to the algorithm as DEA (Data Encryption Algorithm).
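The key layout described above (56 key bits + 8 parity bits), as an added example that is not part of the original notes. It implements only the key-generation and key-checking part of the cryptosystem, not the DES cipher itself: per FIPS 46 the low-order bit of each key byte is set so that the byte has odd parity, which is what lets an implementation detect a corrupted key. The weak-key list is the four well-known DES weak keys; the function names are this example's own.

```python
"""Added example: DES key generation and key checking (56 key bits + 8 parity bits).

Not from the original notes; it does not implement the DES cipher, only the
key-handling part of the cryptosystem. Per FIPS 46 the low-order bit of every
key byte is a parity bit chosen so that each byte has odd parity.
"""
import secrets

DES_KEY_BYTES = 8
PARITY_BITS = 8                                          # one per byte
EFFECTIVE_KEY_BITS = DES_KEY_BYTES * 8 - PARITY_BITS     # 56: what an attacker must guess

# The four DES weak keys: encrypting twice with one of them returns the plaintext,
# so a key generator should reject them. (All four already carry correct parity.)
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"),
    bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def set_odd_parity(key: bytes) -> bytes:
    """Return the 8-byte key with bit 0 of each byte adjusted so every byte has odd parity."""
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    out = bytearray()
    for b in key:
        key_bits = b & 0xFE                       # the 7 bits that carry key material
        ones = bin(key_bits).count("1")
        parity_bit = 0 if ones % 2 == 1 else 1    # make the byte's total bit count odd
        out.append(key_bits | parity_bit)
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return len(key) == DES_KEY_BYTES and all(bin(b).count("1") % 2 == 1 for b in key)


def is_weak_key(key: bytes) -> bool:
    return key in DES_WEAK_KEYS


def generate_des_key() -> bytes:
    """Key generation algorithm: 64 random bits, parity bits fixed up, weak keys rejected."""
    while True:
        key = set_odd_parity(secrets.token_bytes(DES_KEY_BYTES))
        if not is_weak_key(key):
            return key


def flip_bit(key: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a single-bit corruption of a stored or transmitted key."""
    out = bytearray(key)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def check_key(key: bytes) -> str:
    """The checks an implementation runs before using a key: length, parity, weak-key list."""
    if len(key) != DES_KEY_BYTES:
        return "bad-length"
    if not has_odd_parity(key):
        return "parity-error"      # any single-bit corruption is caught here
    if is_weak_key(key):
        return "weak-key"
    return "ok"


def brute_force_work_factor() -> int:
    """Number of keys an exhaustive search must try: the parity bits add nothing."""
    return 2 ** EFFECTIVE_KEY_BITS


if __name__ == "__main__":
    k = generate_des_key()
    print("key:", k.hex(), "status:", check_key(k))
    print("after one flipped bit:", check_key(flip_bit(k, 3, 6)))
    print("exhaustive search size:", brute_force_work_factor())
```

The parity bits only catch accidental corruption; they give no protection against a wrong or guessed key, and the 2^56 work factor is why the caveat above applies.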

 Public Key Infrastructure (PKI)

• Key pair = public key + private key


• Digital Signature, Certifying Authority


 Types of Intrusion Detection Systems (IDS)

1. Network-based systems: placed on the network to examine network traffic
2. Host-based systems: run on the host system to examine its activity
3. A newer type that resides in the OS kernel

 When utilizing PKI policies & controls, financial institutions need to consider the following:

• Defining methods of initial identity verification and controls for issuing digital certificates and key pairs
• Defining the certificate validity period and the conditions for certificate revocation
• Updating the certificate database (including revocation status)
• Protecting the CA root key
• Regular independent audits
• Secure audit log, exception reports
• Compliance with widely accepted PKI standards

 Discuss anti-virus software and its types. (- the ArMy HoSpital ICU has a Scanner -)

A program used to detect viruses and prevent further spread and harm. 3 types:

1. Active Monitors and Heuristic Scanners: Look for critical interrupt calls & OS functions that resemble virus action.

2. Integrity Checkers: Can detect any unauthorized changes to files on the system. They “take stock” of all files stored & compute a binary check value called the Cyclic Redundancy Check (CRC) for each. When a program is called for execution, the software computes the CRC again and compares it with the value stored on disk. Caveat: a CRC detects accidental corruption, but an attacker who knows the stored value can alter a file and still make its CRC match, so modern integrity checkers use a cryptographic hash (e.g. SHA-256) and keep the baseline where the attacker cannot rewrite it.

3. Scanners: Scan for a sequence of bits called virus signatures that are characteristic of virus code. They check memory, disk boot sectors, executables and system files for matching bit patterns. The signature database must be updated frequently.
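The integrity-checker procedure described above, as an added example that is not code from the original notes: it takes stock of a directory tree, then re-checks it and reports modified, added and removed files. It records both the CRC-32 the notes mention and a SHA-256 digest, for the reason given in the caveat. The directory layout and file contents are constructed in a temporary directory for the demonstration; the function names are this example's own.

```python
"""Added example: a file integrity checker (take stock, then re-check).

Not from the original notes. Stores CRC-32 as the notes describe and a SHA-256
digest alongside it; the sample files are constructed in a temp directory.
"""
import hashlib
import os
import tempfile
import zlib


def file_crc32(path: str) -> int:
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_stock(root: str) -> dict:
    """Baseline: relative path -> check data, for every file under root.
    In production the baseline lives on read-only or offline media, otherwise an
    attacker who changes a file simply updates the stored values too."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"crc32": file_crc32(full), "sha256": file_sha256(full)}
    return baseline


def check_stock(root: str, baseline: dict) -> dict:
    """Recompute the check data and compare with the baseline (the check made before a program runs)."""
    current = take_stock(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def run_demo() -> dict:
    """Constructed scenario: baseline, then a tampered binary, a dropped file and a deleted config."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app", b"\x7fELF original program image")
        _write(root, "etc/app.conf", b"debug=false\n")
        baseline = take_stock(root)

        _write(root, "bin/app", b"\x7fELF original program image" + b" + injected payload")
        _write(root, "bin/dropper", b"new unexpected executable")
        os.remove(os.path.join(root, "etc", "app.conf"))
        return check_stock(root, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9}: {paths}")
```

A real deployment schedules the re-check and signs or write-protects the baseline; the comparison logic stays the same.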

 Describe any 3 ways in which a hacker can hack the system (- Ping on the Net & transfer an mp3 File -)

NetBIOS: The worst kind, since it doesn't require any hidden backdoor program running on the PC. It exploits a weakness in Windows 9x. NetBIOS is meant to be used on a LAN, so that machines on the network can share information. Unfortunately, NetBIOS can also be reached across the Internet (its session service listens on TCP port 139), so a hacker can access the machine remotely. Practical control: block NetBIOS ports (TCP/UDP 137-139) at the perimeter firewall.

ICMP ‘Ping’ (Internet Control Message Protocol): ICMP is one of the main protocols that make the Internet work. ‘Ping’ (echo request) is one of the messages that can be sent to a computer using ICMP. Ordinarily, a computer responds to the ping, telling the sender that the computer exists.
A large number of pings can constitute a Denial-of-Service (DoS) attack, which overloads the computer. Hackers also use pings to find out whether a computer exists and whether it is behind a firewall (firewalls can block pings). If a computer responds to a ping, the hacker can launch a more serious attack against it.

FTP (File Transfer Protocol): FTP is a standard Internet protocol used for file downloads/uploads. FTP normally requires some form of authentication for access to private files or for writing to files. FTP backdoor programs (Doly Trojan, Fore, and Blade Runner) simply turn the computer into an FTP server without any authentication.
Others: RPC statd, HTTP
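The ICMP behaviour described above, from the defender's side, as an added detection example that is not part of the original notes: it counts echo requests per source over constructed, synthetic log lines (the line format is this example's own, not any product's) and flags a ping flood (many requests at one host within a second, the DoS case) and a ping sweep (one source probing many hosts to see which exist). Thresholds are assumptions for the demonstration.

```python
"""Added example: ping-flood and ping-sweep detection over constructed ICMP log lines.

Not from the original notes. The log format, addresses (RFC 5737 ranges) and
thresholds are this example's own assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> ICMP echo-request <src> -> <dst>"
LOG_RE = re.compile(r"^(\S+) ICMP echo-request (\S+) -> (\S+)$")


def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None                      # not an echo request; ignore
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect(lines, flood_threshold=50, window=timedelta(seconds=1), sweep_threshold=10):
    """Return sorted (alert type, source, measure) tuples.

    flood: >= flood_threshold echo requests from one source inside any `window`.
    sweep: one source sending echo requests to >= sweep_threshold distinct hosts.
    """
    by_src = defaultdict(list)           # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst = rec
            by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        # Sliding window: largest number of requests that fall inside one window.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= flood_threshold:
            alerts.append(("ping-flood", src, peak))
        targets = {dst for _, dst in events}
        if len(targets) >= sweep_threshold:
            alerts.append(("ping-sweep", src, len(targets)))
    return sorted(alerts)


def constructed_log():
    """Synthetic traffic: a benign host, a flooding host and a sweeping host."""
    base = datetime(2012, 5, 14, 10, 0, 0)
    lines = []
    for i in range(3):                   # benign: 3 pings a second apart
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} ICMP echo-request 192.0.2.7 -> 192.0.2.1")
    for i in range(120):                 # flood: 120 requests in 600 ms at one host
        t = base + timedelta(milliseconds=5 * i)
        lines.append(f"{t.isoformat()} ICMP echo-request 203.0.113.9 -> 192.0.2.5")
    for i in range(20):                  # sweep: one request each to 20 hosts, slow
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} ICMP echo-request 198.51.100.4 -> 192.0.2.{10 + i}")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The sweep rule matters because a slow sweep never trips a rate threshold; the two signals need different measures, and a perimeter firewall that drops inbound echo requests stops the response that tells the attacker the host exists.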


 A company is engaged in stock-taking data activities. Whenever an input data error occurs, the entire stock data has to be reprocessed at a cost of Rs. 50,000. The management has decided to introduce a data validation step that would reduce errors from 12% to 0.5% at a cost of Rs. 2,000 per stock-taking period. The time taken for validation causes an additional cost of Rs. 200. (i) Evaluate the percentage cost-benefit effectiveness of the decision taken by the management and (ii) suggest preventive control measures to avoid errors for improvement.

(i)
S. No. | Particulars | Without validation procedure | With validation procedure
1 | Cost of reprocessing the stock data | Rs. 50,000 | Rs. 50,000
2 | Risk of data errors | 12% | 0.50%
3 | Expected reprocessing cost (1 × 2) | Rs. 6,000 | Rs. 250
4 | Cost of validation procedure | Nil | Rs. 2,000
5 | Cost of delay due to validation | Nil | Rs. 200
6 | Total cost involved | Rs. 56,000 | Rs. 52,450
7 | Net expected benefit (56,000 – 52,450) | | Rs. 3,550
  | as % of total cost without validation (3,550 / 56,000) | | 6.34%

(ii) Preventive Control Measures (Refer next pages)

  Firewalls

A collection of components (computers, routers, software) that mediate access / act as an access control
point for traffic between security domains. All traffic between security domains must pass through firewall.
Help inspect & block traffic & coordinate activities with network intrusion detection systems (IDSs)

How Firewalls work? Firewalls block or allow traffic based on rules (static or dynamic) configured by the
administrator.
• A static rule set is an unchanging statement to be applied to packet header, such as blocking all
incoming traffic with certain source addresses.
• A dynamic rule set often is the result of coordinating a firewall and an IDS.
When firewalls fail, they typically should fail closed, blocking all traffic, rather than failing open and
allowing all traffic to pass.

Selection of firewall type is dependent on many characteristics of the security zone


• Amount of traffic
• Sensitivity of the systems and data, and applications
• Ease of firewall administration
• Degree of firewall monitoring support through automated logging and log analysis
• Capability to provide alerts for abnormal activity


  Describe various types of firewalls in brief. They are 4 primary firewall types from which to
choose:
1. Packet Filtering
2. Stateful Inspection
3. Proxy Servers
4. Application-Level Firewalls.

(- In a State-sponsored Proxy war a Packet-Filter bomb is Applied  a Firewall helps protect against that -)

Packet Filtering

• Evaluate headers of each incoming / outgoing packet to ensure it has a valid internal address,
originates from a permitted external address, connects to an authorized protocol or service, and
contains valid basic header instructions.
• If packet does not match pre-defined policy for allowed traffic, then firewall drops the packet. (-no
match, no catch -)
• X analyze the packet contents beyond header information. Many routers contain access control lists
(ACLs) that allow for packet-filtering capabilities

Weaknesses:
• Easy to mis-configure, which allows traffic to pass that should be blocked
• Vulnerable to attacks that take advantage of vulnerabilities in network protocols.
• Limited Logging functionality
• Unable to prevent attacks that exploit application-specific vulnerabilities because packet filter does
not examine packet contents
• X support advanced user authentication schemes

Applicability:
• Offers less security, but faster performance than application-level firewalls
• Appropriate in high-speed environments where logging and user authentication with network resources are not as important.
• Useful in enforcing security zones at the network level.
• Commonly used in small office/home office (SOHO) systems and default OS firewalls
• Should be complemented by additional firewall components that include application-level screening

Stateful Inspection Firewalls

• Packet filters that monitor the state of the TCP connection.

• Each TCP session starts with an initial “handshake” communicated through TCP flags in the header
information  Connection established  firewall adds connection information to a table.
• Firewall can then compare future packets to the connection or state table. This essentially verifies
that inbound traffic is in response to requests initiated from inside the firewall.
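The difference between the two firewall types above, as an added example that is not code from the original notes: a toy packet filter and a toy stateful inspection filter are run over the same four constructed packets. The stateless filter uses the common shortcut of admitting any inbound TCP segment with the ACK bit set as a “reply”; the stateful filter admits inbound traffic only when it matches a connection recorded from an outbound SYN. Addresses are from the RFC 5737 documentation ranges, and the rule format, class names and scenario names are this example's own.

```python
"""Added example: stateless packet filtering vs. stateful inspection on the same packets.

Not from the original notes. Rule format and names are this example's own.
Both filters fail closed: a packet that matches nothing is dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = arriving from the untrusted side, "out" = leaving the internal network
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """A rule is a dict of header fields plus 'action'; 'flags_any' matches if any listed flag is set."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "flags_any":
            if not (want & pkt.flags):
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


class PacketFilter:
    """Stateless: each packet is judged on its own header against a static rule set."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule["action"]
        return "drop"                                  # default deny: no match, no catch


class StatefulFilter:
    """Stateful inspection: outbound connection opens (SYN) are recorded in a state table;
    inbound packets are admitted when they belong to a recorded connection."""

    def __init__(self, rules):
        self.static = PacketFilter(rules)
        self.connections = set()                       # (internal ip, internal port, remote ip, remote port, proto)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            verdict = self.static.decide(pkt)
            if verdict == "allow" and "SYN" in pkt.flags:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return verdict
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)   # reverse of the recorded tuple
        if key in self.connections:
            if pkt.flags & {"FIN", "RST"}:
                self.connections.discard(key)          # connection torn down: remove its state
            return "allow"
        return self.static.decide(pkt)                 # no state: only explicit rules can admit it


STATELESS_RULES = [
    {"direction": "out", "proto": "tcp", "action": "allow"},
    # The classic stateless approximation of "replies to our own connections":
    # admit any inbound TCP segment that has ACK set. Anyone can set ACK.
    {"direction": "in", "proto": "tcp", "flags_any": frozenset({"ACK"}), "action": "allow"},
]
STATEFUL_RULES = [
    {"direction": "out", "proto": "tcp", "action": "allow"},
    # No inbound allow rule: inbound TCP is admitted only through the connection table.
]


def run_scenarios() -> dict:
    """Constructed packets; returns scenario -> (stateless verdict, stateful verdict)."""
    stateless, stateful = PacketFilter(STATELESS_RULES), StatefulFilter(STATEFUL_RULES)
    inside, web, attacker = "192.0.2.10", "198.51.100.80", "203.0.113.9"
    scenarios = {
        "outbound SYN to web server": Packet("out", inside, 40000, web, 443, flags=frozenset({"SYN"})),
        "legitimate SYN/ACK reply": Packet("in", web, 443, inside, 40000, flags=frozenset({"SYN", "ACK"})),
        "spoofed ACK probe to port 22": Packet("in", attacker, 4444, inside, 22, flags=frozenset({"ACK"})),
        "unsolicited SYN to port 22": Packet("in", attacker, 4444, inside, 22, flags=frozenset({"SYN"})),
    }
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in scenarios.items()}


if __name__ == "__main__":
    for name, (sl, sf) in run_scenarios().items():
        print(f"{name:32} stateless={sl:5} stateful={sf}")
```

The third scenario is the point: an attacker who sets the ACK bit on a probe (the “ACK scan”) passes the stateless filter but has no entry in the state table, so the stateful filter drops it.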

Proxy Server Firewalls


• Proxy servers act as an intermediary between internal & external IP addresses and block direct
access to the internal network.

• They rewrite packet headers to substitute “IP of the proxy server” for the “IP of the internal machine”
and forward packets to & from the internal and external machines
• Commonly employed behind other firewall devices
• Primary firewall receives all traffic  determines which application is being targeted  directs traffic
to appropriate proxy server
• Common proxy servers are domain name server (DNS), Web server (HTTP), and mail (SMTP) server.

 Frequently cache requests and responses


 They provide another layer of access control by segregating the flow of Internet traffic to support
additional authentication, logging capability, content filtering.
 They may implement anti-virus and anti-spam filtering, disallow connections to potentially malicious
servers, and disallow downloading of files

Application-Level Firewalls

• They perform application-level screening, ( filtering capabilities of packet filter firewalls + additional
validation of the packet content based on the application)
• They capture & compare packets to state information in the connection tables
• It examines each packet after the initial connection is established for specific application  Checks
for commands, protocols, packet length, authorization, content, or invalid headers
• Strongest level of security, but are slower and require greater expertise to administer properly


 Do a comparative analysis on the different types of firewalls that mediate the access
between different domains. 


PHYSICAL ACCESS CONTROLS

Designed to protect the organization from unauthorized access or to prevent illegal entry.

 Common access control techniques

Locks on Doors 

Cipher locks (Combination Door Locks)
• Push-button panel mounted near the outside of the door  numbered buttons  enter a 4-digit number sequence  door unlocks for some time
• Used in low-security situations or when a large number of entrances & exits must be usable all the time. More sophisticated and expensive versions use the person's handprint

Bolting Door Locks
• Special metal key for access

Electronic Door Locks
• A magnetic or embedded chip-based plastic card key or token is entered into a sensor reader to gain access
• (+) Special internal code  identifies the correct individual
• (+) An individual's access can be custom restricted (time, doors)
• (+) Duplication risk reduced 
• (+) Can be easily deactivated

Biometric Door Locks
• Extremely secure: an individual's unique body features, such as voice, retina, fingerprint or signature, activate these locks.
• Used in extremely sensitive facilities. E.g. Military

Physical identification medium

Personal Identification Numbers (PIN)
• A secret number assigned to the individual
• Insert a card + enter the PIN via a PIN keypad for authentication

Plastic Cards: Used for identification purposes

Cryptographic Control: <Refer earlier details> Transformation of data into meaningless codes

Identification Badges: Special identification badges using colour codes, photo

Logging on utilities

Manual Logging: Sign a visitor's log with details, along with a valid and acceptable identification
Electronic Logging: Combination of electronic and biometric security systems.

Other means of controlling Physical Access

Video Cameras: Placed at specific locations and monitored by guards. Recordings retained
Security Guards: Guards from an external agency
Controlled Visitor Access: An employee should escort all visitors
Bonded Personnel: All service contract personnel, such as cleaning staff etc., should be asked to sign a bond
Dead man Doors 
• A pair of doors – the 1st entry door must close and lock before the 2nd door will operate, with only one person permitted in the holding area.
• Only 1 person is permitted at a given point of time  reduces the risk of piggybacking, where an unauthorized person follows an authorized person through a secured entry
Non-exposure of Sensitive Facilities: No explicit indication, such as windows or directional signs, hinting at the presence of facilities such as computer rooms. (- No extra show-off -)
Computer Terminal Locks: The device on the desk cannot be turned on or disengaged by unauthorized persons
Controlled Single Entry Point: All incoming personnel use a controlled single entry point. The remaining entry points are deadlocked
Alarm System: Linking the alarm system to inactive entry points, motion detectors and the reverse flow of enter-only or exit-only doors, so as to detect illegal entry
Perimeter Fencing: Fencing at the boundary of the facility
Control of out-of-hours of employee: Control over employees who are out of office for a longer duration during office hours
Secured Report / Document Distribution Cart: Mail carts must be covered and locked and should always be attended.

Accounting Audit Trail

• Records the source and nature of all changes to the database, so that the time series of events can be recreated
• Covers action privileges, log-on attempts, resources used, time etc.


ENVIRONMENTAL CONTROLS

 “From the perspective of environmental exposures and controls, information systems resources may
be categorized as follows, with the focus primarily on facilities which house”:
• Hardware & Media
• Information Systems Supporting Infrastructure or Facilities
• Documentation
• Supplies
• People

 “Environmental Issues and Exposures” include both natural and man-made exposures. E.g. fire, power failure etc.

 Controls for Environmental Exposures


1. Strategically Locating the Computer Room
2. Fireproof Walls, Floors and Ceilings surrounding the Computer Room
3. Fire Resistant Office Materials

4. Manual Fire Alarms


5. Smoke Detectors
6.  Fire Suppression Sys./techniques: 1) Dry-Pipe sprinkling systems 2) Water-based systems 3) Halon gas
7. Hand-Held Fire Extinguishers
8. Regular Inspection by Fire Department

9. Water Detectors

10. Wiring Placed in Electrical Panels and Conduit


11. Electrical Surge Protectors
12. Emergency Power-Off Switch
13. Uninterruptible Power Supply (UPS) / Generator
14. Power Leads from Two Substations

15. Prohibitions Against Eating, Drinking and Smoking within the IPF
16. Documented & Tested Emergency Evacuation Plans

 Audit and Evaluation techniques for Environmental Controls (-verify/check-)


-same pts. As above -

 Discuss the ROLE of the IS auditor with respect to “Environmental controls”. Critical audit considerations that an IS auditor should take into account while conducting the audit:
Audit planning and assessment – as part of risk assessment:
• The risk profile should include the different kinds of environmental risks (natural & man-made)  review & update
• Review the security policy, administrative procedures, building and wiring plans, IPF
• Interview personnel for awareness, roles
• Confirm that control safeguards are in place
Audit of technical controls – conduct physical inspections & observe practices. Verify:
• IPF, construction material
• Water & smoke detectors, power supply arrangements (back-up power), fire-fighting equipment
• AC, heaters etc.
• Emergency procedures, evacuation plans – mock drills
• Documents for compliance
• Complaint logs and maintenance logs

* Information Systems Processing Facility (IPF)


Role of IS Auditor in Physical Access Controls

Auditing physical access requires the auditor to review the physical access risk and controls to form an
opinion on the effectiveness of the physical access controls. This involves the following:

1. Risk assessment: Covers periodic and timely assessment of all assets, physical access threats,
vulnerabilities of safeguards and exposure there from
2. Controls assessment: Physical access controls are in place and adequate to protect the IS assets
3. Planning for review of physical access controls: Examination of relevant documentation
4. Testing of controls: Tour of facilities, Physical inventory, Interviewing, physical access logs and reports

Role of an IS auditor in evaluating Logical access controls

• Reviewing the relevant documents pertaining to logical facilities and risk assessment and evaluation
techniques and understanding the security risks facing the information processing system.
• The potential access paths into the system must be evaluated by the auditor and documented to assess
their sufficiency.
• Deficiencies or redundancies must be identified and evaluated.
• By applying appropriate audit techniques, the auditor must be in a position to test the controls over access paths and verify that they function effectively.
• The auditor has to evaluate the access control mechanism, analyze the test results and other audit evidence, and verify whether the control objectives have been achieved.
• The auditor should compare security policies and practices of other organizations with the policies of
their organization and assess its adequacy.

Role of Auditor in Environmental Controls

The IS auditor should satisfy not only the effectiveness of various technical controls but that the overall
controls assure safeguarding the business against environmental risks

Audit Planning and Risk Assessment

• Environmental risks- natural and man-made threats


• Organization security policy & procedures
• Building plans and wiring plans
• Employees’ awareness
• Controls safeguard are in place
• Administrative procedures

Audit of Technical Controls (Conduct physical inspections & observe practices)

• IPF and construction material


• Environmental control equipment such as air-conditioning, dehumidifiers
• Water and smoke detectors, power supply arrangements- UPS
• Fire extinguishers, fire-fighting equipment
• Emergency procedures, evacuation plans and fire exits

• Documents for compliance with legal and regulatory requirements
• Complaint logs and maintenance logs


Role of IS Auditor w.r.t. Quality Control Systems

General questions:

1. Does the system design follow a defined and acceptable standard?


2. Are completed designs discussed and agreed with the users?

3. Do the project's quality assurance procedures ensure that project documentation is reviewed against the organization's technical standards and policies, and the User Requirements Specification?
4. Do quality reviews follow a defined and acceptable standard?

5. Are quality reviews carried out under the direction of a technically competent person who is
managerially independent from the design team;
6. Are auditors/security staffs invited to comment on the internal control aspects of system designs and
development specifications?

7. Are statistics of defects uncovered during quality reviews and other forms of quality control maintained
and analyzed for trends? Is the outcome of trend analysis fed back into the project to improve the
quality of other deliverables?
8. Are defects uncovered during quality reviews always corrected?

9. Has a System Installation Plan been developed and quality reviewed?


10. Have all system resources (hardware, software, documentation) that have passed quality review been placed under change control management and version control?
11. Has a Training Plan been developed and quality reviewed? Have sufficient time and resources been allocated to its delivery?


QB 39 - 11

Cost effectiveness of controls:


“Implementing and operating controls in a system involves the following 5 costs”-

1) Initial setup cost- to design and implement


2) Executing cost- for execution of a control
3) Maintenance costs- ensuring the correct working
4) Failure cost- undetected or uncorrected errors cause losses
5) Correction costs- correction of error or irregularity

(- If the Initial Setting-up is properly Executed + Maintained, there is no question of Failure and no need for Correction -)

Case Study (determining Cost-Benefit effectiveness): At one MNC, data errors occasionally required the entire
payroll to be reprocessed, at a cost of Rs. 10,000. Management determined that a data validation step would reduce error
risk from 15% to 1%, at a cost of Rs.600 per pay period. The cost-benefit analysis that management used to determine if
the validation step should be employed is shown:

If the proposed payroll validation procedure is not utilised, then the expected loss to the company is Rs.1,500. Because the
expected loss with the validation step is Rs.100, the control provides an expected benefit of Rs.1,400. After deducting the
control costs of Rs.600, the validation step provides a net benefit of Rs.800 and clearly should be implemented.
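The expected-loss arithmetic behind this payroll case study and the stock-taking question earlier in this chapter, as an added example that is not part of the original notes. It maps the five cost heads onto the inputs: setup, executing and maintenance costs are the cost of running the control (the delay cost is an executing cost), and the failure cost is the expected loss from undetected errors. The function names are this example's own.

```python
"""Added example: cost-benefit evaluation of a control using expected loss.

Not from the original notes. Evaluates both worked cases on this page:
stock-taking (Rs. 50,000 reprocessing, 12% -> 0.5%, Rs. 2,000 + Rs. 200 control cost)
and payroll (Rs. 10,000 reprocessing, 15% -> 1%, Rs. 600 control cost).
"""


def expected_loss(loss_per_failure: float, p_failure: float) -> float:
    """Failure cost: what an undetected error costs, weighted by how often it happens."""
    return loss_per_failure * p_failure


def evaluate_control(loss_per_failure, p_without, p_with, control_cost, delay_cost=0.0, base_cost=0.0):
    """Return the comparison the notes tabulate.

    control_cost + delay_cost = setup/executing/maintenance cost of the control per period.
    base_cost is any fixed cost the notes carry in both columns (Rs. 50,000 in the
    stock-taking table); it cancels out of the net benefit but not out of the percentage.
    """
    loss_without = expected_loss(loss_per_failure, p_without)
    loss_with = expected_loss(loss_per_failure, p_with)
    total_without = base_cost + loss_without
    total_with = base_cost + loss_with + control_cost + delay_cost
    net_benefit = total_without - total_with
    return {
        "expected_loss_without": loss_without,
        "expected_loss_with": loss_with,
        "total_without": total_without,
        "total_with": total_with,
        "gross_benefit": loss_without - loss_with,          # loss the control removes
        "net_benefit": net_benefit,                         # ... minus what the control costs
        "net_benefit_pct_of_total_without": 100.0 * net_benefit / total_without,
        "implement": net_benefit > 0,
    }


def breakeven_control_cost(loss_per_failure, p_without, p_with) -> float:
    """The most worth paying for the control per period: the expected loss it removes."""
    return expected_loss(loss_per_failure, p_without - p_with)


def stock_taking_case() -> dict:
    return evaluate_control(50_000, 0.12, 0.005, control_cost=2_000, delay_cost=200, base_cost=50_000)


def payroll_case() -> dict:
    return evaluate_control(10_000, 0.15, 0.01, control_cost=600)


if __name__ == "__main__":
    for name, case in (("stock-taking", stock_taking_case()), ("payroll", payroll_case())):
        print(name, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in case.items()})
    print("stock-taking control is worth up to Rs.", round(breakeven_control_cost(50_000, 0.12, 0.005), 2))
```

The breakeven figure is the practical test: in the stock-taking case the control may cost up to Rs. 5,750 per period before it stops paying for itself, against an actual Rs. 2,200.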


Responsibility of IS Auditor: “SET OF SKILLS” that is generally expected of an IS auditor


include:

• Professional technical qualification and certifications

• Knowledge of business operations, practices and compliance requirements,


• Knowledge of IT strategies, policy and procedure controls
• Knowledge of Professional Standards and best practices of IT controls and security.

• Understanding of information Risks and Controls


• Understanding of technical and manual controls relating to business continuity,

The controls to consider when reviewing the organisation and management controls in an IS
shall include:

• Responsibility: Strategy to have a senior management personnel responsible for the IS


• An official IT structure: A prescribed organisation structure with all staff informed of their roles and responsibilities through written and agreed job descriptions
• An IT steering committee: Comprising of user representatives from all areas of the business, and IT
personnel. Responsible for overall direction of IT

An IS auditor is responsible to evaluate the following when reviewing the adequacy of data
security controls:

• Who is responsible for the accuracy of the data?


• Who is permitted to update data?
• Who is permitted to read and use the data?
• Who is responsible for determining who can read and update the data?
• Who controls security of the data?

• If the IS system is outsourced, what security controls and protection mechanism does the vendor have in
place to secure and protect data?
• Contractually, what penalties or remedies are in place to protect the tangible and intangible values of
the information?
• The disclosure of sensitive information is a serious concern and is mandatory on the auditor’s list of
priorities.


SHORT NOTES:

> Encryption techniques: DES + Private Key + Public key

> Fire Suppression System/techniques:

• Dry-Pipe sprinkling systems (sprinkler systems): These pipes remain dry and upon activation by
electronic fire alarm water is sent through the pipe. (+) Any failure in the pipe will not result in water
leaking into sensitive equipment.

• Water based systems also function similar to the sprinkler systems. Effective but unpopular because
they damage equipment and property.

• Halon systems contain pressurized halon gas that removes oxygen from the air. (+) Halon is inert and does not damage equipment like water does. There should be an audible alarm and a brief delay before discharge to permit personnel time to evacuate the area or to override and disconnect the system. (-) Halon adversely affects the ozone layer; its production has been phased out under the Montreal Protocol, and clean-agent or inert-gas systems are installed in its place.

> Hacking: Act of penetrating computer systems to gain knowledge about the system and how it works.
Technically, a hacker is someone who is enthusiastic about computer programming and all things relating to
the technical workings of a computer.

> Crackers are people who try to gain unauthorized access to computers. Normally done through the use of a
'backdoor' program installed on the machine. A lot of crackers also try to gain access to resources through the
use of password cracking software

> Data diddling involves the change of data before or as they are entered into the system. A limited
technical knowledge is required to data diddle and the worst part with this is that it occurs before computer
security can protect data.

> Bomb is a piece of malicious code deliberately planted by an insider or supplier of a program. A bomb is triggered either by a logical event or by time. The bomb “explodes” when its trigger conditions are fulfilled, causing damage immediately. However, these programs cannot infect other programs. Since they do not circulate by infecting other programs, the chances of a widespread epidemic are relatively slim.
Two types:
• Time Bomb: Name because of mechanism of activation. A physical time bomb explodes at the time
it is set for (unless somebody forces it to explode early), likewise the computer time bomb causes a
perverse activity, such as, disruption of computer system, modifications, or destructions of stored
information etc. on a particular date and time for which it has been developed. The computer clock
initiates it.
• Logic Bomb: They resemble time bombs in their destruction activity. Logic bombs are activated by
combination of events. For example, a code like; “If a file named DELETENOT is deleted then
destroy the memory contents by writing ones.” This code segment, on execution, may cause
destruction of the contents of the memory on deleting a file named DELETENOT. These bombs can
be set to go off at a future time or event.

> Trojan Horse: Malicious programs that are hidden inside an authorized program. Typically, a Trojan horse
is illicit code contained in a legitimate program, and it causes an illegitimate action. The concept of a
Trojan is similar to a bomb, but a computer clock or particular circumstances do not necessarily activate it. A
Trojan may
o Change or steal the password, or
o Modify records in protected files, or
o Allow illicit users to use the system.
Trojan Horses hide in a host and generally do not damage the host program. Trojans cannot copy themselves
to other software on the same or other systems. A Trojan gets activated only if the illicit program is
called explicitly. It can be transferred to another system only if an unsuspecting user copies the Trojan
program. E.g. the "Christmas Card" Trojan.

> Piggybacking: This is the act of following an authorized person through a secured door, or of electronically
attaching to an authorized telecommunication link in order to intercept and alter transmissions. This involves
intercepting communications between the operating system and the user and modifying them or substituting
new messages. A special terminal is tapped into the communication line for this purpose.

> Worms: A worm does not require a host program, as a Trojan does, to relocate itself. Thus a worm program
copies itself to another machine on the network. Since worms are stand-alone programs, they can be
detected easily. Worms can be used to sabotage systems, yet they can also be used to perform some useful tasks.

For example, worms can be used in the installation of a network. A worm can be inserted into a network and we can check
for its presence at each node. A node which does not indicate the presence of the worm for quite some time can be
assumed not to be connected to the network. Examples of worms are the Existential Worm, the Alarm Clock Worm, etc. The Alarm
Clock Worm places wake-up calls on a list of users; it passes through the network to an outgoing terminal. The sole
purpose of the Existential Worm is to remain alive: it does not cause damage to the system, but only copies
itself to several places in a computer network.

> Virus is a program (usually destructive) that attaches itself to a legitimate program to penetrate the OS.
The virus destroys application programs, data files, and operating systems in a number of ways. One common
technique is for the virus to simply replicate itself over and over within the main memory, thus destroying
whatever data or programs are resident. One of the most dangerous aspects of a virus is its ability to spread
throughout the system and to other systems before perpetrating its destructive acts. Typically, a virus will
have a built-in counter that will inhibit its destructive role until the virus has copied itself a specified number
of times to other programs and systems. The virus thus grows geometrically, which makes tracing its origin
extremely difficult.

Virus programs usually attach themselves to the following types of files:

• An .EXE or .COM program file
• The .OVL (overlay) program file
• The boot sector of a disk
• A device driver program

When a virus-infected program is executed, the virus searches the system for uninfected programs and copies
itself into them. In this way the virus spreads to the applications of other users or to the
operating system itself.
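Because a file-infecting virus must change the host program on disk, the standard detective control is a file-integrity baseline: hash every program file, store the hashes, and later compare. The following is an added example written for these notes (it is not code from the notes or from any product); the directory, file names and the ".sys" driver extension are constructed assumptions, and the "infection" is simulated by appending bytes to an .EXE and dropping a new .COM file.

```python
"""Added example (not from the notes): a file-integrity baseline that detects
program files modified or added after the baseline was taken, which is how an
appending virus shows up. All paths and file contents are constructed."""
import hashlib
import os
import tempfile

# Extensions the notes list as typical virus hosts; ".sys" stands in for
# "device driver program" and is an assumption for illustration.
MONITORED_EXT = {".exe", ".com", ".ovl", ".sys"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map relative path -> (size, sha256) for every monitored file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in MONITORED_EXT:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                baseline[rel] = (os.path.getsize(full), sha256_file(full))
    return baseline


def compare(baseline, current):
    """Classify differences between two baselines: modified (hash changed),
    added (new monitored file) and removed. A program that grew and whose
    hash changed is the classic signature of an appending infector."""
    modified = sorted(p for p in baseline if p in current and baseline[p][1] != current[p][1])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Build a constructed directory, baseline it, simulate an infection, re-check."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("app.exe", b"MZ-app"), ("util.com", b"COM-util"), ("notes.txt", b"text")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        base = take_baseline(root)
        # Simulated infection: code appended to app.exe and a new .COM dropped.
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"<<appended code>>")
        with open(os.path.join(root, "dropper.com"), "wb") as f:
            f.write(b"COM-new")
        return compare(base, take_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where an infected program cannot rewrite it (read-only media or a separate host), otherwise the control only reports what the attacker lets it see.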

> Check Digits: are redundant digits that help verify the accuracy of the other characters in the code being
checked. When the code is entered, the program recalculates the check digit and compares it with the check digit
in the code to verify that the code is correct. Check digits may be prefixes or suffixes to the actual data.
e.g. MasterCard has 16 digits with 51-55 as prefix.
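The recalculate-and-compare step above is worth seeing in code. Payment card numbers use the Luhn (mod-10) scheme, in which the last digit is a suffix check digit. The example below is added for these notes (it is not the notes' own code); the card numbers in it are constructed test values, and the 16-digit / 51-55 prefix rule is applied exactly as the notes state it.

```python
"""Added example (not from the notes): Luhn check-digit computation and
verification as an input control, plus the length/prefix format rule the
notes give for MasterCard. Card numbers used here are constructed."""


def luhn_check_digit(payload):
    """Compute the suffix check digit for a string of digits (payload only)."""
    total = 0
    # Walk from the rightmost payload digit; double every second digit starting
    # with that one, folding two-digit products back to one digit (d - 9).
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """Recalculate and compare: True when the trailing check digit matches.
    Non-digit characters (spaces, dashes typed by a user) are ignored."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == digits[-1]


def looks_like_mastercard(number):
    """Format rule as stated in the notes: 16 digits, prefix 51-55."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return len(digits) == 16 and digits[:2].isdigit() and 51 <= int(digits[:2]) <= 55


def validate_card_entry(number):
    """Classify an entered number for an input control:
    'ok', 'bad-format' (length/prefix) or 'bad-check-digit'."""
    if not looks_like_mastercard(number):
        return "bad-format"
    if not luhn_valid(number):
        return "bad-check-digit"
    return "ok"


if __name__ == "__main__":
    # Constructed values: a valid number, a single-digit error, a transposition.
    for n in ("5412 3456 7890 1232", "5412345678901233", "4512345678901232"):
        print(n, validate_card_entry(n))
```

Luhn catches every single-digit error and every transposition of adjacent digits except 09/90; it is a data-entry control, not a secrecy or authenticity control, so a number that passes is well-formed, not necessarily genuine.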

> Unauthorised Intrusion: The intruder may physically enter the installation to steal assets or carry out
sabotage. Alternatively, the intruder may eavesdrop on the installation by wire-tapping, installing an
electronic bug or using a receiver that picks up electro-magnetic signals. [3.80]

> Biometric Devices: The ultimate in user authentication procedures is the use of biometric devices, which
measure various personal characteristics, such as fingerprints, voice prints, retina prints, or signature
characteristics. These user characteristics are digitized and stored permanently in a database security file or
on an identification card that the user carries.

> Spooling/Queuing ("Simultaneous Peripherals Operations Online"): A process used to ensure that the
user is able to continue working even before the print operation is completed. When a file is to be printed,
the OS stores the data stream to be sent to the printer in a temporary file on the hard disk. This file is then
"spooled" to the printer as soon as the printer is ready to accept the data. This intermediate storage of
output could lead to unauthorized disclosure and/or modification. A queue is the list of documents waiting
to be printed on a particular printer. This queue should not be subject to unauthorized modifications.

 A user instruction manual document defines responsibilities and actions:

• Input controls that identify all data entering the processing cycle;
• Processing control information that includes edits, error handling, audit trails and master file changes;
• Output controls that define how to verify the correctness of the reports;
• Separation of duties between preparing the input and balancing the output

 To provide the user with the tools to achieve their responsibilities, the user instruction
manual should include:

• Narrative description of system
• Detailed flowchart of processes + Detailed document flowchart
• A copy of each input document + List of approvals required on each input document
• A copy of any batch control forms
• Reconciliation reports
• A copy of each report produced by the system with a description of its purpose, the number of copies,
distribution and instructions for balancing output to original input
• A list of retention periods for docs/reports
• A system recovery section including user responsibilities for assisting in the restoration of the system.

AUDIT TRAILS [N-11]

Audit trails - Logs to record activity at the system, application, and user level.
• Chronological record of all events
• Provide an important detective control
• Many OS allow management to help select which events will be recorded in the log. An effective audit
policy will capture all significant events without cluttering the log with trivial activity.

(- More details can be borrowed from Group I – Auditing -)

Audit Trail Objectives

Audit trails can be used to support security objectives in three ways:

1) Detecting unauthorized access- Real-time detection protects the system. A real-time audit trail can also be
used to report on changes in system performance due to a virus. However, real-time detection and logging
can degrade system performance. After-the-fact detection logs can be stored electronically and
reviewed periodically.

2) Personal Accountability- Audit trails can be used to monitor user activity at the lowest level of detail.
This capability is a preventive control that can be used to influence behavior. Individuals are less likely to
violate an organization's security policy if they know that their actions are recorded in an audit log.

3) Reconstructing events- Audit analysis can be used to reconstruct the steps that led to events such as
system failures, security violations by individuals, or application processing errors. Such knowledge of
conditions can be used to assign responsibility and to avoid similar situations in the future. Audit trail
analysis aids in accounting control.

(- Detecting unauthorized entries in Personal A/Cs of a Construction Co. -)

Implementing an Audit Trail: The information contained in audit logs is useful to accountants in measuring
the potential damage and financial loss associated with application errors, abuse of authority, or
unauthorized access by outside intruders.
Logs also provide valuable evidence for assessing both the adequacy of controls in place and the need for
additional controls. They generate data in overwhelming detail. Important information can easily get lost
among the superfluous detail of daily operation. Thus, poorly designed logs can actually be dysfunctional.

//excess details can be bad//
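The three objectives (detecting unauthorized access, accountability, reconstructing events) and the warning about superfluous detail can be shown on a tiny log. The following is an added example written for these notes, not code from the notes; the log format (`timestamp key=value ...`), the user names, the addresses and the "HEARTBEAT" event treated as trivial are all constructed for illustration.

```python
"""Added example (not from the notes): a minimal after-the-fact audit-trail
analyser. It drops trivial events, flags a successful login preceded by a
burst of failures (unauthorized-access detection) and rebuilds one user's
actions in order (accountability / reconstruction). Log lines are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: one event per line, chronological order.
SAMPLE_LOG = """\
2012-05-03T09:00:00 user=asha event=LOGIN result=OK src=10.0.0.5
2012-05-03T09:00:30 user=asha event=HEARTBEAT result=OK src=10.0.0.5
2012-05-03T09:05:10 user=asha event=READ result=OK src=10.0.0.5 obj=ledger.dat
2012-05-03T09:07:42 user=asha event=UPDATE result=OK src=10.0.0.5 obj=ledger.dat
2012-05-03T21:14:02 user=ravi event=LOGIN result=FAIL src=203.0.113.9
2012-05-03T21:14:09 user=ravi event=LOGIN result=FAIL src=203.0.113.9
2012-05-03T21:14:15 user=ravi event=LOGIN result=FAIL src=203.0.113.9
2012-05-03T21:14:21 user=ravi event=LOGIN result=OK src=203.0.113.9
2012-05-03T21:15:00 user=ravi event=HEARTBEAT result=OK src=203.0.113.9
2012-05-03T21:16:33 user=ravi event=DELETE result=OK src=203.0.113.9 obj=payroll.dat
"""

# Events that only clutter the log: the "superfluous detail" the notes warn about.
TRIVIAL_EVENTS = {"HEARTBEAT"}


def parse_log(text):
    """Turn raw lines into dicts with a parsed timestamp; trivial events dropped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        if rec["event"] in TRIVIAL_EVENTS:
            continue
        events.append(rec)
    return events


def detect_suspicious_logins(events, max_failures=3, window_seconds=60):
    """Flag a successful LOGIN preceded by >= max_failures failed LOGINs for
    the same user within window_seconds (after-the-fact detection)."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failed logins
    for e in events:
        if e["event"] != "LOGIN":
            continue
        fails = recent_failures[e["user"]]
        if e["result"] == "FAIL":
            fails.append(e["ts"])
            continue
        # Successful login: keep only failures inside the window, then decide.
        fails[:] = [t for t in fails if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(fails) >= max_failures:
            alerts.append({"user": e["user"], "src": e["src"],
                           "ts": e["ts"].isoformat(), "failures": len(fails)})
        fails.clear()
    return alerts


def reconstruct_user_actions(events, user):
    """Chronological (timestamp, event, object) list for one user: the
    accountability and reconstruction use of the trail."""
    return [(e["ts"].isoformat(), e["event"], e.get("obj", "-"))
            for e in events if e["user"] == user]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_suspicious_logins(evs):
        print("ALERT", alert)
    for row in reconstruct_user_actions(evs, "ravi"):
        print(*row)
```

The thresholds (three failures within sixty seconds) are policy choices, not fixed facts; the point of the example is that a well-designed log records enough fields (user, event, result, source, object) to answer "who did what, when, from where" without logging every heartbeat.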
