
Information systems audit policy for the banking and financial sector (Part 1 of 2)

Working group for information systems security for the banking and financial sector

Department of Information Technology
Reserve Bank Of India
Mumbai

October, 2001

FOREWORD

The business operations in the banking and financial sector have been increasingly dependent on the computerised information systems over the years. It has now become impossible to separate Information Technology (IT) from the business of the banks and the financial institutions. There is a need for focussed attention on the issues of the corporate governance of the information systems in computerized environment and the security controls to safeguard information and information systems.

The application of Information Technology has brought about significant changes in the way the institutions in the banking and financial sector process and store data and this sector is now poised to countenance various developments such as Internet banking, e-money, e-cheque, e-commerce etc., as the most modern methods of delivery of services to the customers. The telecommunication networks have played a catalytic role in the expansion and integration of the Information Systems (IS), within and between the institutions, facilitating data accessibility to different users. In view of the critical importance of IS, there is a need to exercise constant vigilance for the safety of the financial systems. Structured, well defined and documented security policies, standards and guidelines lay the foundation for good IS security and each institution is required to define, document, communicate, implement and audit IS Security to ensure the confidentiality, integrity, authenticity and timely availability of information, which is of paramount importance to business operations.

Reserve Bank of India constituted a ‘Working Group for Information Systems Security for the Banking and Financial Sector’ to discuss and finalise the standards and procedures for IS Audit and IS Security Guidelines for the banking and financial Sector. The Working Group has prepared this report on the ‘Information Systems Audit Policy’ including ‘Information Systems Security Guidelines’.

This report discusses various aspects of IS Audit such as the objectives, approaches, methodology, charter, planning, standards and guidelines, sampling, evidence and documentation. It discusses the skills that IS auditors will require to possess, as well as the way they will require to address the irregularities observed during auditing. It discusses the issues relating to the corporate governance of Information Systems and Security Controls. It has brought out the primary roles to be performed by the Auditor and the Auditee.

Under the ‘Information Systems Security Guidelines’, the report discusses IS Security Controls relating to computer hardware, software, network, Telecommuting/Tele-working, Mobile Computing, Computer Media Handling, Voice, Telephone and related equipment and Internet and the procedures/methodologies to be adopted to safeguard information and information systems. It discusses issues such as Change Control Mechanism, Separation of Development and (Production) Operational Facilities, Information Handling and Back-up, Electronic Mail and Financial Services/Products. It emphasises the use/implementation of Firewall, Digital Signature, Cryptographic Controls, Business Continuity Planning (BCP), Framework/Disaster Recovery Planning (DRP) including Cryptographic Disasters. It also discusses various other issues relating to Certification Authorities (CAs)/Trusted Third Parties (TTPs), Compliance with Legal Requirements, Intellectual Property Rights (IPR), Review of IS Security Policy and Human Resources.

The IS Audit Policy issues and the IS Security Guidelines, discussed in this report, are indicative ones only and each institution will require to examine the adequacy of the security controls on an on-going basis and enhance the same, as required, from time to time. We are forwarding a copy of this report for information and comments. We request all the banks and the financial institutions to set up appropriate audit and security systems in this vital sector.

The Chairman, Members of the Working Group and the officials of the Department of Information Technology, Reserve Bank of India, Mumbai, associated with the preparation of this report, deserve compliments for the good work done.

(Vepa Kamesam)
Deputy Governor

Mumbai 6-11-2001


Chapter 1: Introduction
Chapter 2: Executive Summary
Chapter 3: Objectives of Information Systems Audit
Chapter 4: Information Systems Audit Approaches
Chapter 5: Information Systems Audit Methodology
Chapter 6: Audit Charter
Chapter 7: Planning Information Systems Audit
Chapter 8: Standards & Guidelines for Information
Chapter 9: Audit Sampling
Chapter 10: Information Technology, Security Issues and Information Systems Audit
Chapter 11: Information Systems Auditing & Skills
Chapter 12: Audit Consideration for Irregularities
Chapter 13: Audit Evidence / Information
Chapter 14: Audit Documentation
Chapter 15: Recommendations
Glossary of terms
References
Annexure: Information Systems Security Guidelines


CHAPTER 1

Introduction

1.1 The developments in Information Technology have a tremendous impact on auditing. Information Technology has facilitated re-engineering of the traditional business processes to ensure efficient operations and improved communication within the organisation and between the organisations and its customers. Auditing in a computerized and networked environment is still at its nascent stage in India and established practices and procedures are evolving. Well planned and structured audit is essential for risk management and monitoring and control of Information Systems in any organisation.

Information Systems (IS) auditing is a systematic, independent examination of the information systems and their environment to ascertain whether the objectives set out to be met have been achieved. Auditing is also described as a continuous search for compliance. The auditors need not examine the entire system; they may examine a part or parts of it only. Auditing primarily covers the following broad areas of activity:

  1. gathering of information
  2. comparison of information and
  3. asking why

1.2 Types of Audit: Various methods are adopted for categorizing audit. One such method of categorization divides audit into two types, namely Adequacy Audit (also called Systems Audit) and Compliance Audit. Another method categorizes audit by levels – Internal Audit, External Audit and Extrinsic Audit. Yet another method of categorization is by parties – First Party, Second Party and Third Party audits. The most common types of audit are Financial Audit, Compliance Audit, Information Systems Audit and Operations Audit.

1.3 Banking & Financial Activities and Risks: The deployment of Information Technology in banks and financial institutions, both in front and back office operations, has facilitated greater systemic efficiency in the banking and financial sector. It has, at the same time, introduced new areas of risk. Risk is inherent in traditional banking and financial activities. However, risk in a computerized and networked environment is multifarious, comprising operational risk, reputational risk, legal risk, credit risk, liquidity risk, interest rate risk, foreign exchange risk etc., as briefly discussed hereunder:

1.3.1 Operational risk arises out of the problems concerning the reliability and integrity of the Information Systems. The extent of such risks depends on the security features, design and implementation of security policies and procedures, adopted in an electronic banking system. Network security, database security, data integrity, appropriateness of the security policies and practices and the likely misuse of the information and information resources by the employees, customers and third parties are some of the factors, which require to be addressed for risk measurement in a computerized and networked environment in the banking and financial sector.

1.3.2 Reputational risk is very closely intertwined with the other kinds of risks. Failures, frauds, lack of proper delivery or non-delivery of information to customers, monetary loss to customers, lack of personal touch and litigation are some of the factors which cause loss of reputation to an organisation. Loss of reputation is a very serious problem for any business and the banking/financial institution is no exception. Loss of reputation is usually due to serious security loopholes and lapses in the information systems, lack of fast and efficient delivery channels for retail banking and financial services and the market’s general lack of trust in electronic banking/financial channels, say credit cards, which constitute one type of electronic money or e-cash or plastic money. The occurrence of external and internal attacks on an organisation’s information and Information Systems may cause serious damage to public confidence in the organisation.

1.3.3 Legal risk emanates from various factors such as the lack of adequate legal framework, inappropriate, ineffective, irrelevant and inapplicable Information Technology Act, inappropriate customer secrecy obligations on the part of the banks and financial institutions, inadequate privacy policy for the customers, Certification Authority risk, Trans-border financial transactions with very little or no legal backing or international law for the same, lack of legal provisions for public trans-border communication network such as Internet, other private networks etc.

1.3.4 Credit risk arises when the parties default in repayment of loans and advances. In computerized environment, credit risk gets enhanced because credit is channelised through electronic channels, which transgress the barriers of time and space. Credit appraisal in order to ascertain the credit worthiness of a prospective customer is difficult to verify as multiple remote customers may access the bank round the clock for credit through non-traditional channels of communication with little or no ways and means being available with the banks to completely ascertain the veracity of their claims within the set limits of response time, as per the guidelines for Customer Relationship Management. In cases of credit flow through trusted third parties like the operators of electronic inter-bank/institutional payment gateways, any default on the part of the third party operators in assessing the credit worthiness of the final customers would boomerang on the bank and has to be considered as another factor contributing to credit risk. Credit risk assumes great importance in an electronic banking environment.

1.3.5 Liquidity risk arises when an entity fails to meet its payment obligations in a timely manner. Banks, which may provide the facility of electronic money, shall be liable to arrange for adequate funds in case of redemption or settlement on electronic money. Any default could lead to legal wrangles and loss of liquidity.

1.3.6 Interest Rate risk arises due to variation in the interest rates. In the case of banks offering electronic money, any fluctuation in the interest rate which affects the value of the assets created by electronic money is liable to create an interest rate risk liability on the bank.

1.3.7 Cross-border Transactions Risks: Electronic banking envisages a borderless world of financial services and therefore, risks, arising out of variation in the exchange rate, are likely to create additional risks for a bank. Different exchange rates, existing in different countries, mean that the banks need to analyse not only the exchange rate fluctuations with respect to the currencies of their respective countries, but exchange rate fluctuations between two or more (other) countries also. This kind of risk is likely to arise in case the bank has to cover losses due to unfavourable exchange rate fluctuations or in case, the third country participants in an electronic payment system are unable to fulfill their financial obligations due to social, economic and political factors in their respective countries.

1.4 Risks accentuate the need for comprehensive audit, as under, in a computerised environment:

1.4.1 Financial Audit:

A financial audit is an examination of an organization’s financial statements. A financial audit like other types of audit has to be conducted by an independent auditor. Auditors must not only be independent, but have to also appear to be independent.

The term audit here describes the investigation, which the auditors undertake to provide the basis for their analysis and opinion/suggestion. As a part of financial audit, auditors consider and evaluate the internal controls, put in place by an organization, in regard to the preparation of the financial statements. This evaluation gives them a feel of the accuracy and reliability of the information in the organization’s accounting system. The auditors gather evidence/information to substantiate every material item appearing in the financial statements. Auditors also build up procedures, designed to determine that the financial statements and the accompanying notes are complete in all respects.

After completing the audit, the auditors express their expert opinion as to the fairness of the financial statements. These opinions are expressed in the form of audit reports. Audit reports, however, do not guarantee the accuracy of the financial statements, but provide the auditor’s professional opinion only on the overall fairness and accuracy of the financial statements, based on the information made available to the Auditors.

The primary purpose of financial audit is to determine the overall accuracy and fairness of the financial statements and not to detect any or all acts of fraud. Most audit procedures are based on samples and therefore, it may not be possible for the auditors to verify all the transactions. However, frauds, which render the financial statements misleading, require to be brought under the scope of any form of audit. Auditors design their investigation to detect errors and omissions that are material to the financial statements. With respect to the financial statements, an item is material, if knowledge of the item might reasonably be expected to influence the decisions of the users of the financial statements.

1.4.1.1 Financial Audit in Computerized Environment for the Banking & Financial Sector:

The use of Information Technology has revolutionised the banking and financial sector. The manner in which financial services are being offered by the banks and the financial institutions is undergoing a sea change. A set of new financial services such as Electronic Banking, Tele-banking, Electronic Clearing Systems, Electronic Funds Transfer, Electronic Money, Smart Cards, Credit Cards etc. is fast gaining ground. Information Technology has helped the banks and the financial institutions to build up more efficient back-office systems together with automated management information systems for asset-liability management and risk analysis.

In a computerized environment, the financial statements could be generated from diverse database systems, operating on different operating systems. The financial transactions, on the basis of which the financial statements are generated, could be fully automated, and there may or may not be proper audit trails, time stamps, log reports and the like to monitor and trace these transactions. Further, these transactions may not be bound by the traditional boundaries of time, space and even organizations. Various legs of a transaction could have been effected not only at different points of time, but at geographically different locations and between different banks or financial institutions. Needless to say, such transactions become very complex.

An organisation’s financial statements reflect a set of management assertions about its financial health. The task of an auditor is to determine whether the financial statements have been fairly presented. To accomplish this, the auditor has to establish the audit objectives, design procedures and gather evidence/ information, which may corroborate or refute the management’s assertions.

1.4.1.2 In a computerized environment, financial audit requires to be carried out in three phases, as under:

In the first phase, an audit plan has to be drawn up. This will require to be done by reviewing the organisation’s policies and practices, regulatory and legal controls as applicable, trade practices and conventions and internal control mechanism. The financially significant applications and the controls over the primary transactions, which are processed by these applications are also studied in this phase of audit. The techniques for gathering the desired information at this phase include questionnaires, interviewing management/concerned authorities and reviewing the systems documentation.

In the second phase, the internal controls, which have been set up, are tested. Various tests are conducted to test the ruggedness of the internal controls.

In the third phase, detailed drill-down tests are conducted by scrutiny of the individual transactions, selected from a fairly large sample of the business transactions.

1.4.2 Compliance Audit:

An organization’s operations are subject to a variety of laws and regulations. Violation of these laws and regulations would result in imposition of huge fines and penalties. Compliance with these laws and regulations is monitored by the regulatory authorities through Compliance Audit.

Compliance Audit of the computerised transactions is a difficult and complicated task. There has to be a systematic examination of the transactions, at least a reasonable sample thereof, to understand the various issues involved. Let us take an example of a simple money transfer, say electronic funds transfer, from the account of a customer of a bank in one country to the account of a customer in another bank of another country. In this case, the compliance with the foreign exchange management laws of the two countries, regulatory guidelines, issued by the Central Banks and the taxation laws of the two countries, to name a few of the compliance requirements, will require to be examined. Further, what kind of accounting procedure has been followed for effecting debit and credit on the customer accounts and the issue of advices will require to be examined. Whether such money transfer amounts to money laundering in any way or any other financial irregularity will require to be examined. A complex maze of laws, regulations and audit rules will require to be considered under Compliance Audit. Any version change or change of application and data migration should be subject to Audit.

Compliance Audit follows a three-phase-audit route. Compliance with various statutory guidelines, legal and regulatory guidelines and adherence to trade practices and conventions require to be thoroughly tested under Compliance Audit.

In the planning phase or the first phase of Compliance Audit, the various applicable rules, regulations, laws, regulatory fiats etc. will require to be studied and noted down. Appropriate tests, which may verify compliance with these rules, regulations, laws and regulatory fiats, will require to be decided and planned.

In the test/control phase or the second phase of Compliance Audit, the tests, as planned in the first phase, will require to be carried out and the compliance therewith observed. Variations/exceptions/violations will require to be noted down for mention in the audit report.

In the last phase of Compliance Audit, a sample of transactions is tested in detail for compliance.

Compliance Audit is conducted in the banking and financial organisations to ascertain whether various rules and regulations, as laid down by the regulatory authorities such as the Central Bank, Capital Market Regulator, Exchange Control Regulator etc., have been complied with.

1.4.3 Information Systems (IS) Audit:

IS audit is a systematic process of objectively obtaining and evaluating evidence/ information regarding the proper implementation, operation and control of information and the Information System resources. IS audit could be considered a part of Financial Audit. The lack of physical procedures, which can be easily verified and evaluated, injects a high degree of complexity into IS audit. Therefore, a logical framework for conducting an audit in the IT environment is critical to help the auditor identify all important processes and data files.

IS audit follows a three-phase process, as applicable to Financial Audit and Compliance Audit. The first phase is the audit planning phase, followed by the test of controls phase and finally, the substantive testing phase.

In the planning or first phase, an IS auditor must identify the various risks and exposures and the security controls, which provide safeguards against these exposures. The tests, which need to be conducted to make the second phase of the audit effective, are also planned in detail in the first phase.

In the second phase, the security controls are tested. Control activities in an organization are the policies and procedures used to ensure that appropriate actions are taken to deal with the organisation’s identified risks. One of the primary areas of IS audit is to check the effectiveness of these security controls. Control activities, in turn, are divided into two major areas – Computer Controls and Physical Controls.

Computer Controls comprise the general controls and the application controls. General controls pertain to area-wise concerns such as controls over the data center, organizational databases, systems development and program maintenance. Application controls ensure the integrity of specific application software. Physical Controls include access control, transaction authorization, segregation of duties, supervision, accounting records and independent verification.

In the third or Substantive Testing Phase, individual transactions are tested. IS audit substantive tests make extensive use of computer assisted audit tools and techniques. Audit of Information Systems is a very challenging job, especially in the light of the fast changing pace of Information Technology including Communication Systems.

1.4.4 Information Systems Audit for the Banking & Financial Sector:

Audit is one of the major controls for monitoring management activities in the banks and financial institutions. In a computerized environment, IS audit is a very effective and necessary activity. Usually the IT implementation in the banking and financial organizations is done by adopting a mix of different methodologies – internal development and deployment and third party product development and deployment.

In case of internally developed and deployed IT systems, IS audit will require to be done by a team of specially trained internal or external auditors. However, it is preferable to have the IS audit conducted with the help of suitable external agencies with the required skills and expertise to ensure independent nature of audit.

In case of development and deployment of the IT systems by third parties, the IS audit requires to be conducted by trusted auditor/s with skills and expertise, required for the purpose. IS audit assumes greater significance because a large number of critical and strategic financial operations in the banking and financial sector are wholly or partly being handled by the computerized systems.

1.4.4.1 Information Systems Audit & Computer Aided Audit Tools & Techniques:

With the help of computer aided audit tools and techniques, an IS audit becomes more scientific and meaningful. There are five basic approaches, as under, for testing the application controls using CAATT (Computer Aided Audit Tools and Techniques).

a) Test Data Method – This method is used to establish application integrity by processing specially prepared sets of input data. The results of each test are compared with the pre-determined expected results. The auditor first obtains the current version of the application and then generates the test transaction files and test master files. Thereafter, the test transaction files are input into the program and the result in the form of routine output reports, transaction listing and error reports are collected.

Further, updated master files are also checked for correct/expected outputs. The test results are compared with the expected results, either manually or again through a computer program.

b) Base Case System Evaluation – Under this method, a base test set of transactions is prepared along with the expected results. This set of transactions is comprehensive and all possible transaction types are included. Whenever testing is done, the results are compared with the results of the base test data results, which were obtained initially.

c) Tracing – Under this method, the test data does a virtual walk through the application logic. The application under review must undergo a special compilation to activate a trace option. The test data, prepared for tracing, is run and the result shows the exact listing of the programmed instructions, executed while the test data was processed.

d) Integrated Test Facility – This is an automated test technique, where the audit module is designed in the application program itself to be run in the normal course of operations by the application program with a specific choice of test data and where the application program distinguishes between the actual transactional data and test transactional data for simultaneous integrated audit and normal operations.

e) Parallel Simulation – This requires the auditor to write a program that simulates the key features and processes of the application. The program is run on the pre-processed actual transactional data and the results obtained are compared with the actual results obtained.

1.4.4.2 For the purpose of Concurrent Audit or Real Time Audit, sometimes an embedded audit module is used to identify important transactions, while they are being processed and copies of such transactions are extracted in real time. Threshold levels and pre-defined conditions are set and all transactions, which cross the threshold or meet the conditions, are segregated and copies thereof audited in real time.
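The embedded audit module of 1.4.4.2 and the integrated test facility (ITF) of 1.4.4.1(d), as an added example in Python that is not part of the report: a toy posting engine that keeps audit-supplied test transactions in a separate ledger so they never alter real balances, runs the same control logic on live and test postings, and copies in real time every posting that crosses an amount threshold or meets a pre-defined condition. The threshold, the business-hours window and the overdraw condition are assumed, illustrative settings; the report only says that thresholds and conditions are set.

```python
# Added illustration, not code from the RBI report: a toy posting engine with an
# integrated test facility (ITF) and an embedded audit module for concurrent audit.
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    account: str
    amount: float          # positive = credit to the account, negative = debit
    posted_at: datetime
    channel: str           # delivery channel, e.g. "branch" or "internet"
    is_test: bool = False  # ITF marker: audit-supplied test data, not a real posting


@dataclass
class AuditModuleConfig:
    # Assumed, illustrative settings: the report only says that threshold levels
    # and pre-defined conditions are set for the embedded audit module.
    amount_threshold: float = 100000.0  # copy any posting at or above this absolute amount
    business_hours: tuple = (9, 18)     # postings outside [09:00, 18:00) are copied


@dataclass
class PostingEngine:
    config: AuditModuleConfig
    balances: dict = field(default_factory=dict)       # live ledger
    test_balances: dict = field(default_factory=dict)  # ITF dummy-entity ledger
    audit_copies: list = field(default_factory=list)   # (transaction, reasons) captured as posted

    def _audit_reasons(self, txn: Transaction, balance_before: float) -> list:
        """Embedded audit module: return the conditions a posting trips, if any."""
        reasons = []
        if abs(txn.amount) >= self.config.amount_threshold:
            reasons.append("threshold")
        start, end = self.config.business_hours
        if not (start <= txn.posted_at.hour < end):
            reasons.append("out_of_hours")
        if txn.amount < 0 and balance_before + txn.amount < 0:
            reasons.append("overdraw")
        return reasons

    def post(self, txn: Transaction) -> float:
        """Post one transaction and return the account balance after posting.

        The ITF keeps test postings in a separate ledger so audit test data
        never alters real balances, while the same control logic runs on both,
        so the auditor can see the audit module fire on known test cases.
        """
        ledger = self.test_balances if txn.is_test else self.balances
        before = ledger.get(txn.account, 0.0)
        ledger[txn.account] = before + txn.amount
        reasons = self._audit_reasons(txn, before)
        if reasons:
            # Real-time copy: the frozen dataclass is an immutable snapshot of the posting.
            self.audit_copies.append((txn, reasons))
        return ledger[txn.account]


def run_demo() -> PostingEngine:
    """Run a constructed batch of postings through the engine and return it."""
    engine = PostingEngine(AuditModuleConfig())

    def at(hour: int, minute: int) -> datetime:
        return datetime(2001, 10, 15, hour, minute)

    batch = [  # constructed sample data
        Transaction("T1", "A1", 50000.0, at(10, 0), "branch"),
        Transaction("T2", "A1", -20000.0, at(10, 30), "internet"),
        Transaction("T3", "A2", 250000.0, at(11, 0), "branch"),    # crosses the amount threshold
        Transaction("T4", "A1", -5000.0, at(23, 15), "internet"),  # outside business hours
        Transaction("T5", "A3", -1000.0, at(12, 0), "branch"),     # overdraws an empty account
        Transaction("T6", "TEST-9", -150000.0, at(12, 0), "internet", is_test=True),  # ITF case
    ]
    for txn in batch:
        engine.post(txn)
    return engine


if __name__ == "__main__":
    eng = run_demo()
    print("live balances:", eng.balances)
    print("ITF balances:", eng.test_balances)
    for txn, reasons in eng.audit_copies:
        kind = "test" if txn.is_test else "live"
        print(f"{txn.txn_id} ({kind}): {', '.join(reasons)}")
```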

1.4.4.3 Database Auditing is another area of interest for the IS auditors. Data structures vary from flat files to relational database structures. In order to effectively audit databases, a process of data normalization is essential. Database normalization is a technical matter and is usually the responsibility of the Systems Professionals. However, technical knowledge of the same is essential for the IS auditors also. The IS auditors, while performing the software audit, should ensure from the system documents that the database is properly normalized and that there are not many redundancies and dependencies, as a poorly normalized database could affect the integrity of data. The database constraints will also require to be properly examined.

1.4.4.4 With the advent of Corporate Networks, Payment Gateways and new products like Internet Banking, Anywhere Anytime Banking etc., which primarily rely on various public and private networks for their operation, Network Audit forms a key area of IS audit. Network Audit covers all aspects of the network, right from the communication channels, network equipment like switches, bridges, routers, firewalls to internetworking issues and security controls. To ensure continuous adequacy of security controls in networked environment, each organisation will require to regularly conduct penetration testing in respect of the Information Systems with the help of third parties under well specified terms and conditions, agreed therefor with such third parties.

1.4.5 Operations Audit:

Operations Audit is mostly considered part and parcel of the other types of audit.

1.5 Audit for the Banking & Financial Sector in Computerised Environment and Regulator’s Role:

A number of regulators regulate the activities in the banking and financial sector. In an ideal situation, each financial market like the call money market, term money market, securities/debt market, capital market, foreign exchange market, derivatives market and commodities market should have independent statutory regulators. However, in most of the countries, more often than not, both the regulatory and supervisory powers rest with the same independent statutory regulatory authority.

The job of the regulator is to ensure the soundness of the financial markets and the financial systems and to work towards their growth. As a part of the regulator’s mandate, various regulations in the form of guidelines, circulars and instructions are issued to the participants in the financial markets from time to time. These guidelines relate to the macro and micro levels. The mandate of the regulator for supervision encompasses the functions of audit. The audit is done to ensure systemic efficiency, efficacy, speed and to prevent frauds.

In case of various kinds of audit in a computerized environment, the regulator will require to issue from time to time, the guidelines, concerning the level of transparency and access to the financial statements, information and information systems. For the specific purpose of audit, the entities in the banking and financial sector will require to adhere to standard practices and policies regarding the development and deployment of computer resources. These guidelines will specify not only the key areas of statutory audit, but will also include the areas of operation, where concurrent audit may be necessary. Further, areas will require to be identified for off-site and on-site inspection and audit by the regulator.

For this purpose, a set of standards, practices and procedures will require to be worked out for adoption by each organization in the banking and financial sector regarding each and every aspect of computerization including, among others, networking, applications, databases, security features, audit and accounting features. The standards will require to be generic, open and minimal. These standards, practices and procedures will ensure that the banks and financial institutions can be inspected and audited in a more comprehensive and elaborate manner, keeping in view the basic principles in which the computers, networks, databases, applications and security provisions operate in a computerized environment.

The guidelines will require to provide for sufficient safeguards to be built in the Information Systems to ensure systemic ruggedness to reduce the risk of cyber and digital crimes like hacking, spamming, unauthorised access and destruction or manipulation of the information and the information systems.

The regulator may have to initially take the help of trusted and independent third party Information Systems Auditors, with suitable skills and expertise for the purpose, along with its own personnel, for auditing inter-institutional applications. The regulator will require to develop a team of expert Information Systems Auditors in-house for the purpose. Adequate importance will require to be given to security features in the Information Systems such as the use of digital certificates, digital signatures, encryption, time stamping and audit trails. These security controls will require to be implemented by the entities in the banking and financial sector only after careful selection and regular audit by trusted independent third party/ies, well-versed in the latest technology for the same.

The regulator has also to ensure that all kinds of financial risks like operational risks, credit risks, interest rate risks etc. are managed by the banks and the financial institutions through comprehensive and effective means of off-site, on-site and concurrent audit and inspection. This assumes much more significance in an environment, where the speed of financial transactions is very high with much larger ramifications. Better accounting norms, income recognition norms, stricter capital adequacy measures etc. will require to be devised and implemented.

1.6 IS audit and Certified Information Systems Auditor (CISA)/ Certified Information Systems Security Professional (CISSP):

The core function of the banks and the financial institutions is to provide banking and financial services and not Information Technology related services. These organisations may not have the necessary skills and expertise to conduct IS audit on their own. Further, these organisations may procure various third party security products for use in their Information Systems. These security products will require to be IS audited and vetted before deployment as also subsequently, at regular intervals. IS audit is a very specialised task and will require to be carried out by suitably qualified and skilled personnel, preferably by external agency/ies in association with suitable in-house personnel initially. Therefore, these organisations will require to use Certified Information Systems Auditors (CISA), Certified Information Systems Security Professionals (CISSP) etc. for the conduct of IS audit in their respective organisations. However, they will require to expeditiously develop the necessary in-house skills and expertise for the purpose.

1.7 The RBI constituted a ‘Working Group for Information Systems Security for the Banking and Financial Sector’, under the Chairmanship of Executive Director Dr. R.B. Barman and with representation from a few major banks in the Public and Private sectors and a few institutions in the private sector, engaged in Information Systems Audit work, vide the then Deputy Governor Shri S.P. Talwar’s memorandum dated the 18th May, 2001, to discuss and finalise the standards and procedures for Information Systems Audit and Information Systems Security guidelines for the banking and financial sector.

1.7.1 The Working Group met on three occasions i.e. May 31, 2001, October 12, 2001 and October 19, 2001. The two reports on Information Systems Audit Policy and Information Systems Security Guidelines were discussed and finalised in the 3rd meeting of the Working Group, held on October 19, 2001. As the Information Systems Audit has to be performed primarily on the Information Systems Security Controls, the Working Group decided that the report on the ‘Information Systems Security Guidelines’ should appear as an annexure to the report on the ‘Information Systems Audit Policy’.

1.7.2 The ‘Working Group on Information Systems Security for the Banking and Financial Sector’ recommends that the ‘Information Systems Audit Policy’ needs to be read with the ‘Information Systems Security Guidelines’ (ANNEXURE) to provide a reasonable measure of totality to the approach to Information Systems Audit and Information Systems Security, to be adopted by the organisations in the banking and financial sector in the country.

1.7.3 Information Systems Audit is a challenging job in an increasingly automated world of financial services. Auditing is a never ending exercise and in fact, it is a perpetual quest for compliance. This document contains some policy issues/guidelines on the standards, practices and procedures for the conduct of Information Systems Audit, to be adopted by the organisations in the banking and financial sector.

1.7.4 The members of the Working Group sincerely acknowledge the contributions made by Dr. A.M. Pedgaonkar, General Manager, Department of Information Technology and Shri S.N. Panda, Assistant General Manager, Department of Information Technology in preparing the draft chapters and the secretarial help provided by Shri L. Ponnudurai, Manager and Smt. Ananthalakshmi Raman, Assistant Manager. Shri Panda has worked really hard in the preparation of the draft chapters after going through vast literature on the subject from national and international sources. The members sincerely appreciate Shri Panda’s efforts.

CHAPTER 2

Executive Summary

2.1 High profile problems, experienced by a variety of organizations in recent years, including the organizations in the banking and financial sector, have focussed attention on the issues relating to the corporate governance of the information systems. It is the management’s responsibility to safeguard all the assets of the organisation. To discharge this responsibility as also to achieve its expectations, the management must establish an adequate system of internal controls. The formal means by which the management discharges its responsibility to establish an effective system of internal controls over an organisation’s operational and financial activities is now subject to increasing public scrutiny and often forms part of the scope of audit for both the internal and the external auditors. During the course of IS audit, the Information Systems Auditor has to obtain sufficient, reliable, relevant and useful information to achieve the audit objectives effectively. The audit findings and conclusions will require to be supported by appropriate analysis and interpretation of this information.

2.2 Reporting on corporate governance of the information systems will involve auditing at the highest level in the organisation and may cross divisional, functional or departmental boundaries. The management/designated authority in the organization will have to, therefore, ensure that the audit charter or the engagement letter for the IS auditor clearly states that the scope of IS audit includes the corporate governance of the information systems and technology, together with the reporting line to be used where corporate governance issues are identified.

2.3 Each organization is required to make available the following information on the corporate governance structure to the IS auditor :

a) Member(s) of staff with responsibility of the information systems.

b) Information, received by such member(s) of staff, to enable them to discharge their responsibilities.

c) Framework of control, adopted by the management of the organization, in policy setting. Policies, approved by the Board of Directors of the organization, to direct the use and protection of the information and the information systems.

2.4 Audit Objectives :

The objectives of an audit of the corporate governance of information systems may be affected by the intended audience’s needs, the level of dissemination intended and the national and industry regulations. The IS auditor will require to consider the following options, while establishing the overall objectives of the audit. The IS audit objectives for the audit of the corporate governance of the information systems will usually depend upon the framework of internal control exercised by the management.

(a) Reporting on the system of governance of the information systems

(b) Reporting on both the system of governance and its effectiveness

(c) Inclusion or exclusion of the financial information systems

(d) Inclusion or exclusion of the non-financial information systems

2.5 Scope of Audit :

The IS auditor will require to include in the scope of the audit the relevant processes for planning and organising the information systems activity and the processes for monitoring that activity. The scope of the audit will also include the internal control system(s) for the use and protection of the information and the Information Systems, as under :

a) Data

b) Application systems

c) Technology

d) Facilities

e) People

2.6 Performance of Audit Work :

The IS auditor should review the following :

a) Minutes of the meetings of the Board of Directors for audit information relating to the consideration of the matters concerning the information systems and their control and the supporting materials for any such items.

b) Minutes of the meetings of the Audit Committee reporting to the Board of Directors for audit information relating to the consideration of the matters concerning the information systems and their control and the supporting materials for any such items.

The IS auditor will require to consider whether the information obtained from the above reviews indicates coverage of the appropriate areas. The various issues / documents / statements / areas, among others, which the IS auditor will require to examine include as under :

a) IS mission statement and agreed goals and objectives for information systems activities.

b) Assessment of the risks associated with the organisation’s use of the information systems and approach to managing those risks.

c) IS strategy, plans to implement the strategy and monitoring of progress against those plans.

d) IS budgets and monitoring of variances.

e) High level policies for IS use and the protection and monitoring of compliance with these policies.

f) Major contract approval and monitoring of supplier’s performance.

g) Monitoring of performance against service level agreements.

h) Acquisition of major systems and decisions on implementation.

i) Impact of external influences on IS such as Internet, merger of suppliers or liquidation etc.

j) Control of self-assessment reports, internal and external audit reports, quality assurance reports or other reports on IS.

k) Business Continuity Planning, Testing thereof and Test results.

l) Compliance with legal and regulatory requirements.

m) Appointment, Performance Monitoring and Succession Planning for senior IS staff including internal IS audit Management and Business Process Owners.

2.7 Review of Policies and Compliance :

The IS auditor will require to consider whether the policies issued cover all of the appropriate areas for which board-level direction is necessary in order to provide reasonable assurance that the business objectives are met. Such board-level policies must be documented, and the documented policies shall, among others, include the following :

a) Security Policy

b) Human Resources Policy

c) Data Ownership Policy

d) End-user Computing Policy

e) Copyright Policy

f) Data Retention Policy

g) System Acquisition and Implementation Policy

h) Outsourcing Policy

2.8 The IS auditor will require to assess whether the policies issued are appropriate to the information system needs/requirements of the organisation. Further, the IS auditor will require to assess whether the policies are being adequately enforced, including the communication of the policies, existence and awareness of standards, procedures and methodologies to support the policies, allocation of the responsibility for enforcing the policies and the system, put in place by the organization, to monitor and report on the compliance with the policies.

2.9 Responsibilities of the Owner of the Business Process :

The IS auditor will require to review the responsibilities of the business process owners, as under and assess whether these are appropriate to support the policies set at the Board of Director’s level.

a) Assessment of whether the business process owners have the skills, experience and resources necessary to fulfill this role.

b) Review of the information received by the business process owners and to assess whether it is appropriate to enable them to discharge their responsibilities and to monitor compliance with the policies.

Information that may be considered appropriate includes as under:

i) Reports of attempted access to the systems supporting business processes and follow-up action taken.

ii) Reports of changes to user access rights, including new users and those whose access rights have been removed.

iii) Reports of the results of business continuity tests and follow-up action taken.

iv) Reports on the results of feasibility studies and tendering processes for systems acquisition.

v) Reports of the results of user acceptance testing of new systems or changes to the existing systems.

vi) Reports on performance against agreed service levels.

vii) Statistics on the availability, number of failures, number of system changes requested and implemented etc.

viii) Status of system changes in progress.

ix) Reports of changes to corporate data dictionary entries.

c) Assessment of the system which produces the above information and its reliability, integrity and potential for management override.

d) Where the organisation has internal audit resources, which is an important element of the corporate governance process, assessment whether the appropriate level of the involvement of the internal audit resources has been provided.
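As an added illustration, not part of the Working Group’s text, the following Python program produces two of the reports listed at (i) and (ii) above from constructed sample data, and also checks for conflicting rights held by one user, the segregation of conflicting duties referred to in 2.11. The users, rights, the key=value log format, the business hours and the failure threshold are assumptions made for the example, not a real product’s output.

```python
"""Added example (not part of the RBI text): two of the reports listed in 2.9(b),
built from constructed sample data. Names, log format and rights are assumptions."""
from collections import Counter
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed entitlement snapshots: user -> set of rights, taken at two review dates.
PREVIOUS_RIGHTS: Dict[str, Set[str]] = {
    "asha":  {"ledger:read"},
    "ravi":  {"ledger:read", "ledger:post"},
    "meena": {"ledger:read", "ledger:post", "ledger:approve"},
    "sysop": {"os:admin"},
}
CURRENT_RIGHTS: Dict[str, Set[str]] = {
    "asha":  {"ledger:read", "ledger:post"},      # right added
    "ravi":  {"ledger:read", "ledger:post"},      # unchanged
    "kiran": {"ledger:read"},                     # new user
    "sysop": {"os:admin", "ledger:approve"},      # administrator given a business right
}                                                 # meena no longer present

# Pairs of rights one person should not hold together (segregation of duties, cf. 2.11).
CONFLICTING_PAIRS: List[FrozenSet[str]] = [
    frozenset({"ledger:post", "ledger:approve"}),
    frozenset({"os:admin", "ledger:post"}),
    frozenset({"os:admin", "ledger:approve"}),
]


def access_change_report(before: Dict[str, Set[str]], after: Dict[str, Set[str]]):
    """Report item (ii): new users, removed users, and per-user rights added/removed."""
    new_users = sorted(set(after) - set(before))
    removed_users = sorted(set(before) - set(after))
    changed: Dict[str, Tuple[List[str], List[str]]] = {}
    for user in sorted(set(before) & set(after)):
        added = sorted(after[user] - before[user])
        removed = sorted(before[user] - after[user])
        if added or removed:
            changed[user] = (added, removed)
    return new_users, removed_users, changed


def sod_conflicts(rights: Dict[str, Set[str]], pairs=CONFLICTING_PAIRS) -> List[str]:
    """Users holding both rights of any conflicting pair."""
    return sorted(user for user, held in rights.items() if any(pair <= held for pair in pairs))


# Constructed authentication log in a simple key=value format (an assumption for the example).
AUTH_LOG = """\
2001-10-19 09:01:02 host=core01 user=ravi result=FAIL reason=bad_password
2001-10-19 09:01:09 host=core01 user=ravi result=FAIL reason=bad_password
2001-10-19 09:01:15 host=core01 user=ravi result=OK
2001-10-19 09:02:30 host=core01 user=guest result=FAIL reason=unknown_user
2001-10-19 09:02:41 host=core01 user=guest result=FAIL reason=unknown_user
2001-10-19 09:02:52 host=core01 user=guest result=FAIL reason=unknown_user
2001-10-19 23:15:00 host=core01 user=sysop result=OK
"""


def parse_auth_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict: date, time and every key=value field."""
    date, time, *fields = line.split()
    record = {"date": date, "time": time}
    for item in fields:
        key, _, value = item.partition("=")
        record[key] = value
    return record


def attempted_access_report(log_text: str, threshold: int = 3,
                            business_hours=("08:00:00", "20:00:00")):
    """Report item (i): users with >= threshold failed attempts, and successful
    logins outside business hours (HH:MM:SS strings compare correctly as text)."""
    failures: Counter = Counter()
    after_hours: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_auth_line(line)
        if rec["result"] == "FAIL":
            failures[rec["user"]] += 1
        elif not (business_hours[0] <= rec["time"] < business_hours[1]):
            after_hours.append((rec["user"], f'{rec["date"]} {rec["time"]}'))
    flagged = {user: n for user, n in failures.items() if n >= threshold}
    return flagged, after_hours


if __name__ == "__main__":
    print("access changes:", access_change_report(PREVIOUS_RIGHTS, CURRENT_RIGHTS))
    print("SoD conflicts now:", sod_conflicts(CURRENT_RIGHTS))
    print("attempted access:", attempted_access_report(AUTH_LOG))
```

On the constructed data the change report shows kiran added, meena removed, and sysop newly holding ledger:approve, which the conflict check flags because an administrator who can also approve postings can bypass the maker-checker control; the access report flags the three failed attempts for an unknown user and the after-hours login by sysop, both of which the business process owner should see and follow up.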

2.10 Consideration of External Factors :

Corporate governance of the information systems involves directing as well as controlling. The industry in which the organisation operates, trends in the IS industry and social and political changes may influence the benefits which the organisation can obtain from the use of the information systems. The IS auditor will require to verify that the organization has put in place procedures to monitor the external factors which are relevant to the organization. The IS auditor will also require to verify whether the material issues current at the time of the audit, whose potential effects every computerised organisation needs to assess well in advance, are under active consideration at the appropriate level. The organisation has to plan appropriate actions to avoid the potential material adverse effects of such issues. In case such issues are not being actively considered at the appropriate level in the organisation, the IS auditor will require to promptly report this matter to the designated authority/ies in the organisation.

2.11 IS Specialist Staff :

The IS auditor will require to consider the position or functions of the IS specialist staff in the organisation and assess whether this is appropriate to enable the organisation to make the best use of IS to achieve its business objectives. The control of the information systems, even in decentralised and end-user run environments, should include segregation of conflicting duties. The IS auditor will require to assess whether the management of the IS specialists and the non-specialists with IS responsibilities is adequate to address the risks to the organisation from the errors, omissions, irregularities or illegal acts.

2.12 Reporting :

The IS auditor will require to address reports on the corporate governance of the information systems to the Audit Committee/Board of Directors or any other designated authority in the organisation. In case of detection/identification of failures in corporate governance, the same will require to be urgently reported to the designated authority in the organisation. The IS audit report on corporate governance of information systems should, among others, include the following :

a) A statement that the Board of Directors is responsible for the organisation’s Information Systems and formulation and implementation of the system of internal controls.

b) A statement that a system of internal controls can only provide reasonable and not absolute assurance against material misstatement or loss.

c) A description of the key procedures, which the Board of Directors has approved/established, to provide effective internal control and the related supporting documentation presented to the Board of Directors.

d) Information on any non-compliance with the national or industry codes of practice for corporate governance.

e) Information on any major uncontrolled risks.

f) Information on any ineffective or inefficient control structures or control measures, together with the IS auditor’s recommendations for improvement.

g) The IS auditor’s overall conclusion on the corporate governance of the information systems, as defined in the scope of audit.

2.13 Follow-up Activities :

The weaknesses, if any, in the system of corporate governance of information and information systems can cause wide ranging and high risk effects in the organisation. The IS auditor will require to, therefore, where appropriate, carry out sufficient, timely follow-up work to verify that the management action is taken promptly to address such weaknesses.

CHAPTER 3

Objectives of Information Systems Audit

3.1 The objectives of IS audit are to identify the risks that an organisation is exposed to in the computerized environment. IS audit evaluates the adequacy of the security controls and informs the Management with suitable conclusions and recommendations. IS audit is an independent subset of the normal audit exercise in an organisation. The overall objectives of the normal audit exercise do not change, when applied to the computerized environment. The major objectives of IS audit include, among others, the following:

a) Safeguarding of Information System Assets/Resources

b) Maintenance of Data Integrity

c) Maintenance of System Effectiveness

d) Ensuring System Efficiency

3.1.1 Safeguarding of Information System Assets/Resources :

The Information System Assets of the organisation must be protected by a system of internal controls. It includes protection of hardware, software, facilities, people (knowledge), data files, system documentation and supplies. This is because hardware can be damaged maliciously, software and data files can be stolen, deleted or altered and supplies of negotiable forms can be used for unauthorized purposes. Safeguarding of the Information System Assets is a very important function of each organisation.

The term IT infrastructure is a generic one used to describe the physical computer installations, the system software and the Information Systems process that support them. The IS auditor will require to review the physical security over the facilities, the security over the systems software and the adequacy of the internal controls. The IT facilities must be protected against all hazards. The hazards can be accidental hazards or intentional hazards.

Accidental hazards include fire, flood, power failure etc. Fire starts accidentally or is the result of a deliberate attack. All the computer installations should take adequate precautions to ensure that fire can be prevented, detected and extinguished. Flooding can cause extensive damage to the computer systems. The power supply for the computer installation is a vital service need and the uninterrupted availability thereof has to be ensured to facilitate continuity in processing.

3.1.2 Maintenance of Data Integrity :

Data Integrity includes the safeguarding of the information against unauthorised addition, deletion, modification or alteration. This includes items such as accounting records, backup, documentation etc. Information Systems are used to capture, store, process, retrieve and transmit the data in a secure and efficient manner. The emphasis is on the accuracy of the data and its transmission in a secured manner. Data Integrity also implies that during the various phases of electronic processing, various features of the data viz. Accuracy, Confidentiality, Completeness, Up-to-date status, Reliability, Availability, Timeliness and Effectiveness are not compromised. In other words, data should remain accurate during electronic processing. The desired features of the data are described hereunder:

a) Accuracy : Data should be accurate. Inaccurate data may lead to wrong decisions and thereby, hindering the business development process.

b) Confidentiality: Information should not lose its confidentiality. It should be protected from being read or copied by anyone who is not authorized to do so. This also includes protecting individual pieces of information that may seem harmless to the owner but can be used to infer other confidential information.

c) Completeness: Data should be complete. Incomplete data loses its significance and importance.

d) Up-to-date Status : Data should be updated regularly. If the information is not up-to-date, it presents a false picture of the organization.

e) Reliability: Data should be reliable because all business decisions are taken on the basis of the current database.

f) Availability: Data should be available when an authorized user needs it. It should be ensured that the information services are unavailable to the unauthorised users.

g) Timeliness: Timeliness of the data is very important because if data is not available when required, the very purpose of maintaining the database gets defeated.

h) Effectiveness: Information should be effective, so that it helps in the process of business development and expansion.

If data integrity is not maintained, an organization loses its true representation. Poor data integrity could lead to loss of competitive advantage. Corruption of data would affect many users in a networked environment. If the data is valuable to a competitor, its loss may undermine an organization’s competitive position.

3.1.3 Maintenance of System Effectiveness :

An effective Information System significantly contributes to the achievement of the goals of an organization. Therefore, one of the objectives of IS audit is to verify system effectiveness. It provides input to decide when, what and how the system should be improved, so that its utility to the management is maximum.

The main objective of introducing computerization in the organisations in the banking and financial sector is to achieve their goals effectively and efficiently. The IS auditor’s responsibility is to examine how the Information Systems assist in the achievement of each organisation’s goals. System Effectiveness is the ratio of the actual output to the standard (budgeted) output. If the ratio is 100% or more, effectiveness is achieved; otherwise, it shall be deemed that ineffectiveness has been introduced in the business process. Major goals and criteria of computerization are:

a) Improved Task Accomplishments: The Information Systems should improve the task accomplishment capacity of its users by enabling them to become more productive.

b) Improved Quality: It should improve overall quality of work and services by increased accuracy of information. It should also reduce the time required for retrieval of information.

c) Operational Effectiveness: The Information System should be operationally effective and easy to use. It should be frequently used and users must be satisfied with its performance.

d) Technical Effectiveness: The Information System should be equipped and upgraded by appropriate hardware and software from time to time.

e) Economic Effectiveness: The Information System should be fully utilized. Benefits derived should exceed the cost of procurement, implementation, operation and maintenance.

3.1.4 Ensuring System Efficiency :

The resources used by the Information Systems such as the machines, computer peripherals, software etc. are scarce and costly. Efficient Information Systems use minimum resources to achieve the desired objectives. When the computer no longer has excess capacity, system efficiency becomes important. It then becomes necessary to know whether the available capacity has been exhausted or whether the existing allocation of the computer resources is causing the bottlenecks.

The ratio of the output to the input is known as efficiency. If the output is more with the same or less actual input, system efficiency is achieved; or else, the system is inefficient. If computerization results in the degradation of efficiency, the effort of making the process automated stands defeated. Hence, the assessment of the capabilities of the hardware and software against the workload of the environment is very essential. The IS auditors are responsible for examining how efficient the application software is in relation to the users and the workload of the environment. The system should assist in management planning and the efficient execution thereof. The organisation should get maximum output using minimum resources. In this context, the efficient use of the hardware resources and their upgradation, as per requirements, is very essential. Automation should deliver the planned results with less consumption of computer hardware, software, computerized operations and computer personnel.

3.1.5 Other Objectives :

The following could be, among others, considered the other objectives of IS audit :

a) Identify the risks that the organisation is exposed to in the existing computerized environment and to prioritize such risks for remedial action.

b) The implementation of Information Technology in the organisation is as per the parameters laid down in the Security Policy, as approved by the Board of Directors of the organisation.

c) Verify whether the Information System procedures and policies have been devised for the entire organisation and that the organisation’s systems, procedures and practices are adhered to and that due prudence is exercised at all times in accordance with the circulars and instructions for a computerized environment, issued by the management of the organisation.

d) Verify whether proper security policies/procedures have been formulated and implemented regarding the duties of the system administrators, system maintainers and persons operating the system for daily operations.

e) Contribute effectively towards the minimization of computer abuses/ crimes by suggesting steps for removing any laxity observed in the physical and logical controls.

f) Suggest improvements in the security controls for the Information Systems.

g) Act as an advisor to the management of the organisation for improving security and IT implementation standards.

h) Adhere to the established norms of ethics and professional standards to ensure quality and consistency of audit work.

3.2 Scope of IS Audit:

The IS audit should cover all the computerized departments/offices of the organisation. The scope of IS audit should include the collection and evaluation of evidence/information to determine whether the Information Systems in use safeguard the assets, maintain data security, integrity and availability, achieve the organizational goals effectively and utilize the resources efficiently. The scope of IS audit should also include the processes for the planning and organization of the Information Systems activity, the processes for the monitoring of such activity and the examination of the adequacy of the organization and management of the IS specialist staff and the non-specialists with IS responsibilities to address the exposures of the organisation.

CHAPTER 4

Information Systems Audit Approaches

There are three approaches for conducting Information Systems Audit viz. auditing around the computer, auditing through the computer and auditing with the computer.

4.1 Auditing around the Computer:

Under this approach, the emphasis is on checking the correctness of the output data/documents with reference to the input of a process, without going into the details of the processing involved. This approach is preferred where the auditors themselves do not have the level of technical skill needed for the other approaches. The focus is on the procedural controls rather than the computer controls. This approach can be used in the following circumstances :

When an application system is simple, its logic is straightforward and a clear audit trail exists, this approach can be adopted. The process generates audit trails such as exception reports along with the main reports. Such systems have very low inherent risk, i.e. they are unlikely to be susceptible to material errors or irregularities or to be associated with significant ineffectiveness or inefficiency in operations. Input transactions in such systems are entered in batch mode and control is maintained using traditional methods such as the separation of duties and management supervision. Further, the task environment of such systems is relatively constant and the system itself is rarely modified.

This approach may be used when an application system uses a generalized package that is well tested and used by many users as its software platform. If the package has been provided by a reputed vendor, has received wide-spread use and appears error free, the auditors may decide to adopt this approach. Auditors should ensure that the organization has not modified the package and adequate controls exist over the source code and documentation to prevent unauthorized modification of the package.

When high reliance is placed on the users rather than the computer controls to safeguard the assets, maintain data integrity and attain effectiveness and efficiency objectives, this approach can be adopted.

Auditing around the computer is a simple approach. It does not provide any information about the system’s ability to cope with changes, although systems can be designed and programs written in ways that inhibit their degradation when user requirements change. Further, this method cannot be used for complex systems: if it were, the auditors might fail to understand some aspects of a system that could have a significant effect on the audit approach.

4.2 Auditing through the Computer :

Auditing through the computer requires a fair knowledge of the operating system and hardware in use and some technical expertise in systems development. Under this approach, the computer programs and the data constitute the target of IS audit. Compliance and substantive tests are performed on the computer system, its software (both the operating system and the application system) and the data. IS auditors can test the application system effectively using this approach. The IS auditors can use the computer to test the logic and controls existing within the system and also the records produced by the system. This approach increases the IS auditor’s confidence in the reliability and applicability of the evidence/information collected and evaluated. It is time consuming, as it needs an understanding of the internal working of the application system.

4.3 Auditing with the Computer :

Under this approach, the computer system and its programs are used as tools in the audit process. The objective is to perform substantive tests using the computer and its programs. The data from the auditee’s computer system are retrieved to an independent environment. Audit interrogation and query is carried out on such data, using special programs designed for the purpose. This method is used where :

a) Application system consists of a large volume of inputs, producing large volume of outputs and where the direct examination of the inputs/outputs is difficult.

b) Logic of the system is complex.

c) There are substantial gaps in the visible trails.

4.3.1 Computers are quite useful in the testing of transactions. Some of the software tools used for this purpose are briefly described hereunder :

4.3.1.1 Computer Assisted Audit Tools (CAATs) are efficient and effective ways to audit system-generated files, records and documents and to evaluate internal controls of an accounting system in many Information Systems. Computer Assisted Audit Tools are a practical means for conducting audit, wherever the information is available on the magnetic media alone. The technical papers relating to the use of the CAATs should be kept separate from the other audit working papers. The IS audit documentation should contain the description of the CAAT application.

4.3.1.2 Audit Software: It is a program, used by the auditors, to process data of audit significance from the auditee’s accounting system. There are three types of such programs as under :

a) Package programs are designed to perform processing functions, creating data files and reports in a format specified by the auditor.

b) Special Purpose Programs are used to perform the audit tasks in specific circumstances and are prepared by the auditors or an outside programmer, engaged by the auditor.

c) Utility Programs are used to perform common data processing functions such as sorting, creating and printing files.

4.3.1.3 Test Data Techniques: A sample of data transactions is entered into the auditee’s computer system and the results are compared with the predetermined results. CAATs are used to test the details of the sample transactions and the balances of the accounts, to identify unusual fluctuations, if any, and to test general EDP controls such as access to the program libraries.

4.3.1.4 General Audit Software: It is the most widely used technique in conducting IS audit. Its use is limited by the skills of the personnel conducting the audit. Audit Command Language (ACL) is one such software. It is a tool for data analysis. It has the capabilities for Compliance and Substantive testing.

ACL is used to access, analyze, summarize or report data. Advantages of the ACL are as under:

a) It creates flexible reports and documents.

b) Auditors are independent of the technical experts for the data, access and process.

c) It increases audit coverage.

d) It saves time, money and effort.

e) It helps gain control over and confidence in the audit results.

f) General Audit Software is not useful at application level.

Any Computer Assisted Audit Tool (CAAT) is as good as a data mining tool, which is used for extracting data from a data warehouse for MIS / Audit purposes. The following are a few of the generalized audit software packages, in addition to ACL (ACL Services) :

a) Audex 100 (Arthur Andersen)

b) Pan Audit (Pansophic Systems)

c) Audit Aid (Seymour Schneidman & Co)

d) EDP Auditor (Cullinane Corporation)

e) Probe (Citibank)

CHAPTER 5

Information Systems Audit Methodology

5.1 Audit Methodology :

The IS audit work includes manual procedures, computer assisted procedures and fully automated procedures, depending on whether the audit is around, through, with the computer or a combination of all these types of audit. In many cases, a combination of these techniques is required. The IS auditors may utilize the manual procedures when they are more effective than the other alternatives or when these procedures cannot be partially or fully automated. They should also use computer assisted procedures, known as Computer Assisted Audit Tools (CAATs), because they permit the IS auditors to switch from procedures based on limited, random and statistical samples of records in a file to a procedure that includes every record in the file.

5.2 Audit activity is broadly divided into 5 major steps for the convenience and effective conduct of audit.

a) Planning IS Audit

b) Tests of Controls

c) Tests of Transactions

d) Tests of Balances

e) Completion of Audit

a) Planning IS audit:

Planning is the first step of the IS audit. IS auditors should plan the audit work in a manner appropriate for meeting the audit objectives. As a part of the planning process, IS auditors should obtain an understanding of the auditee department/ office/organisation and its processes. It includes understanding of the objectives to be accomplished in the audit, collecting background information, assigning appropriate staff keeping in mind skills, aptitude etc. and identifying the areas of risk. Risk analysis of the operational systems is carried out to identify the systems having the highest risks, considering the critical nature of the information processed through each system as well as the number and the value of the transactions processed, and to decide on the extent of the detailed analysis and testing to be conducted on those systems.

In this phase, IS auditors are required to understand the internal controls used within an organization. Various techniques can be used to understand the internal controls viz. review of previous audit reports/papers, interview/interaction with the management and Information Systems personnel, observation of activities carried out within the Information Systems function and review of Information Systems documentation.

b) Tests of Controls:

During this phase of IS audit, Internal Controls are tested to evaluate whether they operate effectively. This includes testing of management controls and application controls. The objective is to evaluate the reliability of the controls and find out weaknesses of the controls for meeting the IS audit objectives. The IS auditor is required to make recommendations to rectify the weaknesses observed during the course of an IS audit.

While carrying out tests of controls, the IS auditors should satisfy themselves regarding the following aspects of controls.

Identification: The organization should identify the controls needed to minimize the occurrence of unlawful events.

Implementation: Identified controls should be implemented.

Existence: Sometimes it happens that controls have been implemented, but in reality they do not exist due to various reasons. For example, the organization may have stipulated that the users should change their passwords every week. But, in reality this may not be happening. Physical existence of the controls is equally important.

Adequacy: IS auditors should examine the adequacy of the controls. They should see that the controls are adequate to cover all possible threats.

Documentation: All controls should be documented to make them effective.

Maintenance: Controls should be maintained intact on a continuous basis. For example, only the provision and installation of the fire extinguishers, smoke detectors, UPS etc. do not solve the problem. These instruments should be properly maintained, so that they serve the purpose, as and when needed.

Monitoring: Controls should be monitored by means of strict supervision, surprise checks, periodic inspection etc.

c) Tests of Transactions:

Tests of Transactions are used to evaluate whether erroneous transactions have led to a material misstatement of the financial information and whether the transactions have been handled effectively and efficiently. The objective is to evaluate data integrity. Some of such tests include the tracing of journal entries to their source documents, the examination of the price files, the testing of computational accuracy, the study of the transaction log etc. These tests are used to indicate the database system’s effectiveness. CAATs are quite useful to perform these tests.

d) Tests of Balances:

During this phase of IS audit, final judgement is made on the extent of the losses or account misstatement that occur when Information Systems fail to safeguard assets, maintain data integrity and achieve system effectiveness and efficiency goals. As regards the safeguarding of assets and data integrity objectives, the typical substantive tests used are confirmation of the receivables, physical verification of inventory and recalculation of depreciation on the fixed assets. Regarding the system effectiveness and system efficiency objectives, the tests to be conducted are in the process of evolution. For example, the shortcomings in the Information Systems Planning may have resulted in the purchase of inappropriate hardware. The system may provide outputs, but not of the required standards to make high quality decisions. During this phase of the IS audit, computer support is often required. General Audit Software can be used to select and print confirmations; expert systems can be used to estimate the likely bad debts and so on.

e) Completion of Audit:

This is the final stage of IS audit. Auditors are required to form their opinion, clearly indicating their findings, analysis and recommendations. Potential IS audit findings should be discussed with the appropriate/authorised personnel throughout the course of IS auditing. Preliminary conclusions and the audit findings should be presented to the auditee during an exit conference. All potential findings with sufficient merits and preliminary IS audit recommendations should be included for discussion in the exit conference. The exit meeting should document and include the auditee’s comments and questions concerning the preliminary IS audit recommendations. The draft audit report should be the natural extension of the exit conference materials along with the discussions that took place during the exit meeting. Once the auditee’s responses have been received, the final audit report should be prepared and submitted to the designated authority/ management of the organisation.

Work papers used in the auditing should be well organized, clearly written and address all the areas included in IS audit. IS audit work papers should contain sufficient evidence/information of the tasks performed and the conclusions reached, including the results achieved, issues identified and authorized signatures approving the final opinion.

A typical audit report will include, among others, an introduction to the audit objectives, scope, general approach employed, summary of the critical findings, the data to support the critical findings, potential consequences of the weaknesses, auditee’s responses and recommendations to rectify the weaknesses.

5.3 Sub-system Factoring :

IS audit is generally an exercise dealing with the complex Information Systems. In order to understand the complex system, it is always advisable to break the system into sub-systems. A sub-system is a component of a system that performs some basic functions needed by the overall system to attain its basic objectives. The process of breaking a system into sub-systems is called factoring. The process of factoring terminates when it is felt that the system has been broken into sub-systems, small enough to be understood and evaluated. Thus, a complicated system is divided into small sub-systems until it becomes easily understandable.

Once the system has been factored into several easily understandable subsystems, the task of the IS auditors is :

a) To evaluate the effectiveness of the controls in each sub-system.

b) To determine the implications of each sub-system’s reliability vis-à-vis the overall reliability/effectiveness of the system.

5.4 There are two main sets of systems, which require to be further factored into sub-systems for conducting IS audit.

5.4.1 Management Systems :

Management Systems provide stable and basic infrastructure facility on which the Information Systems can be built and operated on a day-to-day basis. Management Systems can be factored into sub-systems that perform Top-level Management, Information Systems Management, Systems Development Management, Programming Management, Data Administration, Quality Assurance Management, Security Administration and Operations Management.

Top-level Management is responsible for long-term policy decisions on the use of the Information Systems in the organisation.

Information Systems Management is responsible for planning and controlling the Information Systems activities in the organisation. It provides assistance to the top management for making long-term policies and translates the long-term policies into short-term goals and objectives.

Systems Development Management designs, implements and maintains the application systems.

Programming Management prepares programs for new systems, maintains old systems and provides general systems support software.

Data Administration addresses the planning and control issues in relation to the use of the database.

Quality Assurance Management ensures that the Information Systems development, implementation, operations and maintenance conform to the established quality standards.

Security Administration is responsible for access control and physical security over the Information Systems.

Operations Management plans and controls the day-to-day operations of the Information Systems.

5.4.2 Application Systems:

Application Systems undertake basic transaction processing, management reporting and decision support. They can be broken into sub-systems that perform boundary, input, communication, processing, database and output functions.

Boundary sub-system consists of the components that establish interface between the user and the system.

Input sub-system comprises the components that capture, prepare and enter commands and data into the system.

Communications sub-system consists of the components that transmit data among the sub-systems and systems.

Processing sub-system includes the components that perform decision making, computation, classification, ordering and summarization of the data in the system.

Database Sub-system comprises the components that define, add, access, modify and delete data in the system.

Output Sub-system consists of the components that retrieve and present data to the users of the system.

5.5 Broad Framework for Conducting IS Audit :

A broad framework can be formed from the basic objectives of IS audit. In addition to this, IS audit evaluates the organizational set up and quality of administration. It should be noted that IS audit is not limited by laid down procedures. It is also important to keep one’s eyes and ears open. The IS auditors should, therefore, analyze what they observe and hear. The main issues involved in IS audit are the confidentiality of programs and files, access rights to files and a focus on software application packages. The major concerns of the IS audit, as derived from its objectives, are as under:

A. Safeguarding Assets :

One of the prime objectives of any audit is to ensure that the assets of the organisation are safeguarded. In the computerized environment, the assets to be safeguarded are hardware, software, data and users. The yardstick to measure the importance of this objective is the expected loss that may be sustained by the organisation if the asset is destroyed, stolen, lying unutilized, service denied or used for unauthorized purposes. The IS auditors should verify that the assets are put to effective use in a secured environment. In order to determine whether the assets of the organisation are duly safeguarded, the IS auditors should inspect, among others, the following areas :

Environmental Security: It is very important for the effectiveness of all other protective measures stipulated or installed at the sites. The server room houses the all-important hardware. Its location should be a strategic one and not easily accessible. The server room should be exclusively for the server itself and the other items, equipment etc. should not be kept there.

Uninterrupted Power Supply : The uninterrupted power systems are meant for supplying conditioned and stabilized power to computer equipment at all times. They also provide stabilized power from battery storage when the electricity fails. It is very important that the UPS functions properly when the electricity fails. The UPS should be maintained regularly.

Electrical Lines: Electrical cabling and wiring constitute the basic components. Faulty electrical cabling and wiring are responsible for operational failures. There should be a separate and proper earthing for the dedicated electrical line.

Data Cabling: Information Technology experts estimate that 90 percent of the network problems are cable related. Hence, all possibilities of routing cables, locations of cable closets, sites of Switch, Router installation etc. should be explored before finalizing the plan. A detailed map of the cable layout including Switches, Routers is very important to guide the hardware service engineer in the event of a LAN cable fault. Further, electrical cable and data cable should not cross each other, to avoid possible disturbance during data transfer.

Fire Protection: A fire alarm system, smoke detectors and fire extinguishers are very important to deal with the event of a fire breaking out. Fire extinguishers are commonly filled with water, carbon dioxide or Halon. Some care is required while operating gas based extinguishers because they displace oxygen and thereby extinguish the fire. Water is effective, but it is dangerous to use in proximity to live equipment. Dry powder or foam type extinguishers are not advisable because they leave deposits on the equipment.

Insurance: All critical computer equipments are required to be insured with reputed insurance firm/s to secure the Information System resources/assets of the organisation.

Annual Maintenance Contract: Periodic maintenance of the computers, network etc. is essential to ensure trouble free operation of the equipment. For this purpose, it is required that the annual maintenance contract is awarded and renewed in time. At the same time, it is also essential that the maintenance staff is available in time. There should be a proper record of the activities carried out during maintenance.

Logical Security: It restricts access to the system if the user fails to identify himself/herself to the system correctly. Login name/user ID and password are the controls for this security. It is exercised at the operating system level and at the application system level. Logical security at the operating system level controls access to the computer system once it has been powered on and its boot operation is completed. Logical security at the application system level gives access rights to specific application software depending on the responsibility and authority of the user. IS auditors should verify the effectiveness of the logical security in place by evaluating its controls. Secrecy and security of the user ID and password, different levels of access rights and their allocation to the users, creation of users and their records, users created for maintenance purposes and their termination on completion of the work, user login status reports, presence of dummy user IDs in the system etc. are some of the points which require the consideration of the IS auditors.
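The points listed above can be applied to a user-ID listing mechanically. The following is an added example, not part of this document: it reviews constructed account records for the points named here and for the ‘Existence’ test under Tests of Controls (a stipulated weekly password change that is not actually happening). The record fields, issue codes and sample data are assumptions, not the layout of any particular banking application.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed record layout (an assumption for this example; real application
# systems export user listings in their own formats).
@dataclass
class UserRecord:
    user_id: str
    owner: str                 # named staff member; empty string means nobody is assigned
    access_level: str          # e.g. "operator", "supervisor", "admin"
    purpose: str               # "staff" or "maintenance"
    password_changed: date     # date of the last password change
    active: bool
    work_completed: Optional[date] = None   # maintenance IDs: when the engagement ended

# The document's illustration of a stipulated control: passwords changed every week.
MAX_PASSWORD_AGE_DAYS = 7

# Date as of which the constructed listing is reviewed.
REVIEW_DATE = date(2001, 10, 15)

Finding = Tuple[str, str]   # (user_id, issue code)


def review_users(users: List[UserRecord], as_of: date) -> List[Finding]:
    """Return one finding per control deviation among the active user IDs."""
    findings: List[Finding] = []
    for u in users:
        if not u.active:
            continue                       # terminated IDs need no further review here
        if not u.owner:
            # An active ID with no named owner is the "dummy user ID" the text warns about.
            findings.append((u.user_id, "DUMMY_ID"))
        age_days = (as_of - u.password_changed).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            # The control is stipulated but not in effect: the "existence" test fails.
            findings.append((u.user_id, "STALE_PASSWORD"))
        if (u.purpose == "maintenance" and u.work_completed is not None
                and u.work_completed <= as_of):
            # A user created for maintenance must be terminated once the work is over.
            findings.append((u.user_id, "MAINTENANCE_ID_NOT_TERMINATED"))
    return findings


def access_level_summary(users: List[UserRecord]) -> Dict[str, int]:
    """Count active IDs per access level, to review how rights are allocated."""
    summary: Dict[str, int] = {}
    for u in users:
        if u.active:
            summary[u.access_level] = summary.get(u.access_level, 0) + 1
    return summary


def sample_users() -> List[UserRecord]:
    """Constructed sample listing (not real data)."""
    return [
        UserRecord("op01", "A. Kumar", "operator", "staff", date(2001, 10, 12), True),
        UserRecord("sup02", "R. Iyer", "supervisor", "staff", date(2001, 9, 20), True),
        UserRecord("maint01", "vendor engineer", "admin", "maintenance",
                   date(2001, 10, 10), True, work_completed=date(2001, 10, 11)),
        UserRecord("test1", "", "operator", "staff", date(2001, 10, 14), True),
        UserRecord("old03", "S. Das", "operator", "staff", date(2001, 1, 1), False),
    ]


if __name__ == "__main__":
    for user_id, issue in review_users(sample_users(), REVIEW_DATE):
        print(f"{user_id:10s} {issue}")
    print(access_level_summary(sample_users()))
```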

B. Data Integrity : Data is the most important resource in a computerized environment, and it needs to be accurate, complete, consistent, up-to-date and authentic. The IS auditors are concerned with the possibility of deviation from the standards. They are required to verify how well data integrity is maintained and find out any laxity therein.

The examination of the following points is very important in respect of data integrity:

Data Input Controls: The largest number of controls is available at the time of data entry into the system. Data input is error prone because the activities involved in data entry are of a routine and monotonous nature. Data entry is also a major area for intentional fraudulent activity, involving the addition, deletion, modification or alteration of the input transactions or data. Hence, the IS auditors should minutely evaluate the effectiveness of the data input controls. The use of scanners and inputs to the system through floppies should be monitored and controlled.

Data Processing Controls: The application system processes the data on-line on a day-to-day basis. The IS auditors are concerned about the Data Processing Controls. They should examine that only designated/authorized officers perform the start-of-day operations. The day end process should be completed with the generation of the prescribed reports. It is also required that a proper record is maintained, under authentication, in respect of the corrections made in the database.

Patch Program: It uses the file structure of the existing database files and is capable of effecting changes in a data file. It bypasses the proper menu access controls provided by the application software system and does not leave any audit trail. It can add, modify, alter and delete the data. The behavior of the approved programs is known and certified, but it is uncertain in the case of such patch programs. They usually bypass all the safeguards available to the system programs. They conveniently flout all norms to achieve results at any cost. Therefore, the IS auditors should verify that only approved programs are loaded in the system and that the application programs are exactly identical with the list of the approved programs in respect of file name, file size, and date and time of compilation. It is also necessary that a record be maintained regarding the patch programs used, indicating the reasons, under authentication.
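The verification described above, of the programs loaded in the system against the approved list, lends itself to a scripted comparison. The following is an added example, not from this document or from any vendor’s tool: it records file name, file size and date/time for each program, extends the approved list with a SHA-256 digest of the contents (an addition beyond the text, since size and timestamp alone do not establish that a file is unchanged), and reports each deviation. The directory, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime
from typing import Dict, List, Tuple

# (file size in bytes, file date/time as recorded, SHA-256 of the contents).
# Name, size and compile date/time are the attributes the document names; the
# digest is added so that a change to the contents is detected even if size and
# timestamp happen to match.
ProgramRecord = Tuple[int, str, str]


def describe_program(path: str) -> ProgramRecord:
    """Record the attributes of one program file as found on the system."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    stamp = datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds")
    return (st.st_size, stamp, digest)


def build_inventory(program_dir: str) -> Dict[str, ProgramRecord]:
    """Describe every file in the program directory, keyed by file name."""
    inventory: Dict[str, ProgramRecord] = {}
    for name in sorted(os.listdir(program_dir)):
        path = os.path.join(program_dir, name)
        if os.path.isfile(path):
            inventory[name] = describe_program(path)
    return inventory


def compare_with_approved(approved: Dict[str, ProgramRecord],
                          observed: Dict[str, ProgramRecord]) -> Dict[str, List[str]]:
    """Report every program whose record differs from the approved list."""
    deviations: Dict[str, List[str]] = {}
    for name in sorted(set(approved) | set(observed)):
        if name not in observed:
            deviations[name] = ["MISSING"]              # approved program no longer loaded
        elif name not in approved:
            deviations[name] = ["UNAPPROVED_PROGRAM"]   # e.g. a patch program left behind
        else:
            labels = ("SIZE", "COMPILE_TIME", "CONTENT")
            reasons = [label for label, a, o in zip(labels, approved[name], observed[name])
                       if a != o]
            if reasons:
                deviations[name] = reasons
    return deviations


def _write(path: str, body: bytes, when: float) -> None:
    """Write a constructed program file and pin its timestamp so the demo is repeatable."""
    with open(path, "wb") as fh:
        fh.write(body)
    os.utime(path, (when, when))


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two programs are certified; later a patch program
    appears and one approved program has been altered."""
    approved_time = datetime(2001, 10, 1, 9, 0).timestamp()
    later = approved_time + 86400
    with tempfile.TemporaryDirectory() as d:
        _write(os.path.join(d, "ledger.exe"), b"approved ledger build 1.4", approved_time)
        _write(os.path.join(d, "eod.exe"), b"approved end-of-day build 2.0", approved_time)
        approved = build_inventory(d)      # the certified list, recorded at approval time
        _write(os.path.join(d, "patch.exe"), b"constructed patch program", later)
        _write(os.path.join(d, "ledger.exe"),
               b"approved ledger build 1.4 plus an unauthorised change", later)
        observed = build_inventory(d)      # what the IS auditor finds on the system
        return compare_with_approved(approved, observed)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:12s} {', '.join(reasons)}")
```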

Purging of Data Files : It is the pruning of the data files of an identified past period for which it is no longer necessary to store the data in the current system. Before undertaking the purging activity, it is necessary to take a backup of the full data directory. The purging of the static data or master particulars is never carried out. The IS auditors should examine that the purged data backup media are stacked in chronological order for easy tracing and are also in safe custody. A manual record of the purging activity should also be maintained. Access to the purged data should be restricted and controlled to ensure the integrity of the purged data.

Data Backup : Data backup is an essential aspect of all computer operations. Some commonly used computer media include hard disks, floppy disks, tape cartridges, CD-ROMs, DVD-ROMs etc. Off-site back-ups are taken on floppies or tape cartridges, while on-site back-up is taken on hard disks. Back-up is one of the measures of the business continuity planning and is also required for archiving of old records. It is necessary that the backups are taken regularly. One set of the backup needs to be stored off site. The backups have to be tested periodically by restoring the data therefrom. The backup media have to be verified periodically for readability. Backup media should be properly labeled and numbered. This is a very important area and requires proper attention.

Restoration of Data: It is defined as the downloading of data afresh from magnetic media, in case of a crash of the system or irrecoverable corruption or loss of data, for going back online. Backup is taken at a particular point of time, like beginning of day operations, end of day operations etc. Thus, restoration of data is dependent on the magnetic media and the data stored thereon. Restoration of the data is required in the event of major corruption of data. In the event of a virus attack or total destruction of a server or the computer site, the only option is to fall back upon the restoration option. Restoration of data helps to obtain the position of data as of a particular date, to establish whether any data tampering has taken place. It assists in conducting system audit as of a previous date and generates ledgers of previous years. Transactions of the purged period can also be retrieved.

C. Business Continuity Planning: Disruption of operations can occur because of two types of problems. First, some minor problems like power failure, UPS failure, server failure, inability to read/restore backups, cable fault etc. can disrupt the operations. Second type of disruption can occur on account of natural calamities like fire, flood, building collapse or man made calamities like bomb blast, radiation, virus attack, induced data loss etc. Business Continuity Plan is prepared to recover from such kind of interruptions. It relates to a higher level of failure. It is all about anticipating any disastrous event and planning adequately for the business to live through it. The IS auditors should verify the existence and operability of the Business Continuity Plan. They should also examine the awareness of the staff regarding the execution of the plan in a genuine emergency and comment upon its effectiveness. Business Continuity Plan should be documented and tested at regular intervals to assess its effectiveness.

BCP is required to satisfy short, medium and long-term recovery. In the short term, the essential systems and services are restored. Medium term plans are for recovering the organisation’s systems and services on a temporary basis. Long term plans are for total recovery of the processing environment.

There are three methods of recovery namely cold, warm and hot backup sites. A cold site is where a computer room is provided in which equipment can be installed when needed. A warm site is a computer room filled with all the required equipment, but onto which all the software and applications must be loaded when it is needed. A hot site is one where the original installation is duplicated and ready to use when disaster occurs.

BCP should outline the responsibilities for all the recovery processes, procedures for reproducing the computer media, location of the backup media, priorities for recovery, sources of replacement hardware and software and alternative data communication facilities.

Output Reports: One of the basic principles in the computerized environment is known as GIGO i.e. "Garbage in Garbage out". This means that, if the input to the system is garbage (or meaningless), the output will also be garbage. Reports and printouts are generated in the computerized environment to ensure the correctness of the inputs and processing. Reports are also important to ensure that the application system programs serve the needs of the organisation. Any lacunae or bugs in the application software can be located by checking the reports and printouts. The importance of checking the reports can never be overemphasized. The IS auditors should scrutinize output reports on a sample basis to identify the trend, the quality of follow up and the control exercised by the management. The audit trail report should record the user ID of the data entry operator and of the authorized official for any addition, change, modification and deletion of transactions effected in the database. It should provide the evidence/information of unauthorized access outside the application menu. The IS auditors should verify whether the audit trail reports are generated and checked by the designated officials. The exceptional transaction report is also a very important report.
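The scrutiny of the audit trail described above can be scripted once the report is available as data. The following is an added example, not part of this document: over a constructed audit trail it flags entries with no authorizing official, entries where the data entry operator and the authorizing official are the same user ID, and entries effected outside the application menu, and it lists deletions as exceptional transactions. The pipe-delimited layout, field names and sample lines are assumptions for the demonstration, not the report format of any particular application.

```python
from typing import Dict, List, Tuple

# Constructed audit trail layout (an assumption): one entry per line,
# timestamp|action|transaction|op=<data entry operator>|auth=<authorizing official>|via=<access path>
# where a normal access path is "menu:<menu option>" of the application.
SAMPLE_TRAIL = """\
2001-10-15 09:31:05|ADD|TXN1001|op=op01|auth=sup02|via=menu:CASH_DEPOSIT
2001-10-15 09:47:22|MODIFY|TXN1001|op=op01|auth=op01|via=menu:TXN_CORRECTION
2001-10-15 10:05:40|DELETE|TXN0998|op=op03|auth=|via=menu:TXN_REVERSAL
2001-10-15 11:00:00|ADD|TXN1005|op=op02|auth=sup02|via=menu:CASH_DEPOSIT
2001-10-15 18:12:09|MODIFY|TXN1003|op=dba01|auth=dba01|via=sql_console
"""

Finding = Tuple[str, str]   # (transaction, issue code)


def parse_trail(text: str) -> List[Dict[str, str]]:
    """Split the constructed trail into one dictionary per entry."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, action, txn, *fields = line.split("|")
        rec = {"when": when, "action": action, "txn": txn}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value          # an empty value (e.g. "auth=") stays an empty string
        records.append(rec)
    return records


def review_trail(records: List[Dict[str, str]]) -> List[Finding]:
    """Apply the audit trail checks the text calls for to every entry."""
    findings: List[Finding] = []
    for rec in records:
        operator = rec.get("op", "")
        authoriser = rec.get("auth", "")
        if not authoriser:
            # Every addition, change or deletion must carry an authorizing official.
            findings.append((rec["txn"], "MISSING_AUTHORISER"))
        elif authoriser == operator:
            # The same user ID entering and authorizing defeats the second check.
            findings.append((rec["txn"], "SAME_OPERATOR_AND_AUTHORISER"))
        if not rec.get("via", "").startswith("menu:"):
            # Access outside the application menu is exactly what the trail must expose.
            findings.append((rec["txn"], "OUTSIDE_APPLICATION_MENU"))
    return findings


def exceptional_transactions(records: List[Dict[str, str]],
                             actions: Tuple[str, ...] = ("DELETE",)) -> List[str]:
    """Transactions to carry into the exceptional transaction report."""
    return [rec["txn"] for rec in records if rec["action"] in actions]


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    for txn, issue in review_trail(trail):
        print(f"{txn:8s} {issue}")
    print("exceptional:", exceptional_transactions(trail))
```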

Version Control: Data integrity is very much dependent on the version of the software running in the system. Only the authorized version of the software can be relied upon for accurate processing. Non-standard programs are a potential threat to integrity. A complete listing of the programs loaded in the system should be available on record for verification. The IS auditors should verify that licensed copies of the operating system and the application system software are used for computerized operations.

Virus Protection: A computer virus is a program that is self-replicating and can corrupt or destroy data irretrievably. It resembles biological viruses in behavior. It may have a dormancy period and get activated on a certain date. It is potentially disastrous. Anti-virus software is available and is capable of countering known viruses and malicious programs. Anti-virus software is updated by the manufacturers on a regular basis to counter the new viruses coming up. It is necessary to keep the anti-virus software updated at all times. All extraneous floppies and other media should be checked/scanned for viruses before use.

D. System Effectiveness :

It is expected that the Information System should improve the overall quality of work, including accuracy and the time consumed in performing the tasks. Further, it should be user friendly. The IS auditors should judge how effective the system is in accomplishing the goals with which computerization was introduced.

E. System Efficiency :

The IS auditors should examine whether every computer asset is used to its maximum operational capacity.

F. Organization and Administration :

Efficiency in computerized operations is dependent on the efficiency of the personnel using the computer resources. Computer personnel should do their work completely, timely, accurately and that too, with minimum resources. They should deliver more output quantitatively and qualitatively. Proper placement of the computer personnel on the basis of their aptitude, skill, knowledge and experience is very important. Computer personnel should be used effectively and efficiently with proper security for the organisation to reap maximum advantages.

Segregation of duties, job description for each level, proper training to the staff, dual control aspect in performing important operations, designated system administrator with suitable back-up arrangement etc., are important points to be considered. Records of work assigned to the staff, rotation, training imparted, login name given etc. are to be checked/verified by the IS auditors.

CHAPTER 6

Audit Charter

The responsibility, authority and accountability of the information systems audit function, both internal and external, require to be appropriately documented in an audit charter or engagement letter, defining the responsibility, authority and accountability of the IS audit function. The IS auditor will require to determine how to achieve the implementation of the applicable IS audit standards, use professional judgement in their application and be prepared to justify any departure therefrom.

The IS auditor will require to have a clear mandate from the organization to perform the IS audit function. This mandate is ordinarily documented in an audit charter, which will require to be formally accepted by the IS auditor. The audit charter, for the audit function as a whole, will require to include the IS audit mandate.

6.1 Contents of the Audit Charter :

The audit charter should clearly address the three aspects of responsibility, authority and accountability of the IS auditor. Various aspects to be considered in this connection are as set out hereunder :

6.1.1 ‘Responsibility’ should cover the following :

a) Mission Statement

b) Aims/goals

c) Scope

d) Objectives

e) Independence

f) Relationship with external audit

g) Auditee’s requirements

h) Critical success factors

i) Key performance indicators

j) Other measures of performance

6.1.2 ‘Authority’ should cover the following :

a) Risk Assessment

b) Right of access to information, personnel, locations and systems relevant to the performance of audit.

c) Scope or any limitations of scope

d) Functions to be audited

e) Auditee’s expectations

f) Organisational structure, including reporting lines to the Board of Directors/Senior Management/ Designated Authority.

g) Gradation of IS audit officials/staff

6.1.3 Accountability should cover the following :

a) Reporting lines to senior management / Board of Directors / Designated Authority

b) Assignment performance appraisals

c) Personnel performance appraisals

d) Staffing/Career development

e) Auditees’ rights

f) Independent quality reviews

g) Assessment of compliance with standards

h) Benchmarking performance and functions

i) Assessment of completion of the audit plan

j) Comparison of budget to actual costs

k) Agreed actions, e.g. penalties when either party fails to carry out its responsibilities.

6.2 Communication with the Auditees :

6.2.1 Effective communication with the auditees involves consideration of the following :

a) Describing the service, its scope, its availability and timeliness of delivery.

b) Providing cost estimates or budgets, if they are available.

c) Describing problems and possible resolutions for them.

d) Providing adequate and readily accessible facilities for effective communication.

e) Determining the relationship between the service offered and the needs of the auditee.

6.2.2 The audit charter forms a sound basis for communication with the auditee and should include references to the service level agreements for such things as under :

a) Availability for unplanned work

b) Delivery of reports

c) Costs

d) Response to auditee’s complaints

e) Quality of service

f) Review of performance

g) Communication with the auditee

h) Needs assessment

i) Control risk self-assessment

j) Agreement of terms of reference for audit

k) Reporting process

l) Agreement of findings

6.3 Quality Assurance Process :

The IS auditor should consider establishing a quality assurance process (e.g., interviews, customer satisfaction surveys, assignment performance surveys etc.) to understand the auditee’s needs and expectations relevant to the IS audit function. These needs should be evaluated against the charter with a view to improving the service or changing the service delivery or audit charter, as necessary.

6.4 Engagement Letter :

6.4.1 Purpose :

Engagement letters are often used for individual assignments, setting out the scope and objectives of a relationship between the external IS audit agency and an organisation. The engagement letter should clearly address the three aspects of responsibility, authority and accountability. The following aspects should be considered while preparing the engagement letter for the IS auditor.

6.4.1.1 Under Responsibility, the following should be addressed :

a) Scope

b) Objectives

c) Independence

d) Risk assessment

e) Specific Auditee requirements

f) Deliverables

6.4.1.2 Under Authority, the following should be addressed :

a) Right of access to information, personnel, locations and systems relevant to the performance of the assignment.

b) Scope or any limitations of scope.

c) Documentary evidence/information of agreement to the terms and conditions of the engagement.

6.4.1.3 Under Accountability, the following should be addressed :

a) Designated/Intended recipients of the reports

b) Auditees’ rights

c) Quality reviews

d) Agreed completion dates

e) Agreed budgets/fees if available
