Wednesday, April 03, 2013

ICAI - Final Course: Group II

Paper 6: Information Systems Control and Audit (One Paper – Three hours – 100 marks)

1. Information Systems Concepts:
General Systems Concepts – Nature and types of systems, nature and types of information, attributes of information. Management Information System – Role of information within business, Business information systems –various types of information systems – TPC, MIS, DSS, EIS, ES

2. Systems Development Life Cycle Methodology: Introduction to SDLC/Basics of SDLC, Requirements analysis and systems design techniques, Strategic considerations : Acquisition decisions and approaches, Software evaluation and selection/development, Alternate development methodologies- RAD, Prototype etc, Hardware evaluation and selection Systems operations and organization of systems resources, Systems documentation and operation manuals, User procedures, training and end user computing, System testing, assessment, conversion and start-up, Hardware contracts and software licenses System implementation, Post-implementation review, System maintenance, System safeguards, Brief note on IS Organisation Structure

3. Control objectives
(a) Information Systems Controls: Need for control, Effect of computers on Internal Audit, Responsibility for control – Management, IT, personnel, auditors Cost effectiveness of control procedure, Control Objectives for Information and related Technology (COBIT)

(b) Information Systems Control Techniques:
Control Design: Preventive and detective controls, Computer -dependent control, Audit trails, User Controls (Control balancing, Manual follow up)

Non-computer-dependent (user) controls: Error identification controls, Error investigation controls, Error correction controls, Processing recovery controls

(c) Controls over system selection, acquisition/development Standards and controls applicable to IS development projects Developed / acquired systems, Vendor evaluation, Structured analysis and design, Role of IS Auditor in System acquisition/selection

(d) Controls over system implementation: Acceptance testing methodologies, System conversion methodologies, Post implement review, Monitoring, use and measurement

(e) Control over System and program changes, Change management controls, Authorization controls, Documentation controls, Testing and quality controls, Custody, copyright and warranties, Role of IS Auditor in Change Management

(f) Control over Data integrity, privacy and security, Classification of information, Logical access controls, Physical access controls, Environmental controls, Security concepts and techniques – Cryptosystems, Data Encryption Standards (DES), Public Key Cryptography & Firewalls, Data security and public networks, Monitoring and surveillance techniques, Data Privacy, Unauthorised intrusion, hacking, virus control, Role of IS Auditor in Access Control

4. Audit Tests of General and Automated Controls
(a) Introduction to basics of testing (reasons for testing);

(b) Various levels/types of testing such as: (i) Performance testing, (ii) Parallel testing, (iii) Concurrent Audit modules/Embedded audit modules, etc.

5. Risk assessment methodologies and applications: (a) Meaning of Vulnerabilities, Threats, Risks, Controls, (b) Fraud, error, vandalism, excessive costs, competitive disadvantage, business, interruption, social costs, statutory sanctions, etc. (c) Risk Assessment and Risk Management, (d) Preventive/detective/corrective strategies

6. Business Continuity Planning and Disaster recovery planning: (a) Fundamentals of BCP/DRP, (b) Threat and risk management, (c) Software and data backup techniques, (d) Alternative processing facility arrangements,(e) Disaster recovery procedural plan, (f) Integration with departmental plans, testing and documentation, (g) Insurance

7. An over view of Enterprise Resource Planning (ERP)

8. Information Systems Auditing Standards, guidelines, best practices (BS7799, HIPPA, CMM etc.)

9. Drafting of IS Security Policy, Audit Policy, IS Audit Reporting - a practical perspective

10. Information Technology Act, 2000

Sources: Institute of Chartered Accountants of India