18955sm Finalnew Isca Cp3

ISCA

Copyright
© Attribution Non-Commercial (BY-NC)

3

Control Objectives
Learning Objectives :
To understand the importance of internal controls and control objectives;
To understand the setting and monitoring of Internal Control systems;
To know about various categories of Control Techniques: System development, System
implementation, Change management, Data integrity, Privacy and Security; and
To have an overview of the entire IS Audit process.
3.1 Information Systems Controls
The increasing use of information technology in a large number of organizations has made it
imperative that appropriate information systems are implemented in an organization.
Information technology covers all key aspects of business processes of an enterprise and has
an impact on its strategic and competitive advantage for its success. The enterprise strategy
outlines the approach it wishes to formulate with relevant policies and procedures on
harnessing the resources to achieve business objectives.
Control is defined as: policies, procedures, practices and enterprise structures that are
designed to provide reasonable assurance that business objectives will be achieved and
that undesired events are prevented, or detected and corrected.
Information systems auditing therefore includes reviewing the implemented system (or providing
consultation on it) and evaluating the reliability and operational effectiveness of its controls.
3.2 Need for Control and Audit of Information Systems
Technology has impacted what can be done in business in terms of information and as a
business enabler. It has increased the ability to capture, store, analyse and process
tremendous amounts of data and information, empowering the business decision maker.
With the advent of affordable hardware, technology has become a critical component of
business. Today's dynamic global enterprises need information integrity, reliability and validity
for the timely flow of accurate information throughout the organisation. Safeguarding assets and
maintaining data integrity to achieve system effectiveness and efficiency is a significant control
process.
Factors influencing an organization toward control and audit of computers and the impact of
the information systems audit function on organizations are depicted in the Fig. 3.1.
The Institute of Chartered Accountants of India
Fig. 3.1 : Impact of control and audit influencing an organization
(i) Organisational Costs of Data Loss : Data is a critical resource of an organisation for its
present and future process and its ability to adapt and survive in a changing
environment.
(ii) Incorrect Decision Making : Management and operational controls taken by managers
involve detection, investigations and correction of out-of-control processes. These high
level decisions require accurate data to make quality decision rules.
(iii) Costs of Computer Abuse : Unauthorised access to computer systems, computer viruses,
unauthorised physical access to computer facilities and unauthorised copies of sensitive
data can lead to destruction of assets (hardware, software, documentation etc.)
(iv) Value of Computer Hardware, Software and Personnel : These are critical resources of
an organisation which has a credible impact on its infrastructure and business
competitiveness.
(v) High Costs of Computer Error : In a computerised enterprise environment where many
critical business processes are performed a data error during entry or process would
cause great damage.
[Fig. 3.1, rendered as text. The "Organizations" box lists the factors that push an organization toward control and audit of computer-based information systems: organizational costs of data loss; costs of incorrect decision making; costs of computer abuse; value of hardware, software and personnel; high costs of computer error; maintenance of privacy; and controlled evolution of computer use. Information systems auditing then returns to the organization the outcomes: improved safeguarding of assets, improved data integrity, improved system effectiveness and improved system efficiency.]
(vi) Maintenance of Privacy : Today data collected in a business process contains details
about an individual on medical, educational, employment, residence etc. These data
were also collected before computers but now there is a fear that privacy has eroded
beyond acceptable levels.
(vii) Controlled evolution of computer Use : Technology use and reliability of complex
computer systems cannot be guaranteed and the consequences of using unreliable
systems can be destructive.
(viii) Information Systems Auditing : is the process of evaluating attest objectives (those of the
external auditor), which focus on asset safeguarding and data integrity, and management
objectives (those of the internal auditor), which include not only the attest objectives but also
effectiveness and efficiency objectives.
(ix) Asset Safeguarding Objectives : The information system assets (hardware, software,
data files etc.) must be protected by a system of internal controls from unauthorised
access.
(x) Data Integrity Objectives : Data integrity is a fundamental attribute of IS auditing. The
importance of maintaining the integrity of an organisation's data depends on the value of the
information, the extent of access to it, and its value to the business from the perspective of
the decision maker, the competition and the market environment.
(xi) System Effectiveness Objectives : The effectiveness of a system is evaluated by auditing the
characteristics and objectives of the system against substantial user requirements.
(xii) System Efficiency Objectives : To optimise the use of the various information system
resources (machine time, peripherals, system software and labour), along with their impact
on the computing environment.
3.3 Effect of Computers on Internal Controls
The internal controls within an enterprise in a computerised environment the major areas of
impact with the goal of asset safeguarding, data integrity, system efficiency and effectiveness
are discussed below.
(i) Personnel : Whether or not staff are trustworthy, know what they are doing and have the
appropriate skills and training to carry out their jobs to a competent standard.
(ii) Segregation of duties : a key control in an information system. Segregation basically
means that the stages in the processing of a transaction are split between different
people, such that one person cannot process a transaction through from start to finish.
The various stages in the transaction cycle are spread between two or more individuals.
However, in a computerised system, the auditor should also be concerned with the
segregation of duties within the IT department.
Within an IT environment, the staff in the computer department of an enterprise will have
a detailed knowledge of the interrelationship between the source of data, how it is
processed and distribution and use of output. IT staff may also be in a position to alter
transaction data or even the financial applications which process the transactions. This
gives them the knowledge and means to alter data, all they would then require is a
motive.
(iii) Authorisation procedures : to ensure that transactions are approved. In some on-line
transaction systems written evidence of individual data entry authorisation, e.g. a
supervisor's signature, may be replaced by computerised authorisation controls such as
automated controls written into the computer programs (e.g. programmed credit limit
approvals).
(iv) Record keeping : the controls over the protection and storage of documents, transaction
details, and audit trails etc.
(v) Access to assets and records : In the past manual systems could be protected from
unauthorised access through the use of locked doors and filing cabinets. Computerised
financial systems have not changed the need to protect the data. A client's financial data
and computer programs are vulnerable to unauthorised amendment at the computer or
from remote locations. The use of wide area networks, including the Internet, has
increased the risk of unauthorised access. The nature and types of control available have
changed to address these new risks.
(vi) Management supervision and review : Management's supervision and review help to
deter and detect both errors and fraud.
(vii) Concentration of programs and data : Transaction and master file data (e.g. pay rates,
approved suppliers lists etc.) may be stored in a computer readable form on one
computer installation or on a number of distributed installations. Computer programs
such as file editors are likely to be stored in the same location as the data. Therefore, in
the absence of appropriate controls over these programs and utilities, there is an
increased risk of unauthorised access to, and alteration of financial data.
The computer department may store all financial records centrally. For example, a large
multinational company with offices in many locations may store all its computer data in just
one centralised computer centre. In the past, the financial information would have been spread
throughout a client's organisation in many filing cabinets.
If a poorly controlled computer system was compared to a poorly controlled manual system, it
would be akin to placing an organisation's financial records on a table in the street and placing
a pen and a bottle of correction fluid nearby. Without adequate controls anyone could look at
the records and make amendments, some of which could remain undetected.
Internal controls used within an organisation comprise the following five interrelated
components:
Control environment : Elements that establish the control context in which specific accounting
systems and control procedures must operate. The control environment is manifested in
management's operating style, the ways authority and responsibility are assigned, the
functioning of the audit committee, the methods used to plan and monitor performance
and so on.
Risk Assessment : Elements that identify and analyze the risks faced by an organisation and
the ways the risk can be managed. Both external and internal auditors are concerned with
errors or irregularities that cause material losses to an organisation.
Control activities : Elements that operate to ensure transactions are authorized, duties are
segregated, adequate documents and records are maintained, assets and records are
safeguarded, and independent checks on performance and valuation of recorded amounts
occur. These are called accounting controls. Internal auditors are also concerned with
administrative controls to achieve effectiveness and efficiency objectives.
Information and communication : Elements, in which information is identified, captured and
exchanged in a timely and appropriate form to allow personnel to discharge their
responsibilities.
Monitoring : Elements that ensure internal controls operate reliably over time.
3.4 Effect of Computers on Audit
To cope with new technology usage in an enterprise, the auditor must be competent to
provide an independent evaluation of whether business process activities are recorded
and reported according to established standards or criteria. The two basic functions
affected by these changes are summarised as:
(i) Changes to Evidence Collection; and
(ii) Changes to Evidence Evaluation.
(i) Changes to Evidence Collection : The existence of an audit trail is a key financial audit
requirement; without one, the financial auditor may have extreme difficulty gathering sufficient,
appropriate audit evidence to validate the figures in the client's accounts. Collecting evidence
and understanding the reliability of controls in a computerised environment raises issues such
as the following.
Data retention and storage : A client's storage capabilities may restrict the amount of
historical data that can be retained on-line and readily accessible to the auditor. If the
client has insufficient data retention capacity the auditor may not be able to review a
whole reporting period's transactions on the computer system. For example, the client's
computer system may save data storage space by summarising transactions into
monthly, weekly or period-end balances.
If the client uses a computerised financial system all, or part of the audit trail may only exist in
a machine readable form. Where this is the case, the auditor may have to obtain and use
specialised audit tools and techniques which allow the data to be converted and interrogated.
Computerised financial data is usually stored as 1s and 0s, i.e. in binary, on magnetic
tapes or disks. It is not immediately obvious to the auditor what the 1s and 0s mean. The data
must be translated into normal text by an additional process before the auditor can read and
understand it. Since there are various formats for representing electronic data, the
auditor must find out which format the client has used, e.g. simple binary, hexadecimal, ASCII
or EBCDIC. For example, the character A has a decimal value of 65 in ASCII, which can
be stored as 1000001 in binary (01000001 as an 8-bit byte), or 41 in hexadecimal. The representation
of client data is covered in the INTOSAI IT audit training module Data Downloading.
When a client gives the auditor a magnetic tape containing transaction details, the data is not
readily accessible. Unlike receiving a printed transaction listing, the auditor cannot just pick up
a magnetic tape and read off the transactions. The data on the disk or tape may be in a
different format and hence may require conversion and translation. Once the data has been
uploaded onto the auditor's machine, audit software may be required to interrogate the
information.
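The point above, that the same bytes mean different things under ASCII and EBCDIC, is exactly where an auditor handed a tape or disk image goes wrong. The following is an added example and is not part of the study material: it dumps a constructed five-byte customer code in hex, tries each candidate encoding, and scores the result. It uses Python's cp037 codec as the EBCDIC code page, which is an assumption; a real client may use another EBCDIC code page, and the record layout still has to be confirmed with the client.

```python
"""Decoding a client data extract whose character encoding is unknown.

Added example, not from the ICAI study material. The two byte strings below
are constructed: the same customer code "A1B2C" stored once in ASCII and once
in EBCDIC (IBM code page 037, Python codec "cp037"). Only the encoding differs.
"""
import string
from typing import Dict, Optional, Tuple

# Constructed sample records: identical content, two encodings.
ASCII_BYTES = b"A1B2C"                   # 41 31 42 32 43
EBCDIC_BYTES = "A1B2C".encode("cp037")   # C1 F1 C2 F2 C3

# Candidate encodings to try. cp037 is an assumption: a real client may use a
# different EBCDIC code page (cp500, cp1047, ...), which must be confirmed.
CANDIDATES = ("ascii", "cp037")


def representations(ch: str) -> Tuple[int, str, str]:
    """Decimal, binary and hex forms of one ASCII character, e.g. 'A' -> (65, '1000001', '41')."""
    code = ord(ch)
    return code, format(code, "b"), format(code, "02X")


def hex_dump(data: bytes) -> str:
    """Space-separated uppercase hex, the form an auditor sees in a raw dump."""
    return " ".join(f"{b:02X}" for b in data)


def printable_ratio(text: str) -> float:
    """Fraction of characters that are printable ASCII; scores a candidate decoding."""
    if not text:
        return 0.0
    return sum(c in string.printable for c in text) / len(text)


def try_decodings(data: bytes) -> Dict[str, Optional[str]]:
    """Decode under every candidate encoding; None where the bytes are invalid for it."""
    out: Dict[str, Optional[str]] = {}
    for enc in CANDIDATES:
        try:
            out[enc] = data.decode(enc)
        except UnicodeDecodeError:
            out[enc] = None
    return out


def guess_encoding(data: bytes) -> str:
    """Return the candidate whose decoding is valid and most printable.

    A heuristic, not proof: the auditor still confirms the record layout
    (record length, field positions, packed-decimal fields) with the client.
    """
    scored = {enc: printable_ratio(t)
              for enc, t in try_decodings(data).items() if t is not None}
    return max(scored, key=scored.get)


if __name__ == "__main__":
    for label, blob in (("ASCII tape", ASCII_BYTES), ("EBCDIC tape", EBCDIC_BYTES)):
        enc = guess_encoding(blob)
        print(f"{label}: {hex_dump(blob)} -> {enc}: {try_decodings(blob)[enc]!r}")
```

Note that the EBCDIC bytes are not valid ASCII at all (every byte is above 0x7F), while the ASCII bytes decode under cp037 without error into unprintable control characters and accented letters; the printability score, not decode success alone, is what separates the two.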
Absence of input documents : Transaction data may be entered into the computer
directly without the presence of supporting documentation e.g. input of telephone orders
into a telesales system. The increasing use of EDI will result in less paperwork being
available for audit examination.
Lack of a visible audit trail : The audit trails in some computer systems may exist for only
a short period of time. The absence of an audit trail will make the auditors job very
difficult and may call for an audit approach which involves auditing around the computer
system by seeking other sources of evidence to provide assurance that the computer
input has been correctly processed and output.
Lack of visible output : The results of transaction processing may not produce a hard
copy form of output, i.e. a printed record. In the absence of physical output it may be
necessary for the auditor to directly access the electronic data retained on the client's
computer. This is normally achieved by having the client provide a computer terminal and
being granted read access to the required data files.
Audit evidence : Certain transactions may be generated automatically by the computer
system. For example, a fixed asset system may automatically calculate depreciation on
assets at the end of each calendar month. The depreciation charge may be automatically
transferred (journalised) from the fixed assets register to the depreciation account and
hence to the client's income and expenditure account.
Where transactions are system generated, the process of formal transaction
authorisation may not have been explicitly provided in the same way as in a manual
environment, i.e. each transaction is not supported by the signature of a manager,
supervisor or budget holder. This may alter the risk that transactions may be irregular or
ultra vires. Where human intervention is required to approve transactions the use of
judgement is normally required. Judgement is a feature which computers are generally
not programmed to demonstrate.
Legal issues : The use of computers to carry out trading activities is also increasing.
More organisations in both the public and private sector intend to make use of EDI and
electronic trading over the Internet. This can create problems with contracts, e.g. when is
the contract made, where is it made (legal jurisdiction), what are the terms of the contract
and who are the parties to it.
The admissibility of the evidence provided by a client's computer system may need
special consideration. The laws regarding the admissibility of computer evidence vary
from one country to another. Within a country laws may even vary between one state and
another. If the auditor intends to gather evidence for use in a court, s(he) should firstly
find out what the local or national laws stipulate on the subject.
In addition, the admissibility of evidence may vary from one court to another. What is
applicable in a civil court may not be applicable in a criminal court.
(ii) Changes to Evidence Evaluation : Evaluation of the audit trail and evidence traces the
consequences of control strengths and weaknesses through the system. The evidence evaluation
function for information systems leads to the identification of periodic and deterministic errors.
System-generated transactions : Financial systems may have the ability to initiate,
approve and record financial transactions. This is likely to become increasingly common
as more organisations install expert systems and electronic data interchange (EDI)
trading systems. The main reason clients are starting to use these types of system
is that they increase processing efficiency (for example, if a computer system
can generate transactions automatically there is no need to employ someone to do it
manually, and hence lower staff costs).
Automated transaction processing systems can cause the auditor problems. For example
when gaining assurance that a transaction was properly authorised or in accordance with
delegated authorities. The auditor may need to look at the applications programming to
determine if the programmed levels of authority are appropriate.
Automated transaction generation systems are frequently used in just-in-time (JIT)
inventory and stock control systems: when a stock level falls below a certain number,
the system automatically generates a purchase order and sends it to the supplier
(perhaps using EDI technology).
Systematic Error : Computers are designed to carry out processing on a consistent basis.
Given the same inputs and programming, they invariably produce the same output. This
consistency can be viewed in both a positive and a negative manner.
If the computer is doing the right thing, then with all other things being equal, it will continue to
do the right thing every time. Similarly, if the computer is doing the wrong thing and processing
a type of transaction incorrectly, it will continue to handle the same type of transactions
incorrectly every time. Therefore, whenever an auditor finds an error in a computer processed
transaction, s(he) should be thorough in determining the underlying reason for the error. If the
error is due to a systematic problem, the computer may have processed hundreds or
thousands of similar transactions incorrectly.
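The monthly depreciation run mentioned under "Audit evidence" above is the kind of system-generated transaction where one programmed fault repeats on every run. The following re-performance test is an added example and not taken from the study material: the asset register, the posted journals and the planted faults (a hypothetical PLANT-class calculation that divides by 10 instead of 12, plus one isolated keying error in FURNITURE) are all constructed. It recomputes straight-line monthly depreciation independently, lists every journal that disagrees, and then tells a systematic error (every asset in a class wrong by the same factor) from an isolated one, which is the distinction the auditor needs before deciding how far to extend testing.

```python
"""Re-performance test for system-generated depreciation journals.

Added example, not from the ICAI study material. The asset register, the
journals the "system" posted and the faults in them are all constructed.
"""
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

# Constructed asset register: (asset_id, asset_class, cost, useful_life_years).
ASSETS = [
    ("A-001", "PLANT", Decimal("120000"), 10),
    ("A-002", "PLANT", Decimal("60000"), 5),
    ("A-003", "PLANT", Decimal("24000"), 4),
    ("A-004", "FURNITURE", Decimal("12000"), 5),
    ("A-005", "FURNITURE", Decimal("6000"), 10),
]

# Constructed journals posted by the system for one month: asset_id -> charge.
# Hypothetical faults: PLANT charges were computed as cost / life / 10 instead
# of / 12 (a program fault, so every PLANT asset is wrong by the same factor);
# A-005 carries a one-off keying error.
POSTED = {
    "A-001": Decimal("1200.00"),   # independent recomputation gives 1000.00
    "A-002": Decimal("1200.00"),   # 1000.00
    "A-003": Decimal("600.00"),    # 500.00
    "A-004": Decimal("200.00"),    # agrees
    "A-005": Decimal("60.00"),     # 50.00, isolated
}

Exception = Tuple[str, str, Decimal, Decimal]  # (asset_id, class, expected, posted)


def expected_monthly_depreciation(cost: Decimal, life_years: int) -> Decimal:
    """Auditor's own calculation: straight-line, no residual, cost / life / 12, to 2 dp."""
    return (cost / life_years / 12).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def find_exceptions(assets, posted) -> List[Exception]:
    """Recompute every charge and return the journals that disagree with it."""
    exceptions = []
    for asset_id, cls, cost, life in assets:
        expected = expected_monthly_depreciation(cost, life)
        actual = posted[asset_id]
        if actual != expected:
            exceptions.append((asset_id, cls, expected, actual))
    return exceptions


def classify_by_class(assets, exceptions) -> Dict[str, str]:
    """Label each asset class.

    'systematic': every asset in the class is wrong by the same factor, so look
                  for a program or parameter fault and extend testing to the
                  whole population processed by that code.
    'isolated'  : only some assets are wrong, or by differing factors.
    'clean'     : no exceptions.
    """
    population: Dict[str, int] = defaultdict(int)
    for _, cls, _, _ in assets:
        population[cls] += 1
    factors: Dict[str, set] = defaultdict(set)
    for _, cls, expected, actual in exceptions:
        factors[cls].add((actual / expected).quantize(Decimal("0.0001")))
    result = {}
    for cls, n in population.items():
        wrong = sum(1 for e in exceptions if e[1] == cls)
        if wrong == 0:
            result[cls] = "clean"
        elif wrong == n and len(factors[cls]) == 1:
            result[cls] = "systematic"
        else:
            result[cls] = "isolated"
    return result


if __name__ == "__main__":
    exc = find_exceptions(ASSETS, POSTED)
    for asset_id, cls, expected, actual in exc:
        print(f"{asset_id} ({cls}): expected {expected}, posted {actual}")
    print(classify_by_class(ASSETS, exc))
```

The test is deliberately independent of the client's program: it starts from the asset register and the accounting policy, not from the system's own formula, so a fault in the program cannot hide inside the auditor's expectation.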
3.5 Responsibility for Controls
Management is responsible for establishing and maintaining control to achieve the objectives
of effective and efficient operations, and reliable information systems. Management should
consistently apply the internal control standards to meet each of the internal control objectives
and to assess internal control effectiveness. The number of management levels depends on
the company size and organisation structure, but generally there are three such levels: senior,
middle and supervisory. Senior management is responsible for strategic planning and
objectives, thus setting the course in the lines of business that the company will pursue. Middle
management develops the tactical plans, activities and functions that accomplish the strategic
objectives. Supervisory management oversees and controls the daily activities and functions of
the tactical plan.
Fig. 3.2 : Structure of the Control environment
(i) Long-range planning : includes documenting goals and objectives, explaining how
strengths will be used and how weakness will be compensated for or corrected. The
elements of long-range planning incorporate:
The goals and objective of the plan-for use in measuring progress,
Revenue and expense estimates,
Time allowance and target dates, and
Strengths and weakness.
(ii) Long-range planning and IT department : The information system managers must take
systematic and proactive measures to
Develop and implement appropriate, cost-effective internal control for results-
oriented management;
Assess the adequacy of internal control in programs and operations;
Separately assess and document internal control over information systems
consistent with the information security policy of the organisation
Identify needed improvements;
Take corresponding corrective action; and
Report annually on internal control through management assurance statements
(iii) Short-range planning or tactical planning : the functions and activities performed every day
are established to meet the long-range goals. For example, data processing job plan
defines daily activities of developing software and obtaining hardware in sufficient time to
support business activities.
(iv) Personnel Management controls : This involves activities and functions to accomplish the
administration of individuals, salary and benefits costs. The control techniques are-
Job descriptions : a management control to communicate management
requirements and provide a standard for performance measurement.
Salary and benefits budget : To identify the cost factors and evolve a strategic plan
for new product and services.
Recruiting standards and criteria : This control is critical for IS positions, which
require technical training and experience to develop and maintain operational
efficiency.
Job performance evaluations : To counsel and motivate employees to maintain
quality of systems design and conformance with deadlines and budget time.
Screening and security standards : In an IS environment an intentionally erroneous
or fraudulent program can damage a company, even causing bankruptcy. Screening
and credit reports are preventive control measures with applicable labour laws and
regulations.
3.6 The IS Audit Process
The Audit of an IS environment to evaluate the systems, practices and operations may include
one or both of the following :
Assessment of internal controls within the IS environment to assure validity, reliability
and security of information.
Assessment of the efficiency and effectiveness of the IS environment in economic terms.
The IS audit process is to evaluate the adequacy of internal controls with regard to both
specific computer programs and the data processing environment as a whole. This includes
evaluating both the effectiveness and efficiency. The focus (scope and objective) of the audit
process is not only on security which comprises confidentiality, integrity and availability but
also on effectiveness (result-orientation) and efficiency (optimum utilisation of resources).
3.6.1 Responsibility of IS Auditor: The audit objective and scope has a significant bearing
on the skill and competence requirements of an IS auditor. The set of skills that is generally
expected of an IS auditor include :
Sound knowledge of business operations, practices and compliance requirements,
Should possess the requisite professional technical qualification and certifications,
A good understanding of information risks and controls,
Knowledge of IT strategies, policy and procedure controls,
Ability to understand technical and manual controls relating to business continuity, and
Good knowledge of Professional Standards and Best practices of IT controls and
security.
Therefore the audit process begins by defining the scope and objectives, adopting the
standards and benchmarks against which evidence will be collected and evaluated, and
developing the information model used to execute the audit.
3.6.2 Functions of IS Auditor : The IT auditor is often the translator of business risk, as it relates
to the use of IT, to management: someone who can check the technicalities well enough to
understand the risk (not necessarily manage the technology), make a sound assessment
and present risk-oriented advice to management.
IT auditors review risks relating to IT systems and processes, some of them are:
(i) Inadequate information security (e.g. missing or out of date antivirus controls, open
computer ports, open systems without password or weak passwords etc.)
(ii) Inefficient use of corporate resources, or poor governance (e.g. huge spending on
unnecessary IT projects like printing resources, storage devices, high power servers and
workstations etc.)
(iii) Ineffective IT strategies, policies and practices (including a lack of policies for use of
Information and Communication Technology (ICT) resources, Internet usage policies,
Security practices etc.)
(iv) IT-related frauds (including phishing, hacking etc)
3.6.3 Categories of IS Audits : IT audits have been categorised into five types:
(i) Systems and Applications : An audit to verify that systems and applications are
appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely,
and secure input, processing, and output at all levels of a system's activity
(ii) Information Processing Facilities : An audit to verify that the processing facility is
controlled to ensure timely, accurate, and efficient processing of applications under
normal and potentially disruptive conditions.
(iii) Systems Development : An audit to verify that the systems under development meet the
objectives of the organization and to ensure that the systems are developed in
accordance with generally accepted standards for systems development.
(iv) Management of IT and Enterprise Architecture : An audit to verify that IT management
has developed an organizational structure and procedures to ensure a controlled and
efficient environment for information processing.
(v) Telecommunications, Intranets, and Extranets : An audit to verify that controls are in
place on the client (computer receiving services), server, and on the network connecting
the clients and servers.
3.6.4 Steps in Information Technology Audit: Different audit organizations go about IT
auditing in different ways and individual auditors have their own favourite ways of working. It
can be categorized into six stages-
Fig. 3.3 : Steps in IS Audit process
(i) Scoping and pre-audit survey : the auditors determine the main area/s of focus and any
areas that are explicitly out-of-scope, based normally on some form of risk-based
assessment. Information sources at this stage include background reading and web
browsing, previous audit reports, pre audit interview, observations and, sometimes,
subjective impressions that simply deserve further investigation.
(ii) Planning and preparation : during which the scope is broken down into greater levels of
detail, usually involving the generation of an audit work plan or risk-control-matrix.
(iii) Fieldwork : gathering evidence by interviewing staff and managers, reviewing documents,
printouts and data, observing processes etc.
(iv) Analysis : this step involves sorting out, reviewing and trying to make sense of all the
evidence gathered earlier. SWOT (Strengths, Weaknesses, Opportunities, Threats) or
PEST (Political, Economic, Social, Technological) techniques can be used for analysis.
(v) Reporting : findings are reported to management after the gathered evidence has been
analysed.
(vi) Closure : closure involves preparing notes for future audits and following up
management to complete the actions they promised after previous audits.
Steps 3 and 4 may on occasions involve the use of automated data analysis tools such as ACL or
IDEA, if not Excel, Access and hand-crafted SQL queries. Automated system security analysis,
configuration or vulnerability management and security benchmarking tools are also a boon for
reviewing security parameters, and of course basic security management functions that are built-in
to modern systems can help with log analysis, reviewing user access rights etc.
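As an added example of the hand-crafted SQL query and the review of user access rights mentioned above, and of the segregation-of-duties principle from section 3.3 (no one person should be able to carry a transaction from start to finish), the following Python script loads a constructed extract of user-to-role assignments into an in-memory sqlite3 database and lists every user who holds a conflicting pair of roles. It is not code from the study material; the role names and the conflict pairs are hypothetical and would be replaced by the client's own roles and delegated-authority rules.

```python
"""Segregation-of-duties check over a user access-rights extract.

Added example, not from the ICAI study material. Role names and conflict
pairs are hypothetical; the extract is constructed.
"""
import sqlite3
from typing import List, Tuple

# Constructed extract: (user_id, role). In practice this comes from the
# application's security tables or an identity management export.
ASSIGNMENTS = [
    ("u101", "VENDOR_MAINTAIN"),
    ("u101", "INVOICE_ENTER"),
    ("u102", "INVOICE_ENTER"),
    ("u103", "PAYMENT_APPROVE"),
    ("u104", "VENDOR_MAINTAIN"),
    ("u104", "PAYMENT_APPROVE"),    # can create a vendor and pay it: conflict
    ("u105", "PROGRAM_CHANGE"),
    ("u105", "PRODUCTION_OPERATE"),  # can change code and run it in production: conflict
]

# Constructed conflict matrix: role pairs one person must not hold together.
# Direction does not matter; the self-join below tries both orders.
CONFLICTS = [
    ("VENDOR_MAINTAIN", "PAYMENT_APPROVE"),
    ("INVOICE_ENTER", "PAYMENT_APPROVE"),
    ("PROGRAM_CHANGE", "PRODUCTION_OPERATE"),
]

# Self-join the assignments on user_id and match each pair against the matrix.
SOD_QUERY = """
SELECT a.user_id, c.role_a, c.role_b
FROM assignments a
JOIN assignments b ON a.user_id = b.user_id
JOIN conflicts   c ON c.role_a = a.role AND c.role_b = b.role
ORDER BY a.user_id, c.role_a
"""


def load(conn: sqlite3.Connection) -> None:
    """Create the two tables and populate them from the extract."""
    conn.executescript("""
        CREATE TABLE assignments (user_id TEXT NOT NULL, role TEXT NOT NULL);
        CREATE TABLE conflicts   (role_a  TEXT NOT NULL, role_b TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO assignments VALUES (?, ?)", ASSIGNMENTS)
    conn.executemany("INSERT INTO conflicts VALUES (?, ?)", CONFLICTS)


def sod_violations() -> List[Tuple[str, str, str]]:
    """Return (user_id, role_a, role_b) for every user holding a conflicting pair."""
    with sqlite3.connect(":memory:") as conn:
        load(conn)
        return conn.execute(SOD_QUERY).fetchall()


if __name__ == "__main__":
    for user, role_a, role_b in sod_violations():
        print(f"{user}: holds both {role_a} and {role_b}")
```

The same query runs unchanged against a real database once the two tables are pointed at the client's extract; the only audit judgement embedded in the code is the conflict matrix, which should be agreed with management before the test is relied upon.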
3.6.5 Audit Standards: IS auditors need guidance and a different yardstick to measure the
3Es (Economy, Efficiency and Effectiveness) of a system. The objective is to determine how
to implement the IS auditing standards, use professional judgement in their application and
be prepared to justify any departure.
The auditor needs guidance on how:
IS should be assessed to plan audits effectively;
To focus effort on high-risk areas; and
To assess the severity of any errors or weaknesses found.
The Institute of Chartered Accountants of India has issued AASs covering various aspects.
Although these standards are primarily concerned with the audit of financial information, they
can be adapted for the purposes of IS Audit depending on its scope and objectives. The
following AASs issued by the Institute of Chartered Accountants of India can be adapted for
the IS Audits :
1. Basic Principles Governing an Audit
2. Objective and scope of the Audit of Financial Statements
3. Documentation
4. The Auditor's Responsibility to Consider Fraud and Error in an Audit of Financial Statements
5. Audit Evidence
6. Risk Assessment and Internal Controls
7. Relying Upon the Work of an Internal Auditor
8. Audit Planning
9. Using the Work of an Expert
10. Using the Work of Another Auditor
11. Representations by Management
12. Responsibility of Joint Auditors
13. Audit Materiality
14. Analytical Procedures
15. Audit Sampling
16. Going Concern
17. Quality control for Audit Work
18. Audit of Accounting Estimates
19. Subsequent Events
20. Knowledge of Business
21. Consideration of Laws and Regulations in an Audit of Financial Statements
22. Initial Engagements - Opening Balances
23. Related Parties
24. Audit considerations relating to Using Service organisations
25. Comparatives
26. Terms of Audit Engagement
27. Communication of Audit Matters With Those Charged with Governance
28. The Auditor's Report on Financial Statements
29. Auditing in a Computer Information Systems Environment
30. External Confirmations
31. Engagements to compile Financial Information
32. Engagements to Perform Agreed upon Procedures regarding Financial Information.
Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider
them in determining how to achieve implementation of the standards, use professional
judgment in their application and be prepared to justify any departure.
Several well known organisations have published practical and useful material on IS audit;
a few of them are:
3.6.6 ISACA (Information Systems Audit and Control Association) is a global leader in
information governance, control, security and audit. ISACA has developed the following to assist
the IS auditor in carrying out an IS audit.
IS auditing standards : ISACA has issued 16 auditing standards, which define the mandatory
requirements for IS auditing and reporting.
IS auditing guidelines : ISACA has issued 39 auditing guidelines, which provide guidance in
applying the IS auditing standards.
IS auditing procedures : ISACA has issued 11 IS auditing procedures, which give examples of the
procedures an IS auditor needs to follow while conducting an IS audit in order to comply with the
IS auditing standards.
COBIT (Control Objectives for Information and related Technology) : a framework containing
good business practices relating to information technology.
3.6.7 ISO 27001: The topic is discussed in chapter-8 of the same study material.
3.6.8 IIA (The Institute of Internal Auditors) is an international professional association.
This association provides dynamic leadership for the global profession of internal auditing. The IIA
issues the Global Technology Audit Guides (GTAG). GTAGs provide the management of an
organisation with guidance on information technology management, control and security, and
IS auditors with guidance on information technology associated risks and recommended practices.
Following is the list of GTAGs developed by the IIA.
GTAG 1 : Information Technology Controls
GTAG 2 : Change and Patch Management Controls : Critical for Organizational Success
GTAG 3 : Continuous Auditing : Implications for Assurance, Monitoring, and Risk Assessment
GTAG 4 : Management of IT Auditing
GTAG 5 : Managing and Auditing Privacy Risks
GTAG 6 : Managing and Auditing IT Vulnerabilities
GTAG 7 : Information Technology Outsourcing
GTAG 8 : Auditing Application Controls
GTAG 9 : Identity and Access Management.
3.6.9 ITIL The topic is discussed in chapter-8 of the same study material.
3.6.10 Control objectives for Information related Technology (COBIT): COBIT is
discussed in detail in Chapter 8 of the Study material.
3.6.11 Cost Effectiveness of Control Procedures: No internal control system can provide
foolproof protection against all internal control threats. The cost of a foolproof system would
be prohibitive. In addition, because many controls negatively affect operational efficiency, too
many controls slow the system and make it inefficient. Therefore,
the objective in designing an internal control system is to provide reasonable assurance that
control problems do not take place.
Fig. 3.4 : Cost-Effectiveness of Controls (the figure weighs Benefits, i.e. the reduction in
expected losses, against the Costs of design, implementation, operation and maintenance)
To determine if a control is effective an auditor must compare the reduction in expected losses
that will occur by virtue of having the control with the costs of designing, implementing,
operating and maintaining the control. Implementing and operating controls in a system
involves the following five costs-
(i) Initial setup cost : This cost is incurred to design and implement controls. For example, a
security specialist must be employed to design a physical security system.
(ii) Executing cost : This cost is associated with the execution of a control. For example, the
cost incurred in using a processor to execute input validation routines for a security
system.
(iii) Correction costs : When the control has operated reliably in signalling an error or irregularity,
the cost associated with correcting that error or irregularity.
(iv) Failure cost : When the control malfunctions or was not designed to detect an error or
irregularity, the undetected or uncorrected errors cause losses.
(v) Maintenance costs : The cost associated in ensuring the correct working of a control. For
example, rewriting input validation routines as the format of input data changes.
The benefit of an internal control procedure must exceed its cost. Costs are easier to
measure than benefits, however. The primary cost element is personnel, including the time to
perform control procedures, the costs of hiring additional employees to achieve effective
segregation of duties, and the costs of programming controls into an information system.
Internal control benefits stem from reduced losses. One way to calculate benefits involves
expected loss, the mathematical product of risk and exposure.
The benefit of a control procedure is the difference between the expected loss with the control
procedure(s) and the expected loss without it.
Determine Cost-Benefit Effectiveness : After estimating benefits and costs, management
determines if the control is cost beneficial. For example, at one multinational company,
data errors occasionally required the entire payroll to be reprocessed, at a cost of ₹ 10,000.
Management determined that a data validation step would reduce error risk from 15 per cent
to 1 per cent, at a cost of ₹ 600 per pay period. The cost-benefit analysis that management
used to determine if the validation step should be employed is shown in Table 3.1.
                                   Without Validation   With Validation   Net Expected
                                   Procedure            Procedure         Difference
Cost to reprocess entire payroll   ₹ 10,000             ₹ 10,000
Risk of payroll data errors        15%                  1%
Expected reprocessing cost
(₹ 10,000 × risk)                  ₹ 1,500              ₹ 100             ₹ 1,400
Cost of validation procedure       ₹ 0                  ₹ 600             ₹ (600)
Net expected benefit of
validation procedure                                                      ₹ 800
Table 3.1 : Cost Effectiveness of Controls
If the proposed payroll validation procedure is not utilised, then the expected loss to the
company is ₹ 1,500. Because the expected loss with the validation step is ₹ 100, the control
provides an expected benefit of ₹ 1,400. After deducting the control costs of ₹ 600, the
validation step provides a net benefit of ₹ 800 and clearly should be implemented.
In evaluating the costs and benefits of control procedures, management must consider factors
other than those in the expected benefit calculation. For example, if an exposure threatens an
organisation's existence, it may be worthwhile to spend more than indicated by the cost-benefit
analysis to minimize the possibility that the organization will perish. This extra cost
can be viewed as a catastrophic loss insurance premium.
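The expected-loss arithmetic above, generalised so that any proposed control can be evaluated the same way, is shown in the following added example. It is not part of the study material: the first proposal uses the Table 3.1 figures, while the second proposal, its figures and the survival flag are constructed to illustrate the catastrophic-loss caveat of the previous paragraph.

```python
"""Expected-loss cost-benefit check for a proposed control.

Added example, not taken from the study material. The figures in
PAYROLL_VALIDATION are the ones in Table 3.1 (reprocessing cost 10,000,
error risk 15% without and 1% with validation, 600 per pay period); the
second proposal and the survival flag are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlProposal:
    name: str
    exposure: float        # loss incurred each time the undesired event occurs
    risk_without: float    # probability of the event per period without the control
    risk_with: float       # probability per period with the control in place
    control_cost: float    # setup + executing + maintenance cost per period
    threatens_survival: bool = False  # an exposure that could end the organisation


def expected_loss(exposure: float, risk: float) -> float:
    """Expected loss is the product of risk and exposure."""
    return risk * exposure


def evaluate(p: ControlProposal) -> dict:
    """Work through the rows of Table 3.1 for one proposal."""
    loss_without = expected_loss(p.exposure, p.risk_without)
    loss_with = expected_loss(p.exposure, p.risk_with)
    benefit = loss_without - loss_with      # reduction in expected loss
    net_benefit = benefit - p.control_cost  # benefit less the cost of the control
    return {
        "expected_loss_without": loss_without,
        "expected_loss_with": loss_with,
        "benefit": benefit,
        "net_benefit": net_benefit,
        "cost_beneficial": net_benefit > 0,
    }


def recommend(p: ControlProposal) -> bool:
    """A control is recommended when it is cost-beneficial, or when the exposure
    threatens the organisation's existence (the extra spend is then treated as a
    catastrophic-loss insurance premium)."""
    return evaluate(p)["cost_beneficial"] or p.threatens_survival


PAYROLL_VALIDATION = ControlProposal("payroll data validation", 10_000, 0.15, 0.01, 600)

# Constructed: an expensive control against a rare event the organisation could not survive.
OFFSITE_BACKUP = ControlProposal("off-site backup of master files", 5_000_000, 0.002,
                                 0.0005, 9_000, threatens_survival=True)

if __name__ == "__main__":
    for proposal in (PAYROLL_VALIDATION, OFFSITE_BACKUP):
        print(proposal.name, evaluate(proposal), "recommend:", recommend(proposal))
```

The off-site backup proposal has a negative net benefit on the arithmetic alone, yet `recommend` still returns true because of the survival flag; that is exactly the judgement the text says management must apply outside the expected-benefit calculation.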
3.7 Information Systems Control Techniques
The basic purpose of information system controls in an organization is to ensure that the
business objectives are achieved and undesired risk events are prevented or detected and
corrected. This is achieved by designing an effective information control framework, which
comprises policies, procedures, practices and organization structure that give reasonable
assurances that the business objectives will be achieved.
Controls are defined as "The policies, procedures, practices and organizational structures
designed to provide reasonable assurance that business objectives will be achieved and that
undesired events will be prevented or detected and corrected."
3.7.1 Objective of Controls: The objective of controls is to reduce or if possible eliminate
the causes of the exposure to potential loss. Exposures are potential losses due to threats
materializing. All exposures have causes. Some categories of exposures are:
Errors or omissions in data, procedure, processing, judgment and comparison.
Improper authorizations and improper accountability with regards to procedures,
processing, judgment and comparison.
Inefficient activity in procedures, processing and comparison.
Some of the critical control considerations in a computerized environment are:
Lack of management understanding of IS risks and lack of necessary IS and related controls.
Absence of, or an inadequate, IS control framework.
Absence of or weak general controls and IS controls.
Lack of awareness and knowledge of IS risks and controls amongst the business users
and even IT staff.
Complexity of implementation of controls in distributed computing environments and
extended enterprises.
Lack of control features or their implementation in highly technology driven environments.
Inappropriate technology implementations or inadequate security functionality in
technologies implemented.
Control objective is defined as "A statement of the desired result or purpose to be achieved by
implementing control procedures in a particular IT process or activity." Control objectives define
what is sought to be accomplished by implementing the control and the purpose thereof. The
control objectives serve two main purposes:
(i) Outline the policies of the organization as laid down by the management.
(ii) A benchmark for evaluating whether control objectives are met.
Fig. 3.5 : Information Systems Controls
3.7.2 Categories of Controls
Internal controls can be classified into various categories to illustrate the interaction of various
groups in the enterprise and their effect on computer controls. These categories are:
Fig. 3.6 : Categories of Controls
Objective of controls : Preventive, Detective, Corrective, Compensatory
Nature of IS resource : Environmental, Physical Access, Logical Access, IS Operational, IS
Management, SDLC
Functional nature : Internal Accounting, Operational, Administrative
Based on the objective with which controls are designed or implemented, controls can be
classified as:
(i) Preventive Controls : Preventive controls are those inputs that are designed to prevent
an error, omission or malicious act from occurring. An example of a preventive control is the use
of passwords to gain access to a financial system. The broad characteristics of preventive
controls are:
(i) A clear-cut understanding about the vulnerabilities of the asset
(ii) Understanding probable threats
(iii) Provision of necessary controls to prevent probable threats from materializing
As has been discussed earlier in this section, any control can be implemented in both a
manual and a computerized environment for the same purpose; only the implementation
methodology may differ from one environment to the other. Now let us discuss examples
of preventive controls and how the same control is implemented in different environments.
Examples of preventive controls
Employ qualified personnel
Segregation of duties
Access control
Vaccination against diseases
Documentation
Prescribing appropriate books for a course
Training and retraining of staff
Authorization of transaction
Validation, edit checks in the application
Firewalls
Anti-virus software (sometimes this acts like a corrective control also), etc
Passwords
The above list is by no means exhaustive, but is a mix of manual and computerized preventive
controls. The following table shows how the same purpose is achieved by using manual and
computerized controls.
Purpose                             Manual Control                          Computerized Control
Restrict unauthorized entry         Build a gate and post a security        Use access control software,
into the premises                   guard                                   smart card, biometrics, etc.
Restrict unauthorized entry         Keep the computer in a secured          Use access control, viz. user
into the software applications      location and allow only authorized      ID, password, smart card, etc.
                                    persons to use the applications
Table 3.2 : Preventive Controls
(ii) Detective Control : These controls are designed to detect errors, omissions or malicious
acts that occur and report the occurrence. An example of a detective control would be the use of
automatic expenditure profiling, where management gets regular reports of spend to date
against profiled spend. The main characteristics of such controls are as follows:
Clear understanding of lawful activities so that anything which deviates from these is
reported as unlawful, malicious, etc.
An established mechanism to refer the reported unlawful activities to the appropriate
person or group
Interaction with the preventive control to prevent such acts from occurring
Surprise checks by supervisor
Examples of detective controls include :
Hash totals
Check points in production jobs
Echo control in telecommunications
Error message over tape labels
Duplicate checking of calculations
Periodic performance reporting with variances
Past-due accounts report
The internal audit function
Intrusion detection system
Cash counts and bank reconciliation
Monitoring expenditures against budgeted amount
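Hash totals, the first detective control in the list above, are easiest to appreciate when run over a batch. The following added example (not from the study material; the batch, its control slip and the two corrupted copies are constructed, and the field names are assumptions) prepares record count, financial total and hash total at origination and reconciles them after processing, showing which kind of error each total catches.

```python
"""Batch control totals as a detective control over a transfer of records.

Added example, not from the study material. The batch, the control slip and
the two corrupted copies are constructed; the field names are assumptions.
"""
from typing import Dict, List

Record = Dict[str, float]

# Constructed batch as released by the originating department.
SUBMITTED_BATCH: List[Record] = [
    {"record_no": 1, "account": 10234, "amount": 1250.00},
    {"record_no": 2, "account": 10567, "amount": 310.50},
    {"record_no": 3, "account": 10891, "amount": 4990.00},
    {"record_no": 4, "account": 10234, "amount": 75.25},
]


def batch_totals(records: List[Record]) -> Dict[str, float]:
    """Three control totals prepared at origination and recomputed after processing:
    the record count, the financial total of the amount field, and a hash total,
    i.e. the sum of a non-financial field (account numbers) that has no business
    meaning but changes if any account number is altered."""
    return {
        "record_count": len(records),
        "amount_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["account"] for r in records),
    }


def reconcile(control_slip: Dict[str, float], processed: List[Record]) -> List[str]:
    """Compare the control slip with totals recomputed from what was actually
    processed; every mismatch is an exception to be referred for follow-up."""
    actual = batch_totals(processed)
    return [
        f"{name}: control slip {control_slip[name]}, processed {actual[name]}"
        for name in control_slip
        if control_slip[name] != actual[name]
    ]


CONTROL_SLIP = batch_totals(SUBMITTED_BATCH)

# Constructed failure modes observed at the receiving end.
DROPPED_RECORD = SUBMITTED_BATCH[:3]                 # last record lost in transfer
WRONG_ACCOUNT = [dict(r) for r in SUBMITTED_BATCH]
WRONG_ACCOUNT[0]["account"] = 10243                  # digits transposed; amount unchanged

if __name__ == "__main__":
    print("clean:", reconcile(CONTROL_SLIP, SUBMITTED_BATCH))
    print("dropped record:", reconcile(CONTROL_SLIP, DROPPED_RECORD))
    print("wrong account:", reconcile(CONTROL_SLIP, WRONG_ACCOUNT))
```

The transposed account number leaves both the record count and the amount total intact; only the hash total reports it, which is why a hash total is kept alongside the financial total even though its value means nothing by itself.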
(iii) Corrective Controls : Corrective controls are designed to reduce the impact or correct an
error once it has been detected. Corrective controls may include the use of default dates on
invoices where an operator has tried to enter the incorrect date. A business continuity plan is
considered to be a significant corrective control. The main characteristics of the corrective
controls are:
Minimize the impact of the threat
Identify the cause of the problem
Remedy problems discovered by detective controls
Get feedback from preventive and detective controls
Correct error arising from a problem
Modify the processing systems to minimize future occurrences of the problem
Examples of Corrective Controls :
Contingency planning
Backup procedure
Rerun procedures
Treatment procedures for a disease
Change input value to an application system
Investigate budget variance and report violations.
(iv) Compensatory Controls : Controls are basically designed to reduce the probability of
threats, which can exploit the vulnerabilities of an asset and cause a loss to that asset. While
designing the appropriate control one thing should be kept in mind: the cost of the lock should
not be more than the cost of the assets it protects. Sometimes, while designing and
implementing controls, organizations, because of different constraints like financial,
administrative or operational, may not be able to implement the appropriate controls. In such a
scenario, there should be adequate compensatory measures which, although not as
efficient as the appropriate control, can still reduce the probability of threats to the
assets. Such measures are called compensatory controls. Some examples of compensatory
control given below will make the concept more clear.
Another classification of controls is based on the nature of such controls with regard to the
nature of IS resources to which they are applied:
(i) Environmental controls : Controls relating to the housing of IT resources, such as power, air-
conditioning, UPS, smoke detection, fire-extinguishers, dehumidifiers etc.
(ii) Physical Access Controls : Controls relating to physical security of the tangible IS
resources and intangible resources stored on tangible media etc. Such controls include
Access control doors, Security guards, door alarms, restricted entry to secure areas, visitor
logged access, video monitoring etc.
(iii) Logical Access Controls : Controls relating to logical access to information resources such
as operating systems controls, Application software boundary controls, networking controls,
access to database objects, encryption controls etc.
(iv) IS Operational Controls : Controls relating to IS operation, administration and its
management such as day begin and day end controls, IS infrastructure management,
Helpdesk operations etc.
(v) IS Management Controls : Controls relating to IS management, administration, policies,
procedures, standards and practices, monitoring of IS operations, Steering committee etc.
(vi) SDLC Controls : Controls relating to planning, design, development, testing,
implementation and post implementation, and change management of application and
other software.
Further, another category of controls is based on their functional nature. When reviewing a
client's control systems, the auditor will be able to identify three components of internal
control. Each component is aimed at achieving different objectives. The information system
auditor will be most familiar with :
(i) Internal Accounting controls : Controls which are intended to safeguard the client's
assets and ensure the reliability of the financial records;
(ii) Operational controls : These deal with the day to day operations, functions and activities
to ensure that the operational activities are contributing to business objectives.
(iii) Administrative controls : These are concerned with ensuring efficiency and compliance
with management policies, including the operational controls.
3.7.3 Control Techniques
Fig. 3.7 : Control Techniques (the figure lists the control techniques covered below:
Organizational, Management, Financial, Data Processing Environment, Physical Access, Logical
Access, SDLC, BCP and Application controls)
3.7.4 Organizational Controls: Enterprise controls are concerned with the decision-making
processes that lead to management authorization of transactions. Companies with large data
processing facilities separate data processing from business units to provide control over its
costly hardware, software, and human resources. Combining data processing into the
business units would be too much responsibility for one manager. Organizational control
techniques include documentation of :
Reporting responsibility and authority of each function,
Definition of responsibilities and objectives of each function,
Policies and procedures,
Job descriptions, and
Segregation of duties.
(i) Responsibilities and objectives : Each IS function must be clearly defined and
documented, including systems software, application programming and systems development,
database administration, and operations. The senior manager, of all these groups, and
managers of the individual groups make up the IS management team responsible for the
effective and efficient utilization of IS resources. Their responsibilities include:
Providing information to senior management on the IS resources, to enable senior
management to meet strategic objectives.
Planning for expansion of IS resources
Controlling the use of IS resources
Implementing activities and functions that support accomplishment of the company's
strategic plan.
(ii) Policies, standards, procedures and practices : These are the standards and instructions
that all IS personnel must follow when completing their assigned duties. Policies establish the
rules or boundaries of authority delegated to individuals in the enterprise.
Procedures establish the instructions that individuals must follow to complete their daily
assigned tasks. Mandating that all requests for changes to existing programs must be
approved by user and IS management before programmers and analysts can work on them is
an example of a policy. Documented instructions for filling out a standard change request
form, how to justify the costs of the change, how to specify the changes needed, how to obtain
approvals, and who to obtain the approvals from are examples of procedures. Documented
policies should exist in IS for:
Use of IS resources,
Physical security,
Data security
On-line security,
Microcomputer use,
Reviewing, evaluating, and purchasing hardware and software,
System development methodology, and
Application program changes.
Documented procedures should exist for all data processing activities.
(iii) Job descriptions : These communicate management's specific expectations for job
performance. Job procedures establish instructions on how to do the job and policies define
the authority of the employee. All jobs must have a current, documented job description
readily available to the employee. Job descriptions establish responsibility and the
accountability of the employees' actions.
(iv) Segregation of duties : This is a common control technique aimed at separating
conflicting job duties, primarily to discourage fraud, because separating duties makes
collusion necessary to commit a fraud. Such separation can also force an accuracy check of
one person's work by another, so that employees to some extent police each other. Examples
of segregation of duties are:
Systems software programming group from the application programming group
Database administration group from other data processing activities
Computer hardware operations from the other groups
Application programming group into various subgroups for individual application systems
Systems analyst function from the programming function
Physical, data, and online security group(s) from the other IS functions.
IS Audit
It is the responsibility of the senior management to implement a division of roles and
responsibilities, which should exclude the possibility for a single individual to subvert a critical
process. Management should also make sure that personnel are performing only those duties
stipulated for their respective jobs and positions. From a functional perspective, segregation of
duties should be maintained between the following functions:
Information systems use
Data entry
Computer operation
Network management
System administration
Systems development and maintenance
Change management
Security administration
Security audit
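The segregation-of-duties requirement is checkable mechanically once the incompatible pairs of functions are written down. The following added example (not from the study material) does that over a set of role assignments; the incompatible pairs are an assumption drawn from the functions listed above, and the users and their granted functions are constructed.

```python
"""Segregation-of-duties conflict check across IS functions.

Added example, not from the study material. The incompatible pairs are an
assumption drawn from the functions the text says should be kept separate;
the users and their granted functions are constructed.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumed incompatible pairs: one person holding both could subvert a critical
# process alone, without needing anyone else's cooperation.
CONFLICTING_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"systems development and maintenance", "computer operation"}),
    frozenset({"systems development and maintenance", "change management"}),
    frozenset({"security administration", "security audit"}),
    frozenset({"data entry", "security administration"}),
    frozenset({"data entry", "system administration"}),
}

# Constructed role assignments: user -> functions granted.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "asha": {"information systems use", "data entry"},
    "ravi": {"systems development and maintenance", "computer operation"},
    "meena": {"security administration", "security audit"},
    "john": {"network management", "system administration"},
}


def sod_violations(assignments: Dict[str, Set[str]],
                   conflicting: Set[FrozenSet[str]] = CONFLICTING_PAIRS
                   ) -> Dict[str, List[Tuple[str, str]]]:
    """Users holding an incompatible pair of functions, with the offending pairs."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user, functions in assignments.items():
        hits = [(a, b) for a, b in combinations(sorted(functions), 2)
                if frozenset({a, b}) in conflicting]
        if hits:
            findings[user] = hits
    return findings


def requires_collusion(assignments: Dict[str, Set[str]], f1: str, f2: str) -> bool:
    """True when no single user holds both functions, so that misusing the pair
    would need two people acting together, which is the design goal of the control."""
    return not any({f1, f2} <= functions for functions in assignments.values())


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(user, "holds incompatible functions:", pairs)
    print("data entry / security administration need collusion:",
          requires_collusion(ASSIGNMENTS, "data entry", "security administration"))
```

Where a finding cannot be removed by reassigning functions (a small IT team, for instance), it is the natural place to document the compensatory control, such as independent review of the change logs, that management relies on instead.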
3.7.5 Management Controls: The controls adopted by the management of an enterprise are
to ensure that the information systems function correctly and that they meet the strategic
business objectives. The management has the responsibility to determine whether the controls
that the enterprise system has put in place are sufficient to ensure that the IT activities are
adequately controlled. The scope of control here includes framing high level IT policies,
procedures and standards from a holistic view and establishing a sound internal controls
framework within the organisation. The high level policies establish the framework on which the
controls for the lower hierarchy of the enterprise are built. The controls flow from the top of an
organisation down, i.e. the responsibility still lies with the senior management.
The controls to consider when reviewing the organisation and management controls in an IS
system shall include:
Responsibility: The strategy to have a senior management person responsible for the
IS within the overall organisational structure.
An official IT structure: There should be a prescribed organisation structure, with all staff
made aware of their roles and responsibilities through written down and agreed job
descriptions.
An IT steering committee: The steering committee shall comprise user
representatives from all areas of the business, and IT personnel. The committee would
be responsible for the overall direction of IT. Here the responsibility lies beyond just the
accounting and financial systems, for example, the telecommunications system (phone
lines, video-conferencing), office automation, and manufacturing processing systems.
3.7.6 Financial Control Techniques: These controls are generally defined as the procedures
exercised by the system user personnel over source, or transactions origination, documents
before system input. These areas exercise control over transactions processing using reports
generated by the computer applications to reflect un-posted items, non-monetary changes,
item counts and amounts of transactions for settlement of transactions processed and
reconciliation of the applications (subsystem) to general ledger. The financial control
techniques are numerous. A few examples are highlighted here:
(i) Authorization : This entails obtaining the authority to perform some act typically access to
such assets as accounting or application entries.
(ii) Budgets : These are estimates of the amount of time or money expected to be spent during a
particular period of time, project, or event. The budget alone is not an effective control:
budgets must be compared with the actual performance, including isolating differences and
researching them for a cause and possible resolution.
(iii) Cancellation of documents : This marks a document in such a way as to prevent its reuse.
This is a typical control over invoices, marking them with a paid or processed stamp or
punching a hole in the document.
(iv) Documentation : This includes written or typed explanations of actions taken on specific
transactions; it also refers to written or typed instructions, which explain the performance of
tasks.
(v) Dual control : This entails having two people simultaneously access an asset. For
example, the depositories of banks' 24-hour teller machines should be accessed and emptied
with two people present. Many people confuse dual control with dual access, but these are
distinct and different. Dual access divides the access function between two people : once
access is achieved, only one person handles the asset. With teller-machines, for example, two
tellers would open the depository vault door together, but only one would retrieve the deposit
envelopes.
(vi) Input/ output verification : This entails comparing the information provided by a computer
system to the input documents. This is an expensive control that tends to be over-recommended
by auditors. It is usually aimed at totals such as dollar totals and item counts.
(vii) Safekeeping : This entails physically securing assets, such as computer disks, under lock
and key, in a desk drawer, file cabinet storeroom, or vault.
(viii) Segregation of duties : This entails assigning similar functions to separate people to
provide reasonable assurance against fraud and provide an accuracy check of the other
persons work. For example, the responsibilities for making financial entries to the application
and to the general ledger should be separated.
(ix) Sequentially numbered documents : These are working documents with preprinted
sequential numbers, which enables the detection of missing documents.
(x) Supervisory review : This refers to the review of specific work by a supervisor : but what is not
obvious is that this control requires a sign-off on the documents by the supervisor, in order to
provide evidence that the supervisor at least handled them. This is an extremely difficult
control to test after the fact because the auditor cannot judge the quality of the review unless
he or she witnesses it, and, even then, the auditor cannot attest to what the supervisor did
when the auditor was not watching.
3.7.7 Data Processing Environment Controls: These controls are hardware and software
related and include procedures exercised in the IS environmental areas. The environmental
areas include system software programming, on-line programming, on-line transaction
systems, database administration, application program change control, the data
center and the media library.
3.7.8 Physical Access Controls: These controls are personnel, hardware and software
related and include procedures exercised on access by employees/outsiders to IT resources.
The controls relate to establishing appropriate physical security and access control measures
for IT facilities, including off-site use of information devices in conformance with the general
security policy.
These Physical security and access controls should address not only the area containing
system hardware, but also locations of wiring used to connect elements of the system,
supporting services (such as electric power), backup media and any other elements required
for the system's operation. Access should be restricted to individuals who have been
authorized to gain such access. Where IT resources are located in public areas, they should
be appropriately protected to prevent or deter loss or damage from theft or vandalism. Further,
IT management should ensure a low profile is kept and the physical identification of the site of
the IT operations is limited. The other measures relate to Visitor Escort, Personnel Health and
Safety, Protection against Environmental Factors and Uninterruptible Power Supply.
3.7.9 Logical Access Controls: These controls are software related and include procedures
exercised in the IS software through access controls through system software and application
software. Logical access controls are implemented to ensure that access to systems, data and
programs is restricted to authorized users so as to safeguard information against unauthorized
use, disclosure or modification, damage or loss. The key factors considered in designing
logical access controls include confidentiality and privacy requirements, authorization,
authentication and access control, user identification and authorization profiles, incident
handling, reporting and follow-up, virus prevention and detection, firewalls, centralized security
administration, user training and tools for monitoring compliance, intrusion testing and
reporting.
3.7.10 SDLC (System Development Life Cycle) controls: These are functions and activities,
generally performed manually, that control the development of application systems, either
through in-house design and programming or package purchase. The first control requirement
is system development standards that specify the activities that should occur in each system
development life cycle (SDLC) phase. For example, these standards specify the type and
quantity of testing that should be conducted. The second element of control is documented
procedures that communicate how the activities in each phase should be accomplished. These
procedures establish control functions in each phase.
3.7.11 Business Continuity (BCP) Controls: These controls relate to having an operational
and tested IT continuity plan, which is in line with the overall business continuity plan, and its
related business requirements so as to make sure IT services are available as required and to
ensure a minimum business impact in the event of a major disruption. The controls include
criticality classification, alternative procedures, back-up and recovery, systematic and regular
testing and training, monitoring and escalation processes, internal and external organizational
responsibilities, business continuity activation, fallback and resumption plans, risk
management activities, assessment of single points of failure and problem management.
3.7.12 Application Control Techniques: These include the programmatic routines within the
application program code. The financial controls, discussed earlier, are performed by the user
to help ensure the accuracy of application processing. The objective of application controls
is to ensure that data remains
complete, accurate and valid during its input, update and storage. The specific controls could
include form design, source document controls, input, processing and output controls, media
identification, movement and library management, data back-up and recovery, authentication
and integrity, data ownership, data administration policies, data models and data
representation standards, integration and consistency across platforms, legal and regulatory
requirements. Any function or activity that works to ensure the processing accuracy of the
application can be considered an application control.
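Input controls of the kind listed above are implemented as programmed edit checks. The following added example (not from the study material) shows such checks over a constructed payroll time-sheet layout: completeness, format, validity against a reference table, limit and reasonableness checks on numeric fields, and a date check. The department table, the limits and the sample records are all assumptions made for the example.

```python
"""Input edit checks as a programmed application control.

Added example, not from the study material. The payroll time-sheet layout,
the valid-department table, the limits and the sample records are constructed.
"""
import re
from datetime import date
from typing import Dict, List, Tuple

VALID_DEPARTMENTS = {"HR", "FIN", "OPS"}   # constructed reference table (validity check)
MAX_HOURS_PER_PERIOD = 80.0                 # constructed hard limit
REASONABLE_HOURS = 60.0                     # above this the record is flagged, not rejected


def edit_checks(rec: Dict[str, object], today: date = date(2024, 3, 31)) -> List[str]:
    """Return the edit-check findings for one input record; an empty list means the
    record may proceed to processing. Findings prefixed 'WARN' are review flags only."""
    problems: List[str] = []

    # Completeness check: every mandatory field present and non-blank.
    for field in ("emp_id", "department", "hours", "rate", "period_end"):
        if rec.get(field) in (None, ""):
            problems.append(f"{field}: missing")
    if problems:
        return problems   # the remaining checks need all fields present

    # Format check: employee id is 'E' followed by five digits.
    if not re.fullmatch(r"E\d{5}", str(rec["emp_id"])):
        problems.append("emp_id: bad format")

    # Validity check against the reference table.
    if rec["department"] not in VALID_DEPARTMENTS:
        problems.append("department: not in master table")

    # Type, sign, limit and reasonableness checks on numeric fields.
    try:
        hours, rate = float(rec["hours"]), float(rec["rate"])
    except (TypeError, ValueError):
        return problems + ["hours/rate: not numeric"]
    if hours < 0 or hours > MAX_HOURS_PER_PERIOD:
        problems.append("hours: outside 0..80")
    elif hours > REASONABLE_HOURS:
        problems.append("WARN hours: unusually high, review")
    if rate <= 0:
        problems.append("rate: must be positive")

    # Date check: a real calendar date that is not in the future.
    try:
        if date.fromisoformat(str(rec["period_end"])) > today:
            problems.append("period_end: in the future")
    except ValueError:
        problems.append("period_end: invalid date")
    return problems


def screen_batch(records: List[Dict[str, object]]) -> Tuple[List[Dict[str, object]], Dict[object, List[str]]]:
    """Split a batch into records accepted for processing and rejected records with
    their reasons. A record with warnings only is accepted but keeps its flags."""
    accepted, rejected = [], {}
    for rec in records:
        issues = edit_checks(rec)
        if any(not p.startswith("WARN") for p in issues):
            rejected[rec.get("emp_id")] = issues
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample input: one clean record, one reasonableness flag, one record
# failing several checks, and one incomplete record.
SAMPLE_BATCH = [
    {"emp_id": "E00123", "department": "FIN", "hours": 40, "rate": 450.0, "period_end": "2024-03-31"},
    {"emp_id": "E00124", "department": "FIN", "hours": 72, "rate": 450.0, "period_end": "2024-03-31"},
    {"emp_id": "12345", "department": "MKT", "hours": 95, "rate": -1, "period_end": "2024-02-30"},
    {"emp_id": "E00125", "department": "OPS", "hours": "", "rate": 300.0, "period_end": "2024-03-31"},
]

if __name__ == "__main__":
    ok, bad = screen_batch(SAMPLE_BATCH)
    print("accepted:", [r["emp_id"] for r in ok])
    for emp, reasons in bad.items():
        print("rejected", emp, reasons)
```

Rejected records are reported with every failed check rather than the first one, so the originating department can correct the whole record in one pass; that is what keeps the executing cost of the control low relative to the reprocessing it prevents.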
3.7.13 Audit Trails : Audit trails are logs that can be designed to record activity at the
system, application, and user level. When properly implemented, audit trails provide an
important detective control to help accomplish security policy objectives. Many operating
systems allow management to select the level of auditing to be provided by the system. This
determines which events will be recorded in the log. An effective audit policy will capture all
significant events without cluttering the log with trivial activity.
Audit trail controls attempt to ensure that a chronological record of all events that have
occurred in a system is maintained. This record is needed to answer queries, fulfill statutory
requirements, detect the consequences of error and allow system monitoring and tuning. The
accounting audit trail shows the source and nature of data and processes that update the
database. The operations audit trail maintains a record of attempted or actual resource
consumption within a system.
Application system controls involve ensuring that individual application systems safeguard
assets (reducing expected losses), maintain data integrity (ensuring complete, accurate and
authorized data) and achieve objectives effectively and efficiently from the perspective of
users of the system from within and outside the organization.
3.7.14 Audit Trail Objectives: Audit trails can be used to support security objectives in three
ways:
- Detecting unauthorized access to the system,
- Facilitating the reconstruction of events, and
- Promoting personal accountability.
Each of these is described below:
(i) Detecting Unauthorized Access : Detecting unauthorized access can occur in real time or
after the fact. The primary objective of real-time detection is to protect the system from
outsiders who are attempting to breach system controls. A real-time audit trail can also be
used to report on changes in system performance that may indicate infestation by a virus or
worm. Depending upon how much activity is being logged and reviewed, real-time detection
can impose a significant overhead on the operating system, which can degrade operational
performance. After-the-fact detection logs can be stored electronically and reviewed
periodically or as needed. When properly designed, they can be used to determine if
unauthorized access was accomplished, or attempted and failed.
(ii) Reconstructing Events : Audit analysis can be used to reconstruct the steps that led to
events such as system failures, security violations by individuals, or application processing
errors. Knowledge of the conditions that existed at the time of a system failure can be used to
assign responsibility and to avoid similar situations in the future. Audit trail analysis also plays
an important role in accounting control. For example, by maintaining a record of all changes to
account balances, the audit trail can be used to reconstruct accounting data files that were
corrupted by a system failure.
(iii) Personal Accountability : Audit trails can be used to monitor user activity at the lowest
level of detail. This capability is a preventive control that can be used to influence behavior.
Individuals are less likely to violate an organization's security policy if they know that their
actions are recorded in an audit log.
Implementing an Audit Trail : The information contained in audit logs is useful to accountants
in measuring the potential damage and financial loss associated with application errors, abuse
of authority, or unauthorized access by outside intruders. Logs also provide valuable
evidence for assessing both the adequacy of controls in place and the need for additional
controls. Audit logs, however, can generate data in overwhelming detail. Important information
can easily get lost among the superfluous detail of daily operation. Thus, poorly designed logs
can actually be dysfunctional.
3.8 User Controls
Application system controls are undertaken to accomplish reliable information processing
cycles that perform the processes across the enterprise. Applications represent the interface
between the user and the business functions. For example, a counter clerk at a bank is
required to perform various business activities as part of his job description and assigned
responsibilities. He is able to relate to the advantages of technology when he is able to
interact with the computer system from the perspective of meeting his job objectives. From the
point of view of users, it is the applications that drive the business logic. The following table
lists the user controls that are to be exercised for system effectiveness and efficiency.
| Controls | Scope | Audit Trail: Accounting | Audit Trail: Operations |
|---|---|---|---|
| Boundary Controls | Establishes the interface between the user of the system and the system itself. The system must ensure that it has an authentic user. Users must ensure that they are given authentic resources. Users are allowed to use resources in restricted ways. | Authentication of the users of the system (identity). Resources and action privileges requested/provided/denied. Number of sign-on attempts. Where digital signatures are used for authentication, the audit trail includes registration of public keys, registration of signatures and notification of key compromises. | Resource usage from log-on to log-out time. For example, an intrusion-detection control that monitors the amount of process time consumed by a user to detect deviations from the user's past trail for a similar process. |
| Input Controls | Responsible for the data and instructions input into the information system. Input controls are the validation and error detection of data input into the system. | Originator of the data/instruction, time and date the data/instruction was entered, physical device used by the user, type of data/instruction and output processed. | Number of read errors, number of keying errors, frequency of instruction usage and time taken to process an instruction. |
| Processing Controls | Responsible for computing, sorting, classifying and summarizing data. Maintains the chronology of events from the time data is received from input or communication systems to the time data is stored in the database or output as results. | To trace and replicate the processing performed on a data item. Triggered transactions to monitor input data entry, intermediate results and output data values. | A comprehensive log of resource consumption data with respect to hardware (processor time, peripherals, memory, communication etc.), software (programs, instructions) and data (file access, frequency of access). |
| Output Controls | To provide functions that determine the data content available to users, data format, timeliness of data and how data is prepared and routed to users. | Shows what output was presented to users, who received the output, when the output was received and what actions were taken with the output. | Maintains the record of resources consumed: graphs, images, report pages, printing time and display rate. |
| Database Controls | Responsible for providing functions to define, create, modify, delete and read data in an information system. Maintains declarative data (e.g. a payroll file storing the pay rates for each employee) and procedural data (a set of rules to perform operations on the data to help a manager take decisions). | A unique time stamp on all transactions, before and after images of the data item on which a transaction is applied, and any modifications or corrections to audit trail transactions accommodating the changes that occur within an application system. | To maintain a chronology of events that consume resources of the database. The response time of queries made on the database. |

Table 3.3 : User controls and Audit Trail
3.8.1 User controls : Error Identification, Correction and Recovery Controls
(i) Boundary Controls : The major controls of the boundary system are the access control
mechanisms. Access controls are implemented with an access control mechanism that links
the authentic users to the authorized resources they are permitted to access. The access
control mechanism performs the three steps of identification, authentication and authorization
with respect to the access control policy implemented, as shown in Fig. 3.8. The user can
provide three classes of input information for the authentication process and gain access to
his required resources. The three classes of information with respect to the corresponding
input to the boundary control are summarized in the table below.
| Class of information | Types of input |
|---|---|
| Personal information | Name, birth date, account number, password, PIN |
| Personal characteristics | Fingerprint, voice, hand size, signature, retinal pattern |
| Personal objects | Identification cards, badge, key, finger ring |

Table 3.4 : Authentic Information
Fig. 3.8 : Identification/Authentication /Authorization Process
Boundary control techniques are:
- Cryptography : deals with programs for transforming data into codes that are meaningless to
anyone who does not possess the authentication to access the respective system resource or
file. A cryptographic technique encrypts data (clear text) into cryptograms (cipher text) and its
strength depends on the time and cost to decipher the cipher text by a cryptanalyst. The three
techniques of cryptography are transposition (permute the order of characters within a set of
data), substitution (replace text with a key-text) and product cipher (combination of
transposition and substitution).
[Fig. 3.9 content: the clear text CALL THE MANAGER is converted by the cryptographer into
cipher text in two ways. (M1) Transposition, reversing words: LLAC EHT REGANAM.
(M2) Substitution, replacing each letter of ABCDEFGHIJKLMNOPQRSTUVWXYZ with the key-text
CRYPTOGAPHZSECNIQULMNBDFJK: YCZZ MAT SCECGTU. Factors: time and cost for decryption,
small key, message size and low error. The cryptanalyst checks validity.]
Fig. 3.9 : Cryptography
- Passwords : User identification by an authentication mechanism with personal
characteristics like name, birth date, employee code, function, designation or a combination
of two or more of these can be used as a password boundary access control. A few best
practices followed to avoid failures in this control system are: minimum password length,
avoiding common dictionary words, periodic change of passwords, encryption of passwords
and limiting the number of entry attempts.
- Personal Identification Numbers (PIN) : The personal identification number is similar to a
password. It is assigned to a user by an institution based on the user's characteristics and
encrypted using a cryptographic algorithm, or the institution generates a random number
stored in its database independent of the user's identification details, or the customer selects
the number. Hence a PIN, like a digital signature, is exposed to vulnerabilities during issuance
or delivery, validation, transmission and storage.
- Identification Cards : Identification cards are used to store information required in an
authentication process. The cards used to identify a user are to be controlled through the
application for a card, preparation of the card, issue, use and card return or card termination
phases.
Fig. 3.10 : What you have (Token), what you know (password/PIN) and who you are (Biometric)
(ii) Input Controls : are responsible for ensuring the accuracy and completeness of data and
instruction input into an application system. Input controls are important since substantial time
is spent on input of data, which involves human intervention and is therefore error and fraud prone.
Data codes are used to uniquely identify an entity or identify an entity as a member of a group
or set. Poorly designed data codes cause recording and keying errors. Auditors should
evaluate the quality of coding systems to analyze their impact on the integrity and accuracy of
data keyed into the system.
Types of data coding errors:
- Addition : Addition of an extra character in a code, e.g. 54329 coded as 543219
- Truncation : Omission of characters in the code, e.g. 54329 coded as 5439
- Transcription : Recording wrong characters, e.g. 54329 coded as 55329
- Transposition : Reversing adjacent characters, e.g. 54329 coded as 453219
- Double transposition : Reversing characters separated by one or more characters, e.g.
54329 is entered as 52349.
Factors affecting coding errors are as follows:
- Length of the code : Long codes are naturally prone to more errors. Long codes should be
broken using hyphens, slashes or spaces to reduce coding errors.
- Alphabetic numeric mix : The code should provide for grouping of alphabetic and numeric
characters separately if both are used. Intermingling both results in more errors.
- Choice of characters : Certain letters are confused with numerals: B, I, O, S, V and Z may be
confused with 8, 1, 0, 5, U and 2 when written on a source document and entered into the
system. Such characters should be avoided.
- Mixing uppercase/lowercase fonts : Upper case and lower case should NOT be mixed when
using codes since they delay the process of keying in due to usage of the shift key. Further,
such codes are prone to errors.
- Sequence of characters : Character sequence should be maintained as much as possible,
such as using ABC instead of ACB.
Errors made in transcribing and keying data can have serious consequences for the
enterprise. A control used to guard against these types of errors is the check digit. Check
digits are redundant digits that help verify the accuracy of the other characters in the code
being checked. They may be prefixes or suffixes to the actual data. When the code is entered,
the program recalculates the check digit and compares it with the check digit in the code to
determine whether the code is correct.
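As an added example (not from the study material), a weighted modulus-11 check digit used as a suffix, with the recalculation done on entry run against constructed mis-keyed versions of the sample code 54329 covering the five error types listed above:

```python
# Added example (not from the ICAI text): a weighted modulus-11 check digit, used as a
# suffix on a numeric data code, and the detection it gives against the five coding
# error types listed above. The code value and the mis-keyed variants are constructed.


def compute_check_digit(body: str) -> str:
    """Return the check character for a numeric code body.

    Digits are weighted 2, 3, 4, ... reading from the right. The check character
    (weight 1) makes the total weighted sum divisible by 11; a check value of 10
    is written as 'X' so the suffix stays one character long.
    """
    if not body.isdigit():
        raise ValueError("code body must be numeric")
    weighted = sum(int(d) * w for d, w in zip(reversed(body), range(2, len(body) + 2)))
    check = (11 - weighted % 11) % 11
    return "X" if check == 10 else str(check)


def encode(body: str) -> str:
    """Append the check digit to the body, as the code would appear on a source document."""
    return body + compute_check_digit(body)


def verify(entered: str, expected_length: int) -> bool:
    """Recalculate the check digit on entry and compare it with the one keyed in.

    The length test catches addition and truncation. The recalculation catches
    transcription and (double) transposition: 11 is prime and the weights are
    distinct, so no single changed digit or swapped pair leaves the sum unchanged.
    """
    if len(entered) != expected_length:
        return False
    body, keyed_check = entered[:-1], entered[-1]
    return body.isdigit() and compute_check_digit(body) == keyed_check.upper()


def detection_results(body: str, variants: dict) -> dict:
    """Run verify() over mis-keyed bodies; a True value means the error slipped through."""
    length = len(body) + 1
    good = encode(body)
    results = {"correct": verify(good, length)}
    for error_type, wrong_body in variants.items():
        # Only the body was mis-keyed; the operator keyed the correct check digit.
        results[error_type] = verify(wrong_body + good[-1], length)
    return results


if __name__ == "__main__":
    # The page's sample code 54329 with the five error types applied (constructed).
    VARIANTS = {
        "addition": "543219",
        "truncation": "5439",
        "transcription": "55329",
        "transposition": "45329",
        "double transposition": "52349",
    }
    print(encode("54329"))  # 543292
    for kind, accepted in detection_results("54329", VARIANTS).items():
        print(f"{kind:22s} accepted={accepted}")
```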
- Existence/Recovery Controls : Controls relating to data input are critical. It might be
necessary to reprocess input data in the event master files are lost, corrupted, or destroyed.
Controls relating to instructions are often in the form of changes to data which are recorded in
the audit trail. Thus source documents or transaction listings are to be stored securely for
longer periods for reasons of compliance with statutory requirements.
(iii) Processing Controls : Data processing controls perform validation checks to identify
errors during processing of data. They are required to ensure both the completeness and the
accuracy of data being processed. Normally the processing controls are enforced through the
database management system that stores the data. However, adequate controls should be
enforced through the front end application system also to have consistency in the control
process.
Data processing controls are:
- Run-to-run totals : These help in verifying data that is subject to processing through
different stages. If the current balance of an invoice ledger is ₹ 150,000 and the additional
invoices for the period total ₹ 20,000, then the total sales value should be ₹ 170,000. A
specific record (probably the last record) can be used to maintain the control total.
- Reasonableness verification : Two or more fields can be compared and cross verified to
ensure their correctness. For example, the statutory percentage of provident fund can be
calculated on the gross pay amount to verify if the provident fund contribution deducted is
accurate.
- Edit checks : Edit checks similar to the data validation controls can also be used at the
processing stage to verify accuracy and completeness of data.
- Field initialization : Data overflow can occur if records are constantly added to a table or if
fields are added to a record without initializing it, i.e., setting all values to zero before
inserting the field or record.
- Exception reports : Exception reports are generated to identify errors in data processed.
Such exception reports give the transaction code and why the particular transaction was not
processed or what the error in processing the transaction was. For example, while processing
a journal entry, if only the debit entry was updated and the credit entry was not updated due
to absence of one of the important fields, then the exception report would detail the
transaction code and why it was not updated in the database.
- Existence/Recovery Controls : The check-point/restart log facility is a short-term backup and
recovery control that enables a system to be recovered if failure is temporary and localized.
(iv) Output Controls : ensure that the data delivered to users will be presented, formatted and
delivered in a consistent and secured manner. Output can be in any form: it can be a printed
data report, a database file on removable media such as a floppy disk or CD-ROM, or a Word
document on the computer's hard disk. Whatever the type of output, it should be ensured that
the confidentiality and integrity of the output is maintained and that the output is consistent.
Output controls have to be enforced both in a batch-processing environment and in an online
environment.
- Storage and logging of sensitive, critical forms : Pre-printed stationery should be stored
securely to prevent unauthorized destruction or removal and usage. Only authorized persons
should be allowed access to stationery supplies such as security forms, negotiable
instruments etc.
- Logging of output program executions : When programs used for output of data are
executed, it should be logged and monitored. In the absence of control over such output
program executions, confidentiality of data could be compromised.
- Spooling/Queuing : Spool is an acronym for Simultaneous Peripheral Operations Online.
This is a process used to ensure that the user is able to continue working even before the
print operation is completed. When a file is to be printed, the operating system stores the data
stream to be sent to the printer in a temporary file on the hard disk. This file is then spooled to
the printer as soon as the printer is ready to accept the data. This intermediate storage of
output could lead to unauthorized disclosure and/or modification. A queue is the list of
documents waiting to be printed on a particular printer. This queue should not be subject to
unauthorized modifications.
- Controls over printing : It should be ensured that unauthorized disclosure of information
printed is prevented. Users must be trained to select the correct printer, and access
restrictions may be placed on the workstations that can be used for printing.
- Report distribution and collection controls : Distribution of reports should be made in a
secure way to prevent unauthorized disclosure of data. It should be made immediately after
printing to ensure that the time gap between generation and distribution is reduced. A log
should be maintained as to what reports were generated and to whom they were distributed.
Where users have to collect reports, the user should be responsible for timely collection of
the report, especially if it is printed in a public area. A log should be maintained as to what
reports were printed and which of them were collected. Uncollected reports should be stored
securely.
- Retention controls : Retention controls consider the duration for which outputs should be
retained before being destroyed. Consideration should be given to the type of medium on
which the output is stored. Retention control requires that a date should be determined for
each output item produced. Various factors, ranging from the need for the output and use of
the output to legislative requirements, affect the retention period.
- Existence/Recovery Controls : These are needed to recover output in the event that it is lost
or destroyed. If the output is written to a spool of files or report files and has been kept, then
recovering and regenerating it is easy and straightforward. Before and after images record the
state of a transaction at a point of time. Check-point/restart helps in recovery when a hardware
problem causes a program that prints customer invoices to abort in midstream.
(v) Database Controls : The controls that protect the integrity of a database when application
software acts as an interface between the user and the database are called update controls
and report controls.
The update controls are:
- Sequence Check Transaction and Master Files : Synchronization and the correct sequence
of processing between the master file and transaction file is critical to maintain the integrity of
updation, insertion or deletion of records in the master file with respect to the transaction
records. If errors in this stage are overlooked, it leads to corruption of critical data.
- Ensure All Records on Files are Processed : While processing the transaction file records
mapped to the respective master file, reaching the end-of-file of the transaction file together
with the end-of-file of the master file is to be ensured.
- Process Multiple Transactions for a Single Record in the Correct Order : Multiple
transactions can occur based on a single master record (e.g. dispatch of a product to
different distribution centers). Here the order in which transactions are processed against the
product master record must be based on sorted transaction codes.
- Maintain a Suspense Account : When mapping between the master record and transaction
record results in a mismatch due to the absence of the corresponding record entry in the
master file, these transactions are maintained in a suspense account. A non-zero balance of
the suspense account reflects the errors to be corrected.
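The run-to-run totals from the processing controls above and the four update controls just listed, worked through on a small master-file update as an added example (not ICAI code; the account numbers, amounts and the trailer-record layout are constructed):

```python
# Added example, not ICAI code: a sequential master-file update that applies the update
# controls described above (sequence check, all records processed, multiple transactions
# per master record in order, suspense account) and produces run-to-run control totals.
# Account numbers, amounts and the trailer-record layout are constructed for illustration.
from dataclasses import dataclass


@dataclass
class UpdateRun:
    closing: dict           # account -> balance after the run
    suspense: list          # transactions with no matching master record
    sequence_errors: list   # transactions found out of sorted order
    control: dict           # run-to-run totals and the reconciliation result


def update_master(master: dict, transactions: list, trailer: dict) -> UpdateRun:
    """Apply (seq, account, amount) transactions to a master of account -> balance.

    transactions must be sorted by account and then by sequence number so that
    several transactions against one master record are processed in order.
    trailer is the transaction file's trailer record: {"count": n, "hash_total": sum}.
    """
    opening_total = sum(master.values())
    closing = dict(master)
    suspense, sequence_errors = [], []
    posted = 0

    previous_key = None
    for seq, account, amount in transactions:
        key = (account, seq)
        # Sequence check: the transaction file must be in master-file order.
        if previous_key is not None and key <= previous_key:
            sequence_errors.append((seq, account, amount))
        previous_key = key
        if account in closing:
            closing[account] += amount
            posted += 1
        else:
            # No master record: hold the item in suspense instead of dropping it.
            suspense.append((seq, account, amount))

    transaction_total = sum(amount for _, _, amount in transactions)
    suspense_balance = sum(amount for _, _, amount in suspense)
    closing_total = sum(closing.values())
    control = {
        "opening_total": opening_total,
        "transaction_total": transaction_total,
        "expected_closing": opening_total + transaction_total,
        "closing_total": closing_total,
        "suspense_balance": suspense_balance,
        # All records processed: what was read and handled matches the trailer record.
        "all_records_processed": (posted + len(suspense) == trailer["count"]
                                  and transaction_total == trailer["hash_total"]),
        # Run-to-run total: posted balances plus suspense must equal the expected total;
        # a difference means a record was dropped or mis-posted.
        "reconciled": closing_total + suspense_balance == opening_total + transaction_total,
    }
    return UpdateRun(closing, suspense, sequence_errors, control)


def print_run_to_run(run: UpdateRun) -> None:
    """Print the run-to-run control totals and suspense entries (the report controls)."""
    for name, value in run.control.items():
        print(f"{name:22s} {value}")
    for seq, account, amount in run.suspense:
        print(f"SUSPENSE seq={seq} account={account} amount={amount}")
    for seq, account, amount in run.sequence_errors:
        print(f"OUT OF SEQUENCE seq={seq} account={account} amount={amount}")


if __name__ == "__main__":
    # Constructed sample files: three master records and four transactions, one of
    # them (A999) for an account that has no master record.
    MASTER = {"A100": 1000, "A200": 500, "A300": 250}
    TRANSACTIONS = [(1, "A100", 150), (2, "A100", -50), (3, "A200", 200), (4, "A999", 75)]
    TRAILER = {"count": 4, "hash_total": 375}
    print_run_to_run(update_master(MASTER, TRANSACTIONS, TRAILER))
```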
The report controls are:
- Standing Data : Application programs use many internal tables to perform various functions
like gross pay calculation, billing calculation based on a price table, bank interest calculation
etc. Maintaining the integrity of the pay rate table, price table and interest table is critical
within an organization. Any changes or errors in these tables would have an adverse effect on
the organization's basic functions. Periodic monitoring of these internal tables by means of
manual check or by calculating a control total is mandatory.
- Print Run-to-Run Control Totals : Run-to-run control totals help in identifying errors or
irregularities like a record dropped erroneously from a transaction file, wrong sequence of
updating or application software processing errors.
- Print Suspense Account Entries : Similar to the update controls, the suspense account
entries are to be periodically monitored against the respective error file and action taken on
time.
- Existence/Recovery Controls : The back-up and recovery strategies together encompass
the controls required to restore a database after failure. Backup strategies are implemented
using a prior version and a log of transactions or changes to the database. Recovery
strategies involve roll-forward (current state database from a previous version) or roll-back
(previous state database from the current version) methods.
3.9 System Development and Acquisition Controls
It is important to have a formal, appropriate, and proven methodology to govern the development,
acquisition, implementation, and maintenance of information systems and related technologies.
The methodology should contain appropriate controls for management review and approval, user
involvement, analysis, design, testing, implementation, and conversion. The methodology should also
make it possible for management to trace information inputs from their source to their final
disposition or from their final disposition back to the original source (the audit trail).
Software development is an integrated process spanning the entire IT organization. The term
life cycle can be taken to represent the collection of agreed upon steps to control
development, modification and distribution of code. While change and configuration
management denote separate entities exerting policy over standards for the production
environment, the design of these standards and all efforts between these points can be
characterized as the world of software development and code.
The IT Governance Institute (ITGI) has produced clear and aligned frameworks for the
representation of software development best practice. The newly numbered control process
Acquire and Implement 7 (AI7), Install and accredit solutions and changes, of Control Objectives
for Information and related Technology (COBIT) 4.0 is the most widely adopted matrix and
measure for all integrated IT and enterprise controls. It aligns with the concepts of the Capability
Maturity Model (CMM), IT Infrastructure Library (ITIL), ISO/IEC 17799 and COSO. COBIT 4.0
advances with increased attention in the areas of SDLC, quality and project risk management.
Install and accredit solutions and changes is the high-level functional area that captures the
greatest number of features representing the activities related to SDLC or release
management. AI7 as stated in the standards document:
New systems need to be made operational once development is complete. This requires proper
testing in a dedicated environment with relevant test data, definition of rollout and migration
instructions, release planning and actual promotion to production, and a post-implementation review.
This assures that operational systems are in line with the agreed expectations and outcomes.
AI7 includes inputs and outputs to configuration, project, change, maintenance and acquisition
programs. With handoffs based in triggers, performance goals, measurements and business-
based criteria, documented consensus, and tested results, evidence of their implementation is
best suited to automated systems. For a detailed discussion on the standards (COBIT, ITIL and
CMMI) refer to chapter 8.
3.9.1. Controls over the System Development phases and Auditor's Role: The SDLC
phases define an agenda of issues that stakeholders (management, users, and software
developers) in the system development process must address. The quality of the systems
development will depend on how well the stakeholders come to grips with the issues in the
context of the project. The following subsections will examine the controls that are important in
the major system development phases.
3.9.2. Problem definition: In this phase the stakeholders must attempt to come to an
understanding of the nature of the problem or opportunity they are addressing. The information
system requirement can arise through a formal systems planning process or from a need for
information system support that is felt by chance.
Controls
- The need for the information system in the purview of the business requirement.
- Support and priority for the information system by the management.
- Level of acceptance among the stakeholders on the need for change.
- The investigation and strategy by which the need for the system is justified.
Auditor's Role
The auditors are concerned with:
- Whether the stakeholders have reached an agreement on the existence of a problem or
opportunity.
- An understanding of the threats to asset safeguarding, data integrity, system effectiveness
and system efficiency associated with the solutions proposed for the system.
3.9.3. Management of the change process: Management of the change process runs parallel
to all the phases of SDLC.
Controls: Project management involves addressing matters such as budgeting, exception
reporting, checkpoints and user coordination.
Change facilitation deals with the following critical activities:
- Preparing the organization for an unrestricted change through feedback, training and
participatory decision making, and promoting the need for change.
- Complete changeover to the new system.
- Helping users adapt to their new roles and re-freezing activities by providing positive
feedback and behavioral patterns.
Auditor's Role
- To evaluate the quality of decisions made with respect to project management and change
facilitation.
- If the proposed system is small, it has a localized impact on users and change management
can be done in-house with less material concerns.
- If the proposed system is large, it has high levels of requirements and technological
uncertainty, and organization structures and jobs will be significantly affected.
3.9.4. Entry and feasibility assessment: The specific techniques used to evaluate the feasibility
of systems depend on the type and size of the system being proposed, as illustrated in Fig. 3.11.
[Figure: the systems development process is assessed against behavioral, economic,
operational and technical feasibility; the outcome is either Stop or Proceed.]
Fig. 3.11 : Feasibility criteria for SDLC.
Controls
- Technical Feasibility : Can technology be acquired, developed or made available to support
the proposed project?
- Operational Feasibility : Can the system be designed to process inputs and give the required
outputs?
- Economic Feasibility : The proposed system is deemed feasible only if the benefits exceed
all the cost requirements.
- Behavioral Feasibility : Can the system improve the quality of work life of the users?
Auditor's Role
- Whether the change proposed is not imposed upon stakeholders.
- The behavioral impact on the users and the problems that arise in the proposed system.
- The material losses incurred as a result of the development, implementation, operation or
maintenance of the system.
3.9.5. Analysis of the existing system: To design a new system, first it is essential to
understand the existing system. An analysis should include:
- A study of the existing organizational history, structure and culture
- A study of the existing information flows
Controls: The study of the history of systems in an organization gives an idea of : the types of
systems that have been extremely useful; issues that have not been addressed over a period;
and new issues that require attention. The organizational structure gives an idea of the power
equations within an organization.
The study of the existing information flows is done using formal methodologies like top-down
structured analysis (waterfall), prototyping and agile models to understand the system. The
formal methodology helps to analyze data flows and describes logic and policy. These
methodologies and tools were discussed in detail in chapter 2.
Auditor's Role
- The need to study the aspects of the present organizational structure, history and culture.
- The context in which the decision for the new proposed system was made and its
implications for the conduct of the remainder of the audit.
- To evaluate the quality of methodologies used and the strengths of the decisions taken.
- The usage of high-quality tools in analysis and documentation of the existing product.
3.9.6. Formulation of strategic Requirements (System Design): The strategic requirements
document, also called the SRS (System Requirements Specification), identifies the perceived
deficiencies in the existing system, and the requirements of the existing or proposed new
system are evaluated.
Controls: Align the business requirements with the purview of management's objectives and
users' goals, and carry out elicitation of the requirements and system-design work concurrently.
Auditors Role
Evaluate the quality of the SRS design work.
The feasibility of the system-design proposed.
To assess the identified procedures and substantial behavioral impact on the users within
the proposed system.
3.9.7. Organizational and job design: Adapting the organizational structures and job
responsibility with respect to the proposed system often leads to behavioral problems among
its stakeholders and may result in implementation failure.
Controls
The roles and responsibilities of users of the system are to be defined using formal
traditional mechanisms or open-ended structures to facilitate adaptation.
A clear design of the responsibilities in the initial design phase is critical in achieving the
goals; a detailed discussion of roles and responsibilities during the SDLC is given in chapter 2.
Auditor's Role
The auditor is to assess the assigned responsibility and process used to resolve conflicts.
To assess the control risk associated with the responsibilities during SDLC with
substantive testing.
3.9.8. Information processing systems design: From an efficiency viewpoint, the reliability of
the controls designed into the system is to be evaluated against the strategic requirements
of the proposed system.
Controls: The major control activities in the processing systems design phase are depicted in the Fig. 3.12.
Fig. 3.12 : Controls in processing systems design
Requirements elicitation: user requirements and requirement analysis using interviews, group
discussions and prototyping.
User interface design: using source documents of raw data, report formats, screen layouts and
logos/icons.
Data/information flow design.
Database design: optimize the database design using conceptual modeling, data modeling,
storage structure and physical layout.
Physical and platform design: hardware/software design and requirements to meet the
application system, with modularity and generality for future change; identify the boundaries
of modules, packages and programs with respect to hardware, batch/real-time processing and
periodicity.
Auditor's Role
To evaluate the appropriateness of the requirements-elicitation strategy in the scope of
the stakeholders and the quality of the requirements document.
The system design needs to capture all data/information flow within the system.
The structure of the database design and the cost evaluation of the data model are to be
evaluated.
The user interface is the source of user interactivity with the system and is a critical activity;
the design and quality of the interface need to follow best design practices.
The efficiency of the tasks assigned to the appropriate hardware and software resources in
the physical design of the system is to be evaluated; the performance of a critical system can
be evaluated with simulations.
3.9.9. Application Software Acquisition/Selection Process: Once the information flow and
processing within a system is identified and designed then the application software may be
acquired or developed in-house.
Controls : In case of acquisition of a software system the following controls need to be in
place:
Information and system requirements need to meet business and system goals, system
processes to be accomplished, and the deliverables and expectations for the system.
The techniques are interviews, deriving requirements from existing systems, identifying
characteristics from related system, and discovering them from a prototype or pilot
system.
A feasibility analysis to define the constraints or limitations for each alternative system
from a technical as well as a business perspective. It should also include economic,
technical, operational, schedule, legal or contractual, and political feasibility of the
system within the organization scope.
A detailed Request for Proposal (RFP) document needs to specify the acceptable
requirements (functional, technical, and contractual) as well as the evaluation criteria
used in the vendor selection process. The selection criteria should prevent any
misunderstanding or misinterpretation.
While identifying various alternatives, software acquisition involves the critical task of
vendor evaluation. The vendor evaluation process considers the following:
Stability of the supplier company,
Volatility of system upgrades,
Existing customer base,
Supplier's ability to provide support,
Cost-benefits of the hardware/software in support of the supplier application, and
Customized modifications of the application software.
Auditor's Role
Fig. 3.13 : Auditor's Role : Hardware/Software Acquisition
(Figure: the company issues a Request for Proposal to the vendor, who returns a proposal
document. The IS Auditor checks the adequacy of the requirements specification in the RFP and,
for the vendor's proposal, compliance with requirements, quality of documentation, vendor
stability and support, and the nature of contract negotiations.)
To highlight risks before a vendor contract or a software agreement contract is signed.
Ensure that the decision to acquire software flows from a thorough feasibility study and
vendor evaluation, and that the adequacy of the RFP (Request for Proposal) has been checked.
An RFP would include transaction volume, database size, turnaround time and response
time requirements, and vendor responsibilities.
The auditor needs to also check the criteria for pre-qualification of vendors and sufficient
documentation available to justify the selection of the final vendor / product.
The auditor may also collect information through his own sources on vendor viability,
support infrastructure, service record and the like.
Thorough review of the contract signed with the vendor for adequacy of safeguards and
completeness. The contract should address the contingency plan in case of vendor
failures such as, source code availability and third party maintenance support.
To ensure that the contract went through legal scrutiny before it was signed.
3.10 Control Over System and Program Changes
3.10.1. Management of the change process: One of the most critical areas of control in an
information systems environment is change control. The complexity of hardware, software, and
application relationships in the operating environment needs well defined, planned, coordinated,
tested, and implemented change management. Management of the change process runs parallel
to all the phases of SDLC. The change process involves the following tasks:
Providing feedback to the system stakeholders
Preventing system disruptions which may lead to business losses
Achieving an accepted changeover to a new system across the organization
Helping users to adapt to new roles
Documentation and follow up on the recommended and implemented process changes.
The proposed change needs to be reviewed to identify potential conflicts with other
systems.
The change management process is to be reviewed periodically to evaluate its
effectiveness.
Setting the priority and urgency of all requests for change is the responsibility of a change
control board or IT steering committee. The change board and steering committee communicate
their views through an individual given the role of change manager. The priority of changes is
determined by assessing the cost of the change and its impact on the business and its resources.
Quality assurance, security, audit, regulatory compliance, network, and end-user personnel should
be appropriately included in change management processes. Risk and security review should be
done whenever a system modification is implemented to ensure controls remain in place.
Change management (sometimes referred to as configuration management) involves
establishing baseline versions of products, services, and procedures and ensuring all changes
are approved, documented, and disseminated. Change controls should address all aspects of
an organization's technology environment including software programs, hardware and
software configurations, operational standards and procedures, and project management
activities. Management should establish change controls that address major, routine, and
emergency software modifications and software patches.
3.10.2 System Change Controls: Project Management involves addressing matters such as
budgeting, exception reporting, checkpoints and user coordination.
Change-facilitation deals with the following critical activities-
Preparing the organization for an unrestricted change by feedback, training, participatory
decision making and promoting the need for change.
Complete changeover to the new system.
To help users adapt to their new roles and re-freezing activities by providing positive
feedback and behavioral patterns.
Auditor's Role
To evaluate the quality of decisions made with respect to project management and
change facilitation.
If the proposed system is small, it has a localized impact on users and change
management can be done in-house with less material concerns.
If the proposed system is large, it has high-levels of requirements and technological
uncertainty and organization structures and jobs will have significant effect.
Fig. 3.14 : Change Management and Control Process
(Figure: change facilitation and project management run alongside the SDLC phases: planning
and problem definition, system analysis, system design, system development and system
implementation.)
The Change Control process of a system under development is to address the problems not
detected during system design or testing and changes in user requirements. A change control
evaluation includes checks on problem reporting, tracking, prioritizing, and resolving, and on
whether changes are authorized, tested, documented, and communicated through a legitimate
management responsibility. The risks the change control processes deal with are:
System outages due to error, omissions, or malicious intent,
Data loss or errors due to error, omissions, or malicious intent,
Unauthorized changes,
Fraud/abuse to company systems and/or data,
Repeated errors, and
Reruns of system or application processes.
The objectives of a change management review are to ensure that changes made to the system
and programs do not adversely affect system, application, or data availability or integrity.
Auditors need to verify that all changes made to the systems and programs are appropriately
authorized and documented.
3.10.3 Program Change Controls: Application software programs are designed to support a
specific business operation such as payroll or loan accounting. Implementing controls over the
modification of application software programs ensures that only authorized programs and
authorized modifications are implemented. Standard organization-level policies, procedures,
and techniques are to be followed to ensure that all programs and program modifications are
properly authorized, tested, and approved, and that the responsibility for access to implement
changes and for distribution of programs is carefully controlled. Failure of proper controls leads
to software security risks such as virus threats, controls that are deliberately omitted or turned
off, processing irregularities, or malicious code.
Fig. 3.15 : Program Change Controls and Potential Risks
Auditor's Role
To ensure maintenance of software program code libraries (archives of source code and
executable code); software updating is to be done from a central repository.
Appropriate backups of the system's data and programs, storing the various versions of
files, should be made before the change.
Tracking of program changes is to be accounted for through a versioning procedure.
A formal handover process, so that authorized personnel are involved in the software
change testing and update process with clearly assigned responsibilities and the skills,
knowledge, and training to perform them.
Standardized software update (release) management policies, procedures, and tools.
An updated technology inventory of all hardware, software, and services that are used,
prioritized on the criticality of the vulnerability and the importance of the system.
Thorough testing before any new software release is applied in a production
environment.
3.10.4 Authorization Controls: Authorization controls ensure that all information and data
entered or used in processing is authorized by management and its responsible representatives,
and represents events that actually occurred.
Auditor's Role
Where transactions in an application system are manually authorized, are there controls that
ensure that no unauthorized modifications take place after authorization and prior to input?
Determine if the proper level of management is authorizing the transaction activity.
If transaction authorization is facilitated by logical access restrictions, select a sample of
access rules applying to transaction input and update, and verify if the appropriate
people have these capabilities.
Identify any allowable overrides or bypasses of data validation and edit checks
(authorization, monitoring, etc.). Determine who can do the overrides and verify that they
are in a management position that should have this authority. Are all uses of the override
features automatically logged so these actions can be subsequently analyzed for
appropriateness?
Implement specific procedures to handle urgent matters, such as logging all emergency
changes that required deviations from standard procedures and having management
review and approve them after the fact. Make sure there is an audit trail for all urgent
matters.
Review by IT management to monitor, and approve all changes to hardware, software,
and personnel responsibilities.
Assigned and authorized responsibilities to those involved in the change and monitor
their work with adequate segregation of duties.
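As an added example (not from the study material), the following Python script carries out the sample-based checks listed above over constructed access rules and audit-log lines; the user names, job titles, log format and the assumed policy on who may hold override rights are all illustrative.

```python
"""Added example, not from the study material: an auditor's test of
transaction authorization controls run over constructed samples of
access rules and audit-log lines, following the checks in 3.10.4.
Names, titles, log format and policy below are constructed."""
import re

# Constructed sample of access rules: who may input/update transactions and
# who may override data validation and edit checks.
ACCESS_RULES = [
    {"user": "asha",  "title": "Accounts Clerk",  "rights": {"tx_input"}},
    {"user": "ravi",  "title": "Accounts Clerk",  "rights": {"tx_input", "override"}},
    {"user": "meera", "title": "Finance Manager", "rights": {"tx_update", "override"}},
    {"user": "dev1",  "title": "Developer",       "rights": {"tx_update"}},
]
# Assumed policy: only these titles may hold the override capability, and
# development staff must not hold production update rights (segregation of duties).
MANAGEMENT_TITLES = {"Finance Manager", "Controller"}
TITLES_BARRED_FROM_UPDATE = {"Developer"}

# Constructed override flags taken from the transaction master file (what
# actually happened) and the application's audit-log lines (what was logged).
OVERRIDE_FLAGS = [("OV-1", "meera", "T1001"), ("OV-2", "ravi", "T1002"),
                  ("OV-3", "meera", "T1003")]
AUDIT_LOG = [
    "2024-03-01T10:02:11 OVERRIDE id=OV-1 user=meera txn=T1001 approved_by=controller",
    "2024-03-01T10:15:40 OVERRIDE id=OV-2 user=ravi txn=T1002 approved_by=",
    "2024-03-01T10:20:05 LOGIN user=asha",
]
LOG_RE = re.compile(r"OVERRIDE id=(?P<id>\S+) user=(?P<user>\S+) "
                    r"txn=(?P<txn>\S+) approved_by=(?P<approver>\S*)")


def override_holders_outside_management(rules, management_titles):
    """Users who can bypass edit checks but are not in a management position."""
    return sorted(r["user"] for r in rules
                  if "override" in r["rights"] and r["title"] not in management_titles)


def update_rights_conflicts(rules, barred_titles):
    """Users holding production update rights in a role that should not have them."""
    return sorted(r["user"] for r in rules
                  if "tx_update" in r["rights"] and r["title"] in barred_titles)


def parse_override_log(lines):
    """Return {override id: approver} for every OVERRIDE entry in the audit log."""
    entries = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            entries[m.group("id")] = m.group("approver")
    return entries


def unlogged_overrides(flags, log_lines):
    """Override uses present in the transaction file but missing from the audit log."""
    logged = parse_override_log(log_lines)
    return sorted(ov_id for ov_id, _user, _txn in flags if ov_id not in logged)


def unapproved_overrides(log_lines):
    """Logged overrides carrying no after-the-fact management approval."""
    return sorted(ov_id for ov_id, approver in parse_override_log(log_lines).items()
                  if not approver)


def authorization_findings(rules=ACCESS_RULES, flags=OVERRIDE_FLAGS, log_lines=AUDIT_LOG):
    """Collect the exceptions an auditor would take up with management."""
    return {
        "override_outside_management":
            override_holders_outside_management(rules, MANAGEMENT_TITLES),
        "update_rights_conflicts": update_rights_conflicts(rules, TITLES_BARRED_FROM_UPDATE),
        "unlogged_overrides": unlogged_overrides(flags, log_lines),
        "unapproved_overrides": unapproved_overrides(log_lines),
    }


if __name__ == "__main__":
    for finding, users in authorization_findings().items():
        print(f"{finding}: {users or 'none'}")
```

With the constructed data, the script flags a clerk holding override rights, a developer with production update rights, one override use that never reached the audit log, and one logged override with no approver recorded.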
3.10.5 Document Controls: Procedures are needed for recording all requests for change
(RFC), preferably on standard documents, to gain assurance and continuous monitoring that
the systems do what they are supposed to do and that the controls continue to operate as
intended. The requests for changes in both hardware and software resources of the system
should be logged and given a unique chronological reference number. All RFCs should be
allocated a priority rating to indicate the urgency with which the change should be considered
and acted upon.
Documentation contains descriptions of the hardware, software, policies, standards,
procedures, and approvals related to the system and formalizes the system's security controls.
A user instruction manual document defines responsibilities and actions :
Input controls that identify all data entering the processing cycle;
Processing control information that includes edits, error handling, audit trails and master
file changes;
Output controls that define how to verify the correctness of the reports;
Separation of duties between preparing the input and balancing the output
To provide the user with the tools to achieve their responsibilities, the user instruction manual
should include:
A narrative description of the system (IT and Manual)
A detailed flowchart of all clerical processes.
A detailed document flowchart.
A copy of each input document, completed as an example, together with instructions for
preparation.
A list of approvals required on each input document.
A copy of any batch control forms or other transmittal forms used together with
instructions on their preparation and reconciliation to batch edits reports.
A listing of computerized input and processing edits performed, the error messages that
result therefrom, and instructions for correcting, resubmitting and balancing the
resubmitted items.
A copy of each report produced by the system with a description of its purpose, the
number of copies, distribution and instructions for balancing output to original input
A list of retention periods for : input source documents, data file (tape or disk), output report.
A system recovery section including user responsibilities for assisting in the restoration of
the system.
Auditor's Role
Assessing documentation involves evaluating the change board's efforts to complete the
following critical procedures :
There is sufficient documentation that explains how software/hardware is to be used.
There are documented formal security and operational procedures.
To understand document flow, certain background information must be obtained through
discussions with corporate officials, from previous audits or evaluations, or from system
documentation files. The auditor will need to obtain documents with the following details:
Name (title) of the computer product
Purpose of the product
System name and identification number
Date the system was implemented
Type of computer used (manufacturers model) and location
Frequency of processing and type of processing (batch, online)
Person(s) responsible for the computer application and database that generates the
computer output.
Point of origin for each source document
Each operating unit or office through which data is processed
Destination of each copy of the source document and the action applied to each copy
(filed, audited, entered into a computer, etc.)
Actions taken by each unit or office in which the data is processed (e.g. recorded in
books of account, unit prices or extensions added, control numbers recorded and
checked, etc.)
Controls over the transfer of source documents between units or offices to assure that no
documents are lost, added, or changed (controls include record counts, control totals,
arithmetic totals of important data, etc.)
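The batch control checks in the last item, as an added example that is not part of the study material: the originating unit computes a record count, a control total of amounts and a hash total of account numbers, and the receiving unit recomputes and reconciles them. The document numbers, accounts and amounts are constructed; the last case shows a limitation (amounts swapped between documents) that batch totals alone cannot detect.

```python
"""Added example, not from the study material: batch control figures for a
batch of source documents passing between two units, and the reconciliation
the receiving unit performs (record counts, control totals and hash totals).
All documents and figures below are constructed."""
from decimal import Decimal


def batch_control_figures(documents):
    """Compute the figures written on the batch control form.

    record_count  - number of documents in the batch
    control_total - arithmetic sum of the amount field
    hash_total    - sum of account numbers; meaningless as a number, but it
                    changes if an account number is altered or a document is
                    substituted, which the amount total alone would not show
    """
    return {
        "record_count": len(documents),
        "control_total": sum((d["amount"] for d in documents), Decimal("0")),
        "hash_total": sum(d["account"] for d in documents),
    }


def reconcile_batch(control_form, received_documents):
    """Compare the originating unit's control form with what was received.

    Returns a list of discrepancies; an empty list means the batch balanced.
    """
    actual = batch_control_figures(received_documents)
    discrepancies = []
    for field in ("record_count", "control_total", "hash_total"):
        if actual[field] != control_form[field]:
            discrepancies.append(
                f"{field}: form shows {control_form[field]}, received {actual[field]}")
    return discrepancies


# Constructed batch prepared by the originating unit (e.g. a branch office).
PREPARED_BATCH = [
    {"doc_no": "SD-101", "account": 400123, "amount": Decimal("1500.00")},
    {"doc_no": "SD-102", "account": 400456, "amount": Decimal("250.75")},
    {"doc_no": "SD-103", "account": 400789, "amount": Decimal("980.00")},
]
CONTROL_FORM = batch_control_figures(PREPARED_BATCH)

# Constructed variants of what the receiving unit might actually get.
LOST_DOCUMENT = PREPARED_BATCH[:2]                  # SD-103 went missing in transit
ALTERED_ACCOUNT = [dict(d) for d in PREPARED_BATCH]
ALTERED_ACCOUNT[1]["account"] = 400465              # digits transposed; amount unchanged
SWAPPED_AMOUNTS = [dict(d) for d in PREPARED_BATCH]
SWAPPED_AMOUNTS[0]["amount"], SWAPPED_AMOUNTS[2]["amount"] = (
    SWAPPED_AMOUNTS[2]["amount"], SWAPPED_AMOUNTS[0]["amount"])  # all totals still agree


if __name__ == "__main__":
    cases = [("intact", PREPARED_BATCH), ("lost document", LOST_DOCUMENT),
             ("altered account", ALTERED_ACCOUNT), ("swapped amounts", SWAPPED_AMOUNTS)]
    for name, batch in cases:
        print(name, "->", reconcile_batch(CONTROL_FORM, batch) or "balanced")
```

Because the swapped-amounts batch balances, batch totals must be paired with document-level edits and the balancing of output back to the original input described in the user manual items above.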
3.10.6 Testing and Quality Controls: Testing commences during the design phase, during
which designs and specifications should be subject to quality reviews (non-computer testing),
and continues during the system development and acceptance testing phases of the SDLC.
Computer systems are tested to prove that they perform to the satisfaction of the various
interested parties. This includes the developers, operations staff, and the end-users
(including the System Owner). It may also include system administrators, security personnel,
and auditors. In practice testing can only give reasonable assurance that all is well and that a
system behaves as intended and as predicted; but it cannot give positive proof that any
module/program/system is free from error. This is due in part to the extremely high number of
possible program paths, and in part to the practical impossibility of generating test data that
will adequately test all paths with all combinations of data.
The overall objective of the testing process is therefore to ensure that the delivered system is
of adequate quality. To meet this objective it will be necessary to confirm that the new
system:-
conforms with the organization's technical policies and standards;
performs all the required functions;
can be used by the staff for whom it is intended;
meets its performance objectives;
is reliable in operation.
The requirement to demonstrate that a system is reliable implies that it should be tested, not
to demonstrate that it works, but to uncover as many defects as possible. Tests must therefore
be designed that attempt to demonstrate that the system:
does not do what it is supposed to do;
does what it is not supposed to do;
is not operable by the staff for whom it is intended.
During the testing phase, the system is tested to verify that it works as intended and meets
design specifications. An overall testing strategy should be developed to define the individual
test events, roles and responsibilities, test environment, problem reporting and tracking, and
test deliverables. Although each project may define different test events, in general, test
events include unit testing, integration testing, technical testing, functional testing, and
acceptance testing. Other important principles that should govern testing - and indeed any
quality control - activities are that there is :
no testing without measurable objectives;
no testing without recording;
no recording without analysis;
no analysis without action.
Defects uncovered during testing might be corrected if they are considered to be of sufficient
importance to justify the cost and time involved in taking remedial action. But it may be
preferable to live with a defect if it is trivial, or defer remedial action until a more convenient
time, for example by including a fix in a later release of the software. If a defect is corrected,
the system (or perhaps parts of it) will probably need to be re-tested to ensure that the change
has not introduced other unforeseen problems. This process is known as regression testing.
3.11 Quality Control
Quality control management is a process that impacts the effectiveness, efficiency, integrity, and
availability of information systems and involves IT resources that include people, applications,
technology, and facilities. It describes the controls over the IT process of managing quality that
meets the business requirement. Quality controls encompass the following:
Establishment of a quality culture
Quality plans
Quality assurance responsibilities
Quality control practices
System development life cycle methodology
Program and system testing and documentation
Quality assurance reviews and reporting
Training and involvement of end-user and quality assurance personnel
Development of a quality assurance knowledge base
Benchmarking against industry norms
This control requires regular reviews and audits of the software products and activities to
verify that processes and personnel within the organization comply with the applicable procedures
and standards. Standards and procedures need to be established for valid quality assurance
measurement processes in a project and its processes. These processes must be
documented and controlled.
3.11.2 Quality Standards: Quality management controls are implemented in order to drive
maturity into the organizational processes. The best practices that identify the quality and
assurance are governed by two key standards:
(i) Capability Maturity Model Integration (CMMI) : by Software Engineering Institute(SEI); is
a framework for organizing and assessing the maturity level of IT processes for software
development and maintenance of products and services. The software process maturity is the
extent, to which a specific process is explicitly defined, managed, measured, and controlled,
and is effective. A detailed discussion on this standard is given in chapter 8.
(ii) ISO 9000 Quality Management and Quality Assurance Standards : Defines quality
control as the operational techniques and activities that are used to fulfill requirements for
quality.
As quality control is concerned with the quality of individual products produced during the
project - in other words confirming that they are fit for their intended purpose - it follows that it is
the responsibility of the Project Manager to ensure that effective quality control is carried out.
Quality control mechanisms include both formal and informal reviews, walkthroughs, testing,
and inspection.
Quality control costs both time and money, and Project Managers are often tempted to
dispense with it, particularly when working to an unrealistic, imposed deadline or where
slippage has occurred in the project time-table. Removing what appears to be a non-
productive activity apparently brings the project back on schedule. This is a false economy. It
stores up greater problems for both the later stages of the system and for the maintenance
and operations activities following project delivery. And there is growing evidence that quality
control and productivity gains, far from being mutually exclusive, are complementary.
3.11.3 Quality Reviews: Quality review covers various non-computer testing activities. For
example, it determines whether a product is:
complete and free from cosmetic and mechanical defects;
is correct (e.g. a specification or plan), is sufficiently comprehensive and is targeted at
the appropriate skill level for each category of user;
Complies with relevant standards.
3.11.4 Auditor's Role : The following are the general questions that the auditor will need to
consider for quality control:
Does the system design follow a defined and acceptable standard?
Are completed designs discussed and agreed with the users?
Do the project's quality assurance procedures ensure that project documentation (e.g.
design documents, specifications, test and installation plans) is reviewed against the
organization's technical standards and policies, and the User Requirements
Specification?
Do quality reviews follow a defined and acceptable standard?
Are quality reviews carried out under the direction of a technically competent person who
is managerially independent from the design team?
Are auditors/security staff invited to comment on the internal control aspects of system
designs and development specifications?
Are statistics of defects uncovered during quality reviews and other forms of quality
control maintained and analyzed for trends? Is the outcome of trend analysis fed back
into the project to improve the quality of other deliverables?
Are defects uncovered during quality reviews always corrected?
Have all system resources (hardware, software, documentation) that have passed quality
review been placed under change control management and version control?
Has a System Installation Plan been developed and quality reviewed?
Has a Training Plan been developed and quality reviewed? Has sufficient time and
resources been allocated to its delivery? (to avoid skills stagnation, the delivery of
training will need to be carefully scheduled);
3.11.5 Copyright Violations: Software programs can easily be copied or installed on multiple
computers. It is necessary for organizations to specifically address software piracy in training,
in policy and procedures, or in the application of general internal controls. Violation of
copyright laws may lead to potential risk. The computing environment needs controlling to
prevent software piracy and copyright violations.
The scope of a Copyright Act is:
The illegal copy of computer programs except for backup or archival purposes.
Any business or individual convicted of illegally copying software is liable for both
compensatory and statutory damages for each illegal copy of software in the premises.
The information from annoyed employees and consultants about organizations that use
illegal software is documented.
The Copyright Notice:
Any information owned/created by the company and considered its intellectual property in a
written, printed, or stored as data, must be labeled with a copyright notice in the following
format : Copyright 2003 [Company Name], Inc. All Rights Reserved.
3.11.6 Contract / Warranties: On acquisition of software systems, organizations enter into
contracts for computer hardware, software, and services. Familiarity with the products and
contract terms, and an informed decision, are mandatory. The management is responsible
for a thorough review, as today's information systems support strategic and day-to-day
operations.
IT contracts are to address these issues:
Meet IT users expectations and the systems need to perform as intended;
Able to file litigation in response to dissatisfaction with products or services on the failure
of the selection or acquisition process.
IT auditors can help companies avoid contract failures, especially those lacking in-house
computer contracting expertise in areas such as first-time purchases, contract services for
computer maintenance, custom applications, and multiple supplier procurements. The
evidence gathered by auditors can assist the organization in specifying both performance
standards and remedies for nonperformance.
The review areas of IT-related contracts are:
Review of supplier contract terms that limit supplier liability.
Review of contract objectives and performance measurements to ensure objectives have
been met.
Review and inclusion in future contracts of contract clauses for protecting customer
interests.
In the development or review of any IT contract, the objectives of the contracting process
are to focus on preparing or examining the acceptance criteria.
The three key goals to achieve while contracting for computer goods and services are:
Preparation of explicit criteria that can be used for acceptance with respect to user
requirements,
The process of negotiating the contract and the inclusion of clauses that assure
supplier compliance, and
The process of monitoring contract compliance is the responsibility of the entire
organization.
To identify a major control weakness, problems and contract issues which require
immediate management and organizational attention.
Does the contract reflect the organization's requirements and have appropriate levels
within the organization verified them?
Have the requirements been translated into measurable acceptance criteria that can be
monitored and verified?
To ensure that the RFP contains the needs and requirements and how they are met.
Was the legal counsel or contracting officer present at all meetings and documentation of
proceedings recorded?
What changes or agreements were reached in refining contract terms and were they
verified with management?
The contract has been executed and monitored to assure the customer's rights.
Acceptance tests are performed on all products or services provided and tests are
documented and reviewed by management.
Acceptance tests are documented, evaluated, and the results are reviewed and signed
off by customers at affected levels including management.
The organization exercises its right to accept or decline the contract, and documentation
supports its decision.
3.11.7 Service Level Agreements (SLA): The SLA is a formal agreement between a
customer requiring services and the organization that is responsible for providing those
services. It is not a legal contract in itself, but an essential component of it. An SLA is to state
the required performance of the system in terms of its availability to users, response times,
and numbers of transactions processed and any other suitable criteria meaningful to the user.
Performance indicators are to be agreed, and the delivered level of service is to be regularly
monitored against that specified.
Service : A set of deliverables that passes between a provider and a consumer.
Level : The measurement of services agreed upon and delivered and the gap between
the two.
Agreement : Contract between two entities: the one providing the service and the
recipient.
The provider in an SLA could be the organization's IT Department, a facilities management
contractor, an external bureau, a telecommunications supplier, or a hardware maintenance
contractor. Users and providers are to formally agree on the standards of service to be
provided, and the levels of user demand to be satisfied, before the system is
implemented.
An SLA should also define:
The level of technical support to be provided to users.
The procedures for proposing changes to the system.
Standards of security provision and administration that includes system and data access
controls and monitoring system and network use.
Emergency requirements
And a schedule of charges for the services to be provided.
The auditor is to ensure that the following form part of the service level agreement:
The service provider's compliance with all legal requirements applicable to the outsourced activity.
A right-to-audit clause and a statement of control responsibilities.
The responsibility of the service provider to establish performance monitoring procedures.
Business continuity measures to be put in place to ensure continuity of service.
Non-disclosure requirements regarding the information and processes of the audited organization that are handled, and control stipulations in this regard.
Insurance requirements.
3.12 Controls over System Implementation
The final step to implementing the system includes conversion, documentation, training, and
support. To ensure smooth implementation, it is important that users and technical support
people receive adequate training. To facilitate this training, both system and user
documentation need to define the functionality of the system. Activities during Implementation
stage are discussed below.
3.12.1 Procedures Development: This covers the who, what, when, where, and how of the implementation process. Where the installation of the new system's hardware and software interfaces with other systems or is distributed across multiple software platforms, some final commissioning tests of the production environment are carried out to prove end-to-end connectivity. The design of procedures must match the job/task responsibility of a user within the organization's functional framework. It should lay down the activities with respect to a task, stating the input, the process and the output generated thereof.
The auditor is to assess the following in the procedure document design phase:
Whether the quality of the procedures design meets the minimum user requirements and the SRS specifications of the system.
The change management principles implemented and followed within the organization.
The approach followed in testing and implementing changes to the behaviour and processes of the system.
The quality of the procedures documentation, system manuals etc., and whether they are written in a consistent and formal style.
3.12.2 Conversion: It involves the following activities:
Defining the procedures for correcting and converting data into the new application, and determining what data can be converted through software and what data must be converted manually.
Performing data cleansing before data conversion.
Identifying the methods to assess the accuracy of conversion, such as record counts and control totals.
Designing exception reports showing the data which could not be converted through software.
Establishing responsibility for verifying, signing off and accepting the overall conversion by the system owner.
The conversion strategies are:
Direct implementation / Abrupt change-over: The old system is suspended on a specific day and the new system is implemented. It reduces the cost of redundant processing, but in case of a failure, say a system crash, the old system is not available for recovery either. It may be used for small applications, or when migrating from a manual to a computer system.
Parallel implementation: Both the old and new systems are run in parallel to verify whether their output is the same; then the old system is suspended. Here the redundant processing is costly but reduces the risks associated with conversion, although users will face problems in working with both systems.
Phased implementation: This strategy consists of implementing the new system in parts. This makes implementation more manageable. It is also called phase-in conversion and provides a steady transition.
Pilot implementation: The new system is first implemented in the modules of non-critical units and then rolled out to larger units.
Except for direct implementation, the strategies are not mutually exclusive. A cautious combination of the strategies can be adopted, depending on the type of application/system.
3.12.3 Auditor's Role
Has a Data Conversion Plan been drawn up?
Does the Data Conversion Plan:
Describe the data conversion strategy to be followed (e.g. the procedures for
reconciling differing charts of accounts; the sequence of files to be converted; the
conversion timetable; keeping converted data up-to-date)?
Allocate staff to each task (the users should be fully involved) and define specific
roles and responsibilities, including that of signing off successful completion of each
task?
Set out the criteria for identifying and resolving problems on the quality of the
existing data (e.g. undertake file interrogation to identify missing or incompatible
data items in the existing system; define procedures to deal with the correction of
data rejected by the new system)?
Provide for acceptance testing of any custom-built software that has been developed to support the data conversion task?
Define the controls that are to give assurance that data has been transferred
completely and accurately, and correctly posted (e.g. hash and control totals, and
record counts; checking a sample of detailed records back to the old system;
reconciling balances between the two systems)?
Implement an effective separation of roles between those involved in transferring
data and those involved in verifying that it has been correctly transferred
(information security should not be neglected, particularly where financial data is
involved)?
Define procedures to ensure that converted data is kept up-to-date following its
transfer to the new system?
Define backup and recovery procedures for the converted data on the new system
(these procedures will not relate to any processing cycle so they may differ from the
eventual operational procedures)?
Define how the audit trail is to be preserved after cut over; also, how archived data
from the old system will be processed after de-commissioning?
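The record counts, control totals and hash totals named in 3.12.2 and in the checklist above, worked through as an added example that is not part of the study material: the old- and new-system extracts, their field names and the rejected records are constructed for illustration.

```python
"""Data conversion reconciliation: record counts, control totals, hash totals
and an exception report for records the conversion software did not carry over.

Added example, not from the ICAI study material. The two extracts below are
constructed sample data standing in for the old and new system; the field
names 'acct', 'name' and 'balance' are assumptions.
"""
from decimal import Decimal

# Constructed extract from the OLD system (account ledger).
OLD_RECORDS = [
    {"acct": "10010", "name": "Cash", "balance": Decimal("1500.00")},
    {"acct": "10020", "name": "Bank", "balance": Decimal("-250.50")},
    {"acct": "20010", "name": "Creditors", "balance": Decimal("800.00")},
    {"acct": "40010", "name": "Sales", "balance": Decimal("12000.00")},
]

# Constructed extract from the NEW system after automated conversion:
# account 20010 was rejected by the conversion software and 40010 gained 50 paise.
NEW_RECORDS = [
    {"acct": "10010", "name": "Cash", "balance": Decimal("1500.00")},
    {"acct": "10020", "name": "Bank", "balance": Decimal("-250.50")},
    {"acct": "40010", "name": "Sales", "balance": Decimal("12000.50")},
]


def control_figures(records):
    """Record count, control total (sum of balances) and hash total.

    The hash total sums the numeric account keys. It has no business meaning,
    which is exactly why it catches a dropped, duplicated or mis-keyed record
    that a balance-only control total could miss (two errors can net to zero).
    """
    return {
        "record_count": len(records),
        "control_total": sum((r["balance"] for r in records), Decimal("0")),
        "hash_total": sum(int(r["acct"]) for r in records),
    }


def reconcile(old, new):
    """Compare the old and new extracts.

    Returns the control figures for each side, whether they agree, and an
    exception report listing every account that was not converted, whose
    balance differs, or that appears in the new system without a source.
    """
    old_ctrl, new_ctrl = control_figures(old), control_figures(new)
    new_by_acct = {r["acct"]: r for r in new}
    exceptions = []
    for r in old:
        target = new_by_acct.get(r["acct"])
        if target is None:
            exceptions.append({"acct": r["acct"], "reason": "not converted"})
        elif target["balance"] != r["balance"]:
            exceptions.append({"acct": r["acct"], "reason": "balance differs",
                               "old": r["balance"], "new": target["balance"]})
    old_accts = {r["acct"] for r in old}
    for r in new:
        if r["acct"] not in old_accts:
            exceptions.append({"acct": r["acct"], "reason": "not in source"})
    return {"old": old_ctrl, "new": new_ctrl,
            "agrees": old_ctrl == new_ctrl, "exceptions": exceptions}


def exception_report(result):
    """Render the reconciliation as the lines the system owner reviews before sign-off."""
    lines = [f"Old system: {result['old']}", f"New system: {result['new']}",
             "Control figures agree" if result["agrees"] else "Control figures DO NOT agree"]
    for e in result["exceptions"]:
        detail = f" (old {e['old']}, new {e['new']})" if "old" in e else ""
        lines.append(f"EXCEPTION acct {e['acct']}: {e['reason']}{detail}")
    return lines


if __name__ == "__main__":
    for line in exception_report(reconcile(OLD_RECORDS, NEW_RECORDS)):
        print(line)
```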
3.12.4 User Final Acceptance testing: The user acceptance test is performed in a secured
testing environment where both source and executable codes are protected. This helps to
ensure that unauthorized or last minute change to the system does not take place without
going through the standard system maintenance process. Here testing is a complete end-to-
end test of the operational system including all manual procedures. It aims to provide the
system users with confirmation that:
the User Requirement Specification (including system performance criteria) has been met;
end user and operational documentation is accurate, comprehensive, and usable;
supporting clerical procedures work effectively;
production-line support functions operate correctly, in line with user expectations;
Back-up and recovery procedures work effectively.
The acceptance testing is to be undertaken by the end users, supported by IT staff and expert consultants as necessary, and should continue until no errors or shortcomings remain. In addition to testing system functions, acceptance testing must also test responsiveness against the performance criteria defined during the Specification Stage. The acceptance test plan involves:
Performance testing should address:
average response time : usually defined as the time between the user depressing
the transmit key, and the first character of the reply appearing on the screen, with a
further maximum time specified for the screen to be completed;
maximum response time : the response time that must not be exceeded;
other response times : for example the time to : load an application, accept or move
between fields on the screen, perform a single or multiple update or to run a
complex enquiry
Volume testing : subjects the system to heavy volumes of data to test whether it can handle the volume of data specified in an acceptable time-frame;
Stress testing : subjects the system to heavy loads or stresses (a heavy stress is a peak volume of data encountered over a short period);
Security testing : attempts to subvert the system's security and internal control checks;
Clerical procedures checking : aims to confirm that all supporting clerical procedures
have been documented and work effectively;
Back-up and recovery : aims to confirm that software, configuration files, data and
transaction logs can be backed up, either completely or selectively; and also restored
from backup;
On satisfactory completion of user acceptance testing, the Project Board should sign off a System Acceptance Document to signify that the development process has been completed, and hand over all the items that will comprise the operational system to the System Owner (in practice the bulk of it will pass to the computer operations and software maintenance teams).
3.12.5 Auditor's Role: The auditor is to assure management that both developers and users have thoroughly tested the system to ensure that it:
possesses the built-in controls necessary to provide reasonable assurance of proper operation;
provides the capability to track events through the system and thus supports audit review of the system in operation;
meets the needs of the user and management.
If the level of testing does not meet standards, the auditor must notify the development
team or management who will then take corrective action;
What arrangements have been made to ensure that the system has been correctly built
(installed, configured, loaded, etc) before user acceptance testing commences?
Has an Acceptance Test Plan been drawn up to cover all aspects of testing? Does it:
allocate adequate resources in terms of manpower, time and equipment to acceptance testing? (A common problem in IT projects is to reduce the time available for acceptance testing in order to recover from slippage in the overall project timetable. This can easily result in the implementation of an inadequately tested and defective system);
allocate individual roles and responsibilities for :
managing the test environment? (i.e. environment design; configuration management; operation and maintenance)
undertaking individual tests and test cycles?
recording test results?
analysing test results and prioritising errors?
fully involve the end-users in the design and execution of the acceptance testing
programme?
include ancillary procedures? (e.g. clerical control checks, the Help Desk, Network
Support, System Administration);
require the manager in charge to sign off individual tests and test cycles on successful
completion?
Is there an adequate separation of roles to help guard against unauthorized changes
taking place during testing and error correction? (e.g. between individuals involved in
building and modifying items; those involved in testing them; and those involved in
releasing them into live use);
Have test data been prepared for each test? Have the anticipated results for each test
been fully defined?
Do tests cover events that ought not to happen, as well as those that should? (e.g. do they
include out of range tests; tests on processing acceptable items occurring in unacceptable
combinations; duplicate transaction processing; incomplete master and standing data files);
Does the User Acceptance Testing Plan cover all aspects of the User Requirements Specification?
Is an adequate audit trail of changes maintained? (is it possible to back-track on a
change to see how it occurred and whether it was correctly authorized?)
Are regression tests carried out to ensure that previously accepted areas of the new
system continue to work after significant changes have been implemented?
Has the acceptance-testing programme been signed off by the Project Board on
successful completion? If not, is appropriate remedial action being taken?
3.12.6 User training : Training both the end-users and the IS operations personnel is critical for the efficient and effective implementation of a system that is to be seamlessly integrated within the organization's business processes. Training would involve an overview of the application systems for managers, operational training for users on how to use the software, enter the data and generate the output, and systems training on the technical aspects. Along with training, ongoing user support with trained personnel for problem tracking is another important component needed to ensure a successful implementation.
3.13 System Maintenance
System maintenance is an important phase following the implementation of a system; day-to-day operations bring out strengths and weaknesses, which may require periodic modification of the system to meet its objectives. Maintenance can be undertaken under the following three categories:
Corrective maintenance : Emergency program fixes and routine debugging of logical errors.
Adaptive maintenance : Accommodation of changes in the user environment.
Perfective maintenance : User enhancements, improved documentation, and recoding for improving processing efficiency.
The maintenance phase involves making changes to hardware, software, and documentation to support its operational effectiveness. It includes making changes to improve a system's performance, correct problems, enhance security, or address user requirements. To ensure modifications do not disrupt operations or degrade a system's performance or security, organizations should establish appropriate change management standards and procedures.
Maintaining accurate, up-to-date hardware and software inventories is a critical part of all change
management processes. Management should carefully document all modifications to ensure
accurate system inventories. (If material software patches are identified but not implemented,
management should document the reason why the patch was not installed.)
3.13.1 Auditor's Role: The effectiveness and efficiency of the system maintenance process is evaluated with the following metrics:
The ratio of actual maintenance cost per application/operation versus the average of all applications/processes.
Average time to deliver change requests.
The number of change requests for the system application that were related to bugs,
critical errors, and new functional specifications.
The number of production problems per application and per respective maintenance change.
The instances of divergence from standard procedures such as undocumented
applications, unapproved design, and testing reductions.
The quantity of modules returned to development due to errors discovered in acceptance
testing.
Time elapsed to analyze and fix problems.
The span of maintenance of the information systems is to ensure effective and timely reporting of maintenance needs, and that maintenance is carried out in a controlled manner. Fig. 3.16 highlights the maintenance control activities, which are widely dispersed throughout the organization when the system involves end-user participation in the use of the information system. An auditor needs to be satisfied about the implementation of maintenance activities, which consume substantial resources.
Fig. 3.16 : Maintenance Controls
3.13.2 Performance Measurement: Performance measurement is dependent on the business strategy and objectives of the organization. The factors for the measurement metric would involve:
the value delivered by the IT system;
the ratio of the cost of IT to the per unit business function;
the response time of the system to a new operation or a change in operations; and
the ongoing costs of the system to maintain its effectiveness.
For a system to be evaluated properly, it must be assessed using system performance measurements. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is being productively used), and response time (how long it takes the system to respond).
3.14 Post Implementation Review
After a development project is completed a post implementation review should be performed
to determine if the anticipated benefits were achieved. Reviews help to control project
development activities and to encourage accurate and objective initial cost and benefit
estimates. The full scope of a post implementation review (PIR) will depend largely on the
scale and complexity of the project. The post implementation review should be performed
jointly by the project development team and the appropriate end users or alternatively, an
independent group not associated with the development process, either internal or external,
should carry out the audit, to meet the following objectives:
Business objectives : delivered within budget and deadline; is producing predicted savings
and benefits, etc.;
User expectations : user friendly, carries the workload, produces the required outputs,
good response time, reliable, good ergonomics, etc.;
Technical requirements : capable of expansion, easy to operate and maintain, interfaces
with other systems, low running cost, etc.
The PIR is undertaken after any changes and tuning that are necessary to achieve a stable system have been completed, and any significant problems have had a chance to surface. Sufficient time should also be allowed for the system's users to become familiar with it. These criteria should be met between six and twelve months after implementation. If the PIR is delayed beyond twelve months there will be an increasing risk that changing requirements - leading to further releases of the system - will obscure the outcome from the original development; also, that the need for a PIR will be overtaken by other priorities.
If there are obvious and significant problems with a new system a PIR may need to be undertaken sooner than would otherwise have been the case, in order to identify the nature of the problem(s), their cause(s), and to recommend a suitable course of action.
3.14.1 The PIR team: In order to achieve an impartial outcome, the team should be substantially independent of the original system development team. It may therefore be advisable to employ an external IS consultant to manage the review. It may also be necessary to employ other external support to assist in evaluating the delivery of technical functions (e.g. project management, system design) and specialized functions (e.g. financial and management accountancy), and to make appropriate recommendations where necessary. Internal Audit might help assess the effectiveness of internal controls.
In order to facilitate control, the PIR should have terms of reference, authorized by the approving authority, defining the:
scope and objectives of the review;
criteria to be employed in measuring the achievement of objectives;
management and organisation of the review team;
review budget and reporting deadline.
3.14.2 Activities to be undertaken: During a PIR, the team should, according to their terms of reference, review:
the main functionality of the operational system against the User Requirements
Specification;
system performance and operation;
the development techniques and methodologies employed;
estimated time-scales and budgets, and identify reasons for variations;
changes to requirements, and confirm that they were considered, authorised and
implemented in accordance with change and configuration management standards;
set out findings, conclusions and recommendations in a report for the authorising authority
to consider.
In addition to reviewing the functionality delivered by the new system, the review team will also
need to look back to the Business Case on which the system was originally based to confirm
that all the anticipated benefits, both tangible and intangible, have been delivered. This will
involve investigating the reasons behind benefits that were not achieved, perhaps involving
recommendations for remedial action, and using survey techniques to establish the extent to
which intangible benefits (such as improved staff morale) have been realised.
It is also possible that the PIR will identify benefits that were not anticipated in the Business
Case. These should be included in the PIR Report as additional justification for the
investment, and to identify benefits that might be realized in other IS development projects.
Following their deliberations on the PIR Report, the authorizing authority may either:
endorse continuation of the system;
approve plans to modify the system; or
terminate the system and make arrangements for a new course of action.
3.14.3 Auditor's Role: The following issues should be considered when judging the effectiveness of a PIR, or as the basis for the auditor to undertake one.
Interview business users in each functional area covered by the system, and assess their
satisfaction with, and overall use of, the system.
Interview security, operations and maintenance staff and, within the context of their particular
responsibilities, assess their reactions to the system.
Based on the User Requirements Specification, determine whether the system's requirements have been met. Identify the reason(s) why any requirements are not to be provided, are yet to be delivered, or do not work properly.
Confirm that the previous system has been de-commissioned or establish the reason(s) why it
remains in use.
Review system problem reports and change proposals to establish the number and nature
(routine, significant, major) of problems, and changes being made to remedy them. The
volume of system change activity can provide an indicator of the quality of systems
development.
Confirm that adequate internal controls have been built into the system, that these are
adequately documented, and that they are being operated correctly. Review the number and
nature of internal control rejections to determine whether there are any underlying system
design weaknesses.
Confirm that an adequate Service Level Agreement has been drawn up and implemented.
Identify and report on any area where service delivery either falls below the level specified, or
is inadequate in terms of what was specified.
Confirm that the system is being backed up in accordance with user requirements, and that it
has been successfully restored from backup media.
Review the Business Case and determine whether:
anticipated benefits have been, or are being, achieved;
any unplanned benefits have been identified;
costs are in line with those estimated;
benefits and costs are falling within the anticipated time-frame.
Review trends in transaction throughput and growth in storage use to confirm that the growth of the system is in line with that forecast.
Control Category: System development and acquisition controls
Threats/Risks: System development projects consume excessive resources.
Controls: Long-range strategic master plan, data processing schedules, assignment of each project to a manager and team, project development plan, project milestones, performance evaluations, system performance measurements (throughput, utilization, response time), and post-implementation reviews.

Control Category: Change management controls
Threats/Risks: Systems development projects consume excessive resources; unauthorized systems changes.
Controls: Change management control policies and procedures, periodic review of all systems for needed changes, standardized format for changes, log and review change requests, assess impact of changes on system reliability, categorize and rank all changes, procedures to handle urgent matters, communicate changes to management and users, management approval of changes, assign specific responsibilities while maintaining adequate segregation of duties, ensure all changes go through all appropriate steps, test all changes, develop a plan for backing out of mission-critical system changes, implement a quality assurance function, and update documentation and procedures.

Table 3.5 : Summary of Key Maintainability Controls
3.15 Control over Data Integrity, Privacy and Security
3.15.1 Information Classification: Information classification is the conscious decision to
assign a level of sensitivity to information as it is being created, amended, enhanced, stored,
or transmitted. The classification of the information should then determine the extent to which
it needs to be controlled / secured and is also indicative of its value in terms of Business
Assets.
The classification of information and documents is essential if one has to differentiate between that which is of little (if any) value, and that which is highly sensitive and confidential. When data is stored, whether received, created or amended, it should always be classified into an appropriate sensitivity level. For many organizations, a simple five-level scale will suffice, as follows:
Information Classification: Top Secret
Description: Highly sensitive internal information relating to, e.g., pending mergers or acquisitions, investment strategies, plans or designs, that could seriously damage the organization if such information were lost or made public. Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.

Information Classification: Highly Confidential
Description: Information that, if made public or even shared around the organization, could seriously impede the organization's operations and is considered critical to its ongoing operations. Information would include accounting information, business plans, sensitive customer information held by banks, solicitors and accountants etc., patients' medical records and similar highly sensitive data. Such information should not be copied or removed from the organization's operational control without specific authority. Security at this level should be very high.

Information Classification: Proprietary
Description: Information of a proprietary nature; procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for proprietary use by authorized personnel only. Security at this level is high.

Information Classification: Internal Use Only
Description: Information not approved for general circulation outside the organization, where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to credibility. Examples would include internal memos, minutes of meetings and internal project reports. Security at this level is controlled but normal.

Information Classification: Public Documents
Description: Information in the public domain; annual reports, press statements etc., which has been approved for public use. Security at this level is minimal.

Table 3.6 : Classification of Information
3.15.2 Data Integrity: Once the information is classified, the organization has to decide about the various data integrity controls to be implemented. The primary objective of data integrity control techniques is to prevent, detect, and correct errors in transactions as they flow through the various stages of a specific data processing program. In other words, they ensure the integrity of a specific application's inputs, stored data, programs, data transmissions, and outputs. Data integrity controls protect data from accidental or malicious alteration or destruction and provide assurance to the user that the information meets expectations about its quality and integrity. Assessing data integrity involves evaluating the following critical procedures:
Virus detection and elimination software is installed and activated.
Data integrity and validation controls are used to provide assurance that the information
has not been altered and the system functions as intended
Data integrity is a reflection of the accuracy, correctness, validity, and currency of the data. The primary objective in ensuring integrity is to protect the data against erroneous input from authorized users. The auditor should be concerned with the testing of user-developed systems; changes or the release of data, unknown to the user, could occur because of flawed design. The user may assume that the visible output is the only system activity. The possibility that erroneous data could infest the system is strong. A person other than the designer or user should test any application that has access to the organization's data in more than a read-only format. Again, this is a critical area if the service desk is outsourced to an application service provider. Release of customer information to such an entity must be controlled through contractual requirements with stiff remedies or penalties if data is compromised.
There are six categories of integrity controls, summarized in Table 3.7.
Control Category: Source data controls
Threats/Risks: Invalid, incomplete, or inaccurate source data input.
Controls: Forms design; sequentially prenumbered forms; turnaround documents; cancellation and storage of documents; review for appropriate authorization; segregation of duties; visual scanning; check-digit verification; and key verification.

Control Category: Input validation routines
Threats/Risks: Invalid or inaccurate data in computer-processed transaction files.
Controls: As transaction files are processed, edit programs check key data fields using these edit checks: sequence, field, sign, validity, limit, range, reasonableness, redundant data, and capacity checks. Enter exceptions in an error log; investigate, correct, and resubmit them on a timely basis; re-edit them, and prepare a summary error report.

Control Category: On-line data entry controls
Threats/Risks: Invalid or inaccurate transaction input entered through on-line terminals.
Controls: Field, limit, range, reasonableness, sign, validity, and redundant data checks; user IDs and passwords; compatibility tests; automatic system date entry; prompting operators during data entry; pre-formatting; completeness test; closed-loop verification; a transaction log maintained by the system; clear error messages; and data retention sufficient to satisfy legal requirements.

Control Category: Data processing and storage controls
Threats/Risks: Inaccurate or incomplete data in computer-processed master files.
Controls: Policies and procedures (governing the activities of data processing and storage personnel; data security and confidentiality; audit trails; and confidentiality agreements); monitoring and expediting data entry by data control personnel; reconciliation of system updates with control accounts or reports; reconciliation of database totals with externally maintained totals; exception reporting; data currency checks; default values; data matching; data security (data library and librarian, backup copies of data files stored at a secure off-site location, protection against conditions that could harm stored data); use of file labels and write protection mechanisms; database protection mechanisms (database administrators, data dictionaries, and concurrent update controls); and data conversion controls.

Control Category: Output controls
Threats/Risks: Inaccurate or incomplete computer output.
Controls: Procedures to ensure that system outputs conform to the organization's integrity objectives, policies, and standards; visual review of computer output; reconciliation of batch totals; proper distribution of output; confidential outputs being delivered are protected from unauthorized access, modification, and misrouting; sensitive or confidential output stored in a secure area; users review computer output for completeness and accuracy; shred confidential output no longer needed; error and exception reports.

Control Category: Data transmission controls
Threats/Risks: Unauthorized access to data being transmitted or to the system itself; system failures; errors in data transmission.
Controls: Monitor the network to detect weak points; backup components; design the network to handle peak processing; multiple communication paths between network components; preventive maintenance; data encryption; routing verification (header labels, mutual authentication schemes, callback systems); parity checking; and message acknowledgement procedures (echo checks, trailer labels, numbered batches).

Table 3.7 : Summary of Data Integrity Controls
3.15.3 Data Integrity Policies
Virus-Signature Updating : Virus signatures must be updated immediately when they are
made available from the vendor.
Software Testing : All software must be tested in a suitable test environment before
installation on production systems.
Division of Environments : The division of environments into Development, Test, and
Production is required for critical systems.
Version Zero Software : Version zero software (1.0, 2.0, and so on) must be avoided
whenever possible to avoid undiscovered bugs.
Offsite Backup Storage : Backups older than one month must be sent offsite for
permanent storage.
Quarter-End and Year-End Backups : Quarter-end and year-end backups must be done
separately from the normal schedule, for accounting purposes.
Disaster Recovery : A comprehensive disaster-recovery plan must be used to ensure
continuity of the corporate business in the event of an outage.
3.15.4 Data Security: Data security encompasses the protection of data against accidental or
intentional disclosure to unauthorized persons as well as the prevention of unauthorized
modification and deletion of the data. Many levels of data security are necessary in an
information systems environment; they include database protection, data integrity, and
security of the hardware and software controls, physical security over the user, and
organizational policies. An IS auditor is responsible for evaluating the following when reviewing
the adequacy of data security controls:
Who is responsible for the accuracy of the data?
Who is permitted to update data?
Who is permitted to read and use the data?
Who is responsible for determining who can read and update the data?
Who controls the security of the data?
If the IS system is outsourced, what security controls and protection mechanisms does the
vendor have in place to secure and protect data?
Contractually, what penalties or remedies are in place to protect the tangible and
intangible values of the information?
The disclosure of sensitive information is a serious concern to the organization and is
mandatory on the auditor's list of priorities.
3.16 Security Concepts and Techniques
3.16.1 Cryptosystems: A cryptosystem refers to a suite of algorithms needed to implement
a particular form of encryption and decryption. Typically, a cryptosystem consists of three
algorithms : one for key generation, one for encryption, and one for decryption. The term
cipher (sometimes cypher) is often used to refer to a pair of algorithms, one for encryption and
one for decryption. Therefore, the term "cryptosystem" is most often used when the key
generation algorithm is important. For this reason, the term "cryptosystem" is commonly used
to refer to public key techniques; however, both "cipher" and "cryptosystem" are used for
symmetric key techniques.
3.16.2 Data Encryption Standard (DES): The Data Encryption Standard (DES) is a cipher (a
method for encrypting information) selected as an official Federal Information Processing
Standard (FIPS) for the United States in 1976, and which has subsequently enjoyed
widespread use internationally. It is a mathematical algorithm for encrypting (enciphering) and
decrypting (deciphering) binary coded information. Encrypting data converts it to an
unintelligible form called cipher. Decrypting cipher converts the data back to its original form
called plaintext. The algorithm described in this standard specifies both enciphering and
deciphering operations which are based on a binary number called a key. A key consists of 64
binary digits ("0"s or "1"s) of which 56 bits are randomly generated and used directly by the
algorithm. The other 8 bits, which are not used by the algorithm, are used for error detection.
The 8 error detecting bits are set to make the parity of each 8-bit byte of the key odd, i.e.,
there is an odd number of "1"s in each 8-bit byte.
Authorized users of encrypted computer data must have the key that was used to encipher the
data in order to decrypt it. The encryption algorithm specified in this standard is commonly
known among those using the standard. The unique key chosen for use in a particular
application makes the results of encrypting data using the algorithm unique. Selection of a
different key causes the cipher that is produced for any given set of inputs to be different. The
cryptographic security of the data depends on the security provided for the key used to
encipher and decipher the data. Data can be recovered from cipher only by using exactly the
same key used to encipher it. Unauthorized recipients of the cipher who know the algorithm
but do not have the correct key cannot derive the original data algorithmically. However,
anyone who does have the key and the algorithm can easily decipher the cipher and obtain
the original data. A standard algorithm based on a secure key thus provides a basis for
exchanging encrypted computer data by issuing the key used to encipher it to those
authorized to have the data.
DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit
key size being too small; DES keys have been broken in less than 24 hours. There are also
some analytical results which demonstrate theoretical weaknesses in the cipher. In recent
years, the cipher has been superseded by the Advanced Encryption Standard (AES). In some
documentation, a distinction is made between DES as a standard, and the algorithm, which is
referred to as the DEA (the Data Encryption Algorithm).
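As an added example (not code from the text), the following Python routines check and set the odd-parity bits the standard describes and extract the 56 key bits that DES actually uses; the sample key value is a constructed one.

```python
# Added illustration of DES key parity (not code from the text). A DES key is
# 64 bits; only the high-order 7 bits of each byte (56 bits) enter the
# algorithm, and the low-order bit of each byte is set so that every byte
# contains an odd number of 1 bits.

DES_KEY_BYTES = 8


def _ones(byte: int) -> int:
    """Number of 1 bits in one byte."""
    return bin(byte & 0xFF).count("1")


def des_key_has_odd_parity(key: bytes) -> bool:
    """True when the key is 8 bytes and every byte has odd parity.

    A key that fails this check has been corrupted or mistyped: the parity
    bits carry no secret and exist only to detect such errors.
    """
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    return all(_ones(b) % 2 == 1 for b in key)


def set_des_key_odd_parity(key: bytes) -> bytes:
    """Return the key with each byte's parity bit (bit 0) adjusted to odd.

    The 56 key bits proper are untouched, so the returned key enciphers
    identically to the input: DES ignores the parity bits.
    """
    if len(key) != DES_KEY_BYTES:
        raise ValueError("DES key must be exactly 8 bytes (64 bits)")
    fixed = bytearray(key)
    for i, b in enumerate(fixed):
        if _ones(b) % 2 == 0:
            fixed[i] = b ^ 0x01        # flip only the parity bit
    return bytes(fixed)


def effective_key_bits(key: bytes) -> int:
    """The 56 bits DES actually uses, packed into one integer.

    Two keys with the same result here are the same DES key; this is why the
    keyspace is 2**56 rather than 2**64, the size the text calls too small.
    """
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)    # drop the parity bit of each byte
    return value


def single_bit_errors_detected(key: bytes) -> bool:
    """Check that flipping any one of the 64 bits of a valid key is caught.

    Odd parity detects every single-bit error but not two flipped bits in the
    same byte, which is the limit of this error-detection scheme.
    """
    if not des_key_has_odd_parity(key):
        return False
    for i in range(64):
        corrupted = bytearray(key)
        corrupted[i // 8] ^= 1 << (7 - i % 8)
        if des_key_has_odd_parity(bytes(corrupted)):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample key: every byte already has odd parity.
    sample = bytes.fromhex("133457799BBCDFF1")
    print(des_key_has_odd_parity(sample))                # True
    print(set_des_key_odd_parity(bytes(8)).hex())        # 0101010101010101
    print(hex(effective_key_bits(b"\xff" * 8)))          # 0xffffffffffffff (2**56 - 1)
```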
3.16.3 Public Key Infrastructure (PKI): Public key infrastructure, if properly implemented
and maintained, can provide a strong means of authentication. By combining a variety of
hardware components, system software, policies, practices, and standards, PKI can provide
for authentication, data integrity, defenses against customer repudiation, and confidentiality.
The system is based on public key cryptography in which each user has a key pair: a unique
electronic value called a public key and a mathematically related private key. The public
key is made available to those who need to verify the user's identity.
The private key is stored on the user's computer or a separate device such as a smart card.
When the key pair is created with strong encryption algorithms and input variables, the
probability of deriving the private key from the public key is extremely remote. The private key
must be stored in encrypted text and protected with a password or PIN to avoid compromise or
disclosure. The private key is used to create an electronic identifier called a digital signature
that uniquely identifies the holder of the private key and can only be authenticated with the
corresponding public key.

Fig. 3.17 : Public key Infrastructure
The certificate authority (CA), which may be the financial institution or its service provider,
plays a key role by attesting with a digital certificate that a particular public key and the
corresponding private key belong to a specific user or system. It is important when issuing a
digital certificate that the registration process for initially verifying the identity of users is
adequately controlled. The CA attests to the individual user's identity by signing the digital
certificate with its own private key, known as the root key. Each time the user establishes a
communication link with the financial institution's systems, a digital signature is transmitted
with a digital certificate. These electronic credentials enable the institution to determine that
the digital certificate is valid, identify the individual as a user, and confirm that transactions
entered into the institution's computer system were performed by that user.
The user's private key exists electronically and is susceptible to being copied over a network
as easily as any other electronic file. If it is lost or compromised, the user can no longer be
assured that messages will remain private or that fraudulent or erroneous transactions would
not be performed. User AUPs and training should emphasize the importance of safeguarding
a private key and promptly reporting its compromise.
PKI minimizes many of the vulnerabilities associated with passwords because it does not rely
on shared secrets to authenticate customers, its electronic credentials are difficult to
compromise, and user credentials cannot be stolen from a central server. The primary
drawback of a PKI authentication system is that it is more complicated and costly to implement
than user names and passwords. Whether the financial institution acts as its own CA or relies
on a third party, the institution should ensure its certificate issuance and revocation policies
and other controls discussed below are followed.
When utilizing PKI policies and controls, financial institutions need to consider the following:
Defining within the certificate issuance policy the methods of initial verification that are
appropriate for different types of certificate applicants and the controls for issuing digital
certificates and key pairs;
Selecting an appropriate certificate validity period to minimize transactional and
reputation risk exposure; expiration provides an opportunity to evaluate the continuing
adequacy of key lengths and encryption algorithms, which can be changed as needed
before issuing a new certificate;
Ensuring that the digital certificate is valid by such means as checking a certificate
revocation list before accepting transactions accompanied by a certificate;
Defining the circumstances for authorizing a certificate's revocation, such as the
compromise of a user's private key or the closing of user accounts;
Updating the database of revoked certificates frequently, ideally in real-time mode;
Employing stringent measures to protect the root key including limited physical access to
CA facilities, tamper-resistant security modules, dual control over private keys and the
process of signing certificates, as well as the storage of original and back-up keys on
computers that do not connect with outside networks;
Requiring regular independent audits to ensure controls are in place, public and private
key lengths remain appropriate, cryptographic modules conform to industry standards,
and procedures are followed to safeguard the CA system;
Recording in a secure audit log all significant events performed by the CA system,
including the use of the root key, where each entry is time/date stamped and signed;
Regularly reviewing exception reports and system activity by the CA's employees to
detect malfunctions and unauthorized activities; and
Ensuring the institution's certificates and authentication systems comply with widely
accepted PKI standards to retain the flexibility to participate in ventures that require the
acceptance of the financial institution's certificates by other CAs.
3.17 Data Security and Public Networks
Historically, only large companies could afford secure networks, which they created from
expensive leased lines. Everyone else had to make do with the relatively insecure Internet.
Nowadays, even huge corporations have to go outside their private nets, because so many
people telecommute or log in while they're on the road. Network administrators as well as
managers must balance security concerns with employees' demand for easy accessibility to
data, grappling with the question : "how do you provide a low-cost, secure electronic network
for your organization?"
One solution is a virtual private network (VPN) : a collection of technologies that creates
secure connections or "tunnels" over regular Internet lines, connections that can be easily used
by anybody logging in from anywhere. Key advantages offered by a VPN include universal
connectivity, security, and low cost.
3.17.1 Firewalls: A firewall is a collection of components (computers, routers, and software) that
mediate access between different security domains. All traffic between the security domains must
pass through the firewall, regardless of the direction of the flow. Since the firewall serves as an
access control point for traffic between security domains, it is ideally situated to inspect and
block traffic and coordinate activities with network intrusion detection systems (IDSs).
There are four primary firewall types from which to choose : packet filtering, stateful inspection,
proxy servers, and application-level firewalls. Any product may have characteristics of one or
more firewall types. The selection of firewall type is dependent on many characteristics of the
security zone, such as the amount of traffic, the sensitivity of the systems and data, and
applications. Additionally, consideration should be given to the ease of firewall administration,
degree of firewall monitoring support through automated logging and log analysis, and the
capability to provide alerts for abnormal activity.
Typically, firewalls block or allow traffic based on rules configured by the administrator. Rule
sets can be static or dynamic. A static rule set is an unchanging statement to be applied to
packet headers, such as blocking all incoming traffic with certain source addresses. A dynamic
rule set often is the result of coordinating a firewall and an IDS. For example, an IDS that
alerts on malicious activity may send a message to the firewall to block the incoming IP
address. The firewall, after ensuring the IP is not on a white list, creates a rule to block the
IP. After a specified period of time the rule expires and traffic is once again allowed from that
IP.
Firewalls are subject to failure. When firewalls fail, they typically should fail closed, blocking
all traffic, rather than failing open and allowing all traffic to pass.
(i) Packet Filter Firewalls : Packet filter firewalls evaluate the headers of each incoming
and outgoing packet to ensure it has a valid internal address, originates from a permitted
external address, connects to an authorized protocol or service, and contains valid basic
header instructions. If the packet does not match the pre-defined policy for allowed traffic,
then the firewall drops the packet. Packet filters generally do not analyze the packet contents
beyond the header information. Many routers contain access control lists (ACLs) that allow for
packet-filtering capabilities.
Dynamic packet filtering incorporates stateful inspection primarily for performance benefits.
Before re-examining every packet, the firewall checks each packet as it arrives to determine
whether it is part of an existing connection. If it verifies that the packet belongs to an
established connection, then it forwards the packet without subjecting it to the firewall rule set.
Weaknesses associated with packet filtering firewalls include the following:
The system is unable to prevent attacks that exploit application-specific vulnerabilities
and functions because the packet filter does not examine packet contents.
Logging functionality is limited to the same information used to make access control
decisions.
Most do not support advanced user authentication schemes.
Firewalls are generally vulnerable to attacks and exploitation that take advantage of
vulnerabilities in network protocols.
The firewalls are easy to misconfigure, which allows traffic to pass that should be
blocked.
Packet filtering offers less security, but faster performance than application-level firewalls.
The former are appropriate in high-speed environments where logging and user authentication
with network resources are not as important. They also are useful in enforcing security zones
at the network level. Packet filter firewalls are also commonly used in small office/home office
(SOHO) systems and default operating system firewalls.
Institutions internally hosting Internet-accessible services should consider implementing
additional firewall components that include application-level screening.
(ii) Stateful Inspection Firewalls : Stateful inspection firewalls are packet filters that
monitor the state of the TCP connection. Each TCP session starts with an initial handshake
communicated through TCP flags in the header information. When a connection is
established the firewall adds the connection information to a table. The firewall can then
compare future packets to the connection or state table. This essentially verifies that inbound
traffic is in response to requests initiated from inside the firewall.
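As an added illustration (not code from the text), the following Python model applies the three behaviours described above together: a static rule set evaluated on header fields, a connection state table that admits inbound packets only as replies to connections already seen (stateful inspection), and an IDS-driven dynamic block rule that checks the allow list first and expires after a set time. All addresses, ports and the time-out are constructed sample values.

```python
# Added model of the firewall behaviour described in the text; not code from
# the text or from any firewall product.  Addresses use documentation ranges.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False        # TCP SYN (new connection attempt) vs. later packet
    inbound: bool = True     # True: arrives from the untrusted side


@dataclass
class Firewall:
    internal_prefix: str                                   # toy prefix match, e.g. "10.0.0."
    inbound_services: set = field(default_factory=set)     # static rule: dports allowed in
    allow_list: set = field(default_factory=set)           # never auto-blocked by IDS alerts
    block_ttl: int = 600                                   # seconds a dynamic rule lives
    failed: bool = False                                   # firewall failure flag
    state: set = field(default_factory=set)                # (client, cport, server, sport)
    dynamic_blocks: dict = field(default_factory=dict)     # ip -> expiry time

    def is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def ids_alert(self, ip: str, now: int) -> bool:
        """IDS reports malicious activity from ip.  The allow list is checked
        first, as the text says; returns True if a block rule was created."""
        if ip in self.allow_list:
            return False
        self.dynamic_blocks[ip] = now + self.block_ttl
        return True

    def _expire_dynamic_rules(self, now: int) -> None:
        self.dynamic_blocks = {ip: t for ip, t in self.dynamic_blocks.items() if t > now}

    def decide(self, pkt: Packet, now: int) -> str:
        """Return 'allow: <reason>' or 'drop: <reason>' for one packet."""
        if self.failed:                                    # fail closed, never open
            return "drop: firewall failure"
        self._expire_dynamic_rules(now)
        # 1. Dynamic rules created from IDS alerts.
        if pkt.src in self.dynamic_blocks:
            return "drop: dynamic block"
        # 2. Stateful check: part of an established connection?  Such packets
        #    skip the static rule set entirely (dynamic packet filtering).
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow: established connection"
        # 3. Static rule set, evaluated on header fields only.
        if pkt.inbound:
            if self.is_internal(pkt.src):
                return "drop: internal source address from outside"
            if not self.is_internal(pkt.dst):
                return "drop: destination is not internal"
            if pkt.syn and pkt.dport in self.inbound_services:
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow: permitted inbound service"
            return "drop: no matching rule"
        if not self.is_internal(pkt.src):
            return "drop: outbound packet with non-internal source"
        if pkt.syn:                                        # record the new connection
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow: outbound"


def run_scenario() -> list:
    """Walk one constructed sequence of packets through the model."""
    fw = Firewall(internal_prefix="10.0.0.", inbound_services={80},
                  allow_list={"203.0.113.5"})
    ext, client, web = "198.51.100.7", "10.0.0.4", "10.0.0.10"
    log = []
    # Unsolicited inbound SSH attempt: no static rule, no state -> dropped.
    log.append(fw.decide(Packet(ext, client, 50000, 22, syn=True), now=100))
    # Internal client opens an HTTPS connection; the replies are then allowed.
    log.append(fw.decide(Packet(client, ext, 40000, 443, syn=True, inbound=False), now=101))
    log.append(fw.decide(Packet(ext, client, 443, 40000), now=102))
    # Inbound SYN to the published web service matches a static rule.
    log.append(fw.decide(Packet("203.0.113.9", web, 5555, 80, syn=True), now=103))
    # An 'internal' source address arriving from outside is spoofed.
    log.append(fw.decide(Packet("10.0.0.9", web, 4444, 80, syn=True), now=104))
    # IDS alert: ext is blocked for block_ttl seconds, even on its live session.
    fw.ids_alert(ext, now=200)
    log.append(fw.decide(Packet(ext, client, 443, 40000), now=201))
    log.append(fw.decide(Packet(ext, client, 443, 40000), now=200 + fw.block_ttl + 1))
    # An allow-listed address is never auto-blocked.
    log.append(str(fw.ids_alert("203.0.113.5", now=300)))
    return log


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```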
(iii) Proxy Server Firewalls : Proxy servers act as an intermediary between internal and
external IP addresses and block direct access to the internal network. Essentially, they
rewrite packet headers to substitute the IP of the proxy server for the IP of the internal
machine and forward packets to and from the internal and external machines. Due to that
limited capability, proxy servers are commonly employed behind other firewall devices. The
primary firewall receives all traffic, determines which application is being targeted, and hands
off the traffic to the appropriate proxy server. Common proxy servers are the domain name
server (DNS), Web server (HTTP), and mail (SMTP) server. Proxy servers frequently cache
requests and responses, providing potential performance benefits.
Additionally, proxy servers provide another layer of access control by segregating the flow of
Internet traffic to support additional authentication and logging capability, as well as content
filtering. Web and e-mail proxy servers, for example, are capable of filtering for potential
malicious code and application-specific commands (see Malicious Code). They may
implement anti-virus and anti-spam filtering, disallow connections to potentially malicious
servers, and disallow the downloading of files in accordance with the institution's security
policy.
Proxy servers are increasing in importance as protocols are tunneled through other protocols.
For example, a protocol-aware proxy may be designed to allow Web server requests to port 80
of an external Web server, but disallow other protocols encapsulated in the port 80 requests.
(iv) Application-Level Firewalls : Application-level firewalls perform application-level
screening, typically including the filtering capabilities of packet filter firewalls with additional
validation of the packet content based on the application. Application-level firewalls capture
and compare packets to state information in the connection tables. Unlike a packet filter
firewall, an application-level firewall continues to examine each packet after the initial
connection is established for specific application or services such as telnet, FTP, HTTP,
SMTP, etc. The application-level firewall can provide additional screening of the packet
payload for commands, protocols, packet length, authorization, content, or invalid headers.
Application level firewalls provide the strongest level of security, but are slower and require
greater expertise to administer properly.
The primary disadvantages of application-level firewalls are as follows:
The time required to read and interpret each packet slows network traffic. Traffic of
certain types may have to be split off before the application-level firewall and passed
through different access controls.
Any particular firewall may provide only limited support for new network applications and
protocols. They also simply may allow traffic from those applications and protocols to go
through the firewall.
3.17.2 Firewall Services and Configuration: Firewalls may provide some additional
services:
Network address translation (NAT) : NAT readdresses outbound packets to mask the
internal IP addresses of the network. Untrusted networks see a different host IP address
from the actual internal address. NAT allows an institution to hide the topology and
address schemes of its trusted network from untrusted networks.
Dynamic host configuration protocol (DHCP) : DHCP assigns IP addresses to machines
that will be subject to the security controls of the firewall.
Virtual Private Network (VPN) gateways : A VPN gateway provides an encrypted tunnel
between a remote external gateway and the internal network. Placing VPN capability on
the firewall and the remote gateway protects information from disclosure between the
gateways but not from the gateway to the terminating machines. Placement on the
firewall, however, allows the firewall to inspect the traffic and perform access control,
logging, and malicious code scanning.

Fig. 3.18 : Firewall
Characteristics | Packet Filter Firewalls | Stateful Inspection Firewalls | Proxy Server Firewalls | Application-Level Firewalls
Inspection | Evaluate packet headers only | Monitors the state of the TCP connection | Intermediary between internal and external networks | Like packet filters, and validate packet content based on the application
Information Updating | Router Access Control Lists (ACL) | TCP connection state table | Rewrite packet headers | Compare packets based on connection tables
Usage | Small office/Home Office (SOHO), operating systems | Network inbound traffic | Domain Name Servers, Web servers and Mail Servers | Telnet, FTP, HTTP and SMTP
Scope | Enforce security zones | Based on requests from the firewall | A layer of access control (content filtering) | Additional screening of packet payload : commands, protocols, packet length, authorization and content
Advantages | Faster performance than application-level firewall | Like packet filters | Cache requests and responses to provide performance benefits | Strong level of security, complete packet interpretation
Weakness | Unable to prevent application specific vulnerabilities, easy to misconfigure, does not support advanced user authentication, basic security | Stateful filtering with predefined rules | Employed behind other firewall devices | Time to interpret the packet contents, limited support for new network applications and protocols
Table 3.8 : Comparative Analysis between types of firewalls.
3.18 Unauthorised Intrusion
Intrusion detection is the attempt to monitor and possibly prevent attempts to intrude into or
otherwise compromise the system and network resources of an organization. Simply put, it
works like this : The computer systems of an organization are attached to a network, and
perhaps even to the internet. The organization allows access to that computer system
from the network, by authorized people, for acceptable reasons. For example, if there is a web
server attached to the internet, only clients, staff, and potential clients are allowed to access
the web pages stored on that web server. The organization does not allow unauthorized access to that system
by anyone, be that staff, customers, or unknown third parties. For example, it does not want
people (other than the web designers that the company has employed) to be able to change
the web pages on that computer. Typically, a firewall or authentication system of some kind
will be employed to prevent unauthorized access.
Sometimes, however, simple firewall or authentication systems can be broken. Intrusion
detection is the set of mechanisms that should be put in place to warn of attempted
unauthorized access to the computer. Intrusion detection systems can also take some steps to
deny access to would-be intruders.
3.18.1 Why use Intrusion Detection?
The underlying reasons why one might use intrusion detection systems are relatively
straightforward : One wants to protect the data and systems integrity. The fact that one cannot always
protect that data integrity from outside intruders in today's Internet environment using
mechanisms such as ordinary password and file security leads to a range of issues. Adequate
system security is of course the first step in ensuring data protection. For example, it is
pointless to attach a system directly to the Internet and hope that nobody will break into it, if it
has no administrator password! Similarly, it is important that the system prevents access to
critical files or authentication databases (such as the NT SAM or the Unix /etc/passwd or
/etc/shadow files) except by authorized systems administrators.
Further measures beyond those normally expected of an intranet system should always be
made on any system connected to the internet. Firewalls and other access prevention
mechanisms should always be put in place. While it may be acceptable to allow NT logon, file
sharing, or telnet access to a system that is entirely internal, an Internet server should always
use more secure mechanisms.
Intrusion detection takes that one step further. Placed between the firewall and the system
being secured, a network based intrusion detection system can provide an extra layer of
protection to that system. For example, monitoring access from the internet to the sensitive
data ports of the secured system can determine whether the firewall has perhaps been
compromised, or whether an unknown mechanism has been used to bypass the security
mechanisms of the firewall to access the network being protected.
3.18.2 What types of Intrusion Detection systems are there?
Intrusion Detection systems fall into two broad categories. These are:
Network based systems. These types of systems are placed on the network, nearby the
system or systems being monitored. They examine the network traffic and determine
whether it falls within acceptable boundaries.
Host based systems. These types of systems actually run on the system being monitored.
These examine the system to determine whether the activity on the system is acceptable.
A more recent type of intrusion detection system is one that resides in the operating system
kernel and monitors activity at the lowest level of the system. Such systems have recently
started becoming available for a few platforms, and are relatively platform specific.
3.19 Hacking?
Hacking is an act of penetrating computer systems to gain knowledge about the system and
how it works.
3.19.1 What are Hackers?
Technically, a hacker is someone who is enthusiastic about computer programming and all
things relating to the technical workings of a computer. However, most people understand a
hacker to be what is more accurately known as a 'cracker'.
3.19.2 What are Crackers?
Crackers are people who try to gain unauthorized access to computers. This is normally done
through the use of a 'backdoor' program installed on the machine. A lot of crackers also try to
gain access to resources through the use of password cracking software, which tries billions of
passwords to find the correct one for accessing a computer.
3.19.3 What damage can a Hacker do?
This depends upon what backdoor program(s) are hiding on the PC. Different programs can
do different amounts of damage. However, most allow a hacker to smuggle another program
onto your PC. This means that if a hacker can't do something using the backdoor program, he
can easily put something else onto your computer. Hackers can see everything you are doing,
and can access any file on your disk. Hackers can write new files, delete files, edit files, and
do practically anything to a file that could be done to a file. A hacker could install several
programs on to your system without your knowledge. Such programs could also be used to
steal personal information such as passwords and credit card information.
3.19.4 How do Hackers hack?
There are many ways in which a hacker can hack. Some are as follows:
NetBIOS
ICMP Ping
FTP
rpc.statd
HTTP
(i) NetBIOS : NetBIOS hackers are the worst kind, since they don't require you to have any
hidden backdoor program running on your computer. This kind of hack exploits a bug in
Windows 9x. NetBIOS is meant to be used on local area networks, so machines on that
network can share information. Unfortunately, the bug is that NetBIOS can also be used
across the Internet - so a hacker can access your machine remotely.
(ii) ICMP Ping (Internet Control Message Protocol) : ICMP is one of the main protocols that
make the Internet work. It stands for Internet Control Message Protocol. 'Ping' is one of the
commands that can be sent to a computer using ICMP. Ordinarily, a computer would respond to
this ping, telling the sender that the computer does exist. This is all pings are meant to do. Pings
may seem harmless enough, but a large number of pings can make a Denial-of-Service attack,
which overloads a computer. Also, hackers can use pings to see if a computer exists and does not
have a firewall (firewalls can block pings). If a computer responds to a ping, then the hacker could
launch a more serious form of attack against a computer.
(iii) FTP (File Transfer Protocol) : FTP is a standard Internet protocol, standing for File
Transfer Protocol. It can be used for file downloads from some websites. If you have a web
page of your own, you may use FTP to upload it from your home computer to the web server.
However, FTP can also be used by some hackers. FTP normally requires some form of
authentication for access to private files, or for writing to files. FTP backdoor programs, such as:
Doly Trojan
Fore
Blade Runner
simply turn your computer into an FTP server, without any authentication.
(iv) RPC statd : This is a problem specific to Linux and Unix. The problem is the infamous
unchecked buffer overflow problem. This is where a fixed amount of memory is set aside for
storage of data. If data is received that is larger than this buffer, the program should truncate
the data or send back an error, or at least do something other than ignore the problem.
Unfortunately, the data overflows the memory that has been allocated to it, and the data is
written into parts of memory it shouldn't be in. This can cause crashes of various different
kinds. However, a skilled hacker could write bits of program code into memory that may be
executed to perform the hacker's evil deeds.
(v) HTTP (Hypertext Transfer Protocol) : HTTP hacks can only be harmful
if you are using Microsoft web server software, such as Personal Web Server. There is a bug
in this software called an 'unchecked buffer overflow'. If a user makes a request for a file on
the web server with a very long name, part of the request gets written into parts of memory
that contain active program code. A malicious user could use this to run any program they
want on the server.
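As an added example, not from the text, the following Python applies the network-based monitoring of 3.18 to two of the patterns above: a burst of ICMP echo requests from one source (ii) and a request for a file name longer than a server's fixed buffer (v). It runs over constructed log lines; the log formats, addresses and thresholds are assumptions made for this example.

```python
# Added detection example (not code from the text).  The two log formats,
# the addresses (documentation ranges) and the thresholds are assumptions.
import re
from collections import defaultdict, deque

# Constructed packet-log format: "<epoch-seconds> ICMP <src> -> <dst> echo-request"
ICMP_LINE = re.compile(r"^(\d+) ICMP (\S+) -> (\S+) echo-request$")
# Constructed web-server log format: '<src> "<method> <path> HTTP/<ver>" <status>'
HTTP_LINE = re.compile(r'^(\S+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})$')


def icmp_flood_sources(lines, window=10, threshold=20):
    """Sources that sent more than `threshold` echo requests within any
    `window`-second span.  Returns {src: peak count seen in one window}.

    A single ping is harmless; a sustained burst from one source is the
    denial-of-service or host-discovery pattern the text describes.
    """
    recent = defaultdict(deque)          # src -> timestamps inside the window
    flagged = {}
    for line in lines:
        m = ICMP_LINE.match(line)
        if not m:
            continue
        ts, src = int(m.group(1)), m.group(2)
        q = recent[src]
        q.append(ts)
        while q and q[0] <= ts - window:   # slide the window forward
            q.popleft()
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def overlong_requests(lines, max_path=255):
    """Requests whose path is longer than the server can safely buffer.

    A path longer than the fixed buffer is the trigger for the 'unchecked
    buffer overflow' described in (v); flagging it lets an administrator
    check the server for the vulnerable software.  Returns [(src, length)].
    """
    hits = []
    for line in lines:
        m = HTTP_LINE.match(line)
        if not m:
            continue
        src, path = m.group(1), m.group(3)
        if len(path) > max_path:
            hits.append((src, len(path)))
    return hits


# Constructed sample logs, not real traffic.
SAMPLE_ICMP_LOG = (
    # 30 echo requests from one source in six seconds
    [f"{1000 + i // 5} ICMP 198.51.100.7 -> 10.0.0.10 echo-request" for i in range(30)]
    # a normal host pinging three times over a minute
    + [f"{1000 + 30 * i} ICMP 203.0.113.5 -> 10.0.0.10 echo-request" for i in range(3)]
)
SAMPLE_HTTP_LOG = [
    '203.0.113.5 "GET /index.html HTTP/1.1" 200',
    '203.0.113.9 "GET /' + "A" * 300 + ' HTTP/1.1" 200',   # 301-character path
    '203.0.113.5 "POST /login HTTP/1.1" 302',
]

if __name__ == "__main__":
    print(icmp_flood_sources(SAMPLE_ICMP_LOG))    # {'198.51.100.7': 30}
    print(overlong_requests(SAMPLE_HTTP_LOG))     # [('203.0.113.9', 301)]
```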
3.19.4 Auditor's Role: The focus of the IS Auditor is to examine all factors that adversely
bear on the confidentiality, integrity and availability of the information, due to improper
physical access. Confidentiality, Integrity and Availability (CIA Triad) are the core principles of
information safety.

Fig 3.19 : Principles of Information Safety
Confidentiality - Preventing disclosure of information to unauthorized individuals or
systems.
Integrity - Preventing modification of data by unauthorized personnel.
Availability - Information must be available when it is needed.
The table below summarizes the detective, preventive, corrective and supportive control
activities that can ensure the confidentiality, integrity and availability of information/data
across information system networks.
Legend : D - Detective, P - Preventive, C - Corrective, S - Support
Column groups : System Control Features, Intrusion Detection Monitoring, Vulnerability
Assessment. The seven control columns, in order, are : Application Based, Host Based,
Target Based, Network Based, Host Based, Network Based, Password Assessment. Each row
lists the control activities that apply to that exposure.
Confidentiality
Unauthorized access to files and system resources : D P P P
Modification to files : D D P P P
Violation of enterprise system access policies : D D P P
Violation of security policies : D D D D P P
Weak or non-existent passwords : D D D D
Integrity
Placement of Trojan horse or malicious software : D D P P
Presence of Trojan horse or malicious software : D
Attack against network services : D P
Script based attacks : D D P
Availability
Denial of Service attacks : D P
Failure or mis-configuration of firewalls : D D P P
Attacks happening over encrypted links : D D
Unusual activity or variation from normal data pattern : D D
Other
Errors in network configuration : D D P C D P C
Liability exposure associated with attacker using own resources to attack others : P P P P P P P
Post incident damage assessment : S S S S S S S
Table 3.9 : Network Controls
3.20 Data Privacy
Data privacy refers to the evolving relationship between technology and the legal right to, or public
expectation of, privacy in the collection and sharing of data. Privacy problems exist wherever
uniquely identifiable data relating to a person or persons are collected and stored, in digital form or
otherwise. Improper or non-existent disclosure control can be the root cause of privacy issues.
The most common sources of data that are affected by data privacy issues are:
Health information.
Criminal justice.
Financial information.
Genetic information.
Location information.
The challenge in data privacy is to share data while protecting the personally identifiable
information. Consider the example of health data which are collected from hospitals in a
district; it is standard practice to share this only in the aggregate. The idea of sharing the data
in the aggregate is to ensure that only non-identifiable data are shared.
The legal protection of the right to privacy in general and of data privacy in particular varies
greatly around the world.
3.20.1 Protecting data privacy in information systems: Increasingly, as heterogeneous
information systems with different privacy rules are interconnected, technical control and
logging mechanisms (policy appliances) will be required to reconcile, enforce and monitor
privacy policy rules (and laws) as information is shared across systems and to ensure
accountability for information use. There are several technologies to address privacy
protection in enterprise IT systems. These fall into two categories : communication and
enforcement.
(i) Policy Communication
P3P - The Platform for Privacy Preferences. P3P is a standard for communicating
privacy practices and comparing them to the preferences of individuals.
(ii) Policy Enforcement
XACML - The eXtensible Access Control Markup Language together with its Privacy
Profile is a standard for expressing privacy policies in a machine-readable language
which a software system can use to enforce the policy in enterprise IT systems.
EPAL - The Enterprise Privacy Authorization Language is very similar to XACML,
but is not yet a standard.
WS-Privacy - "Web Service Privacy" will be a specification for communicating
privacy policy in web services. For example, it may specify how privacy policy
information can be embedded in the SOAP envelope of a web service message.
3.20.2 Data Privacy Policies: Copyright Notice : All information owned by the company and
considered intellectual property, whether written, printed, or stored as data, must be labeled
with a copyright notice in the following format : Copyright 2003 [Company Name], Inc. All
Rights Reserved
E-mail Monitoring : All e-mail must be monitored for the following activity :
Non-business use
Inflammatory, unethical, or illegal content
Disclosure of company confidential information
Large file attachments or message sizes
Customer Information Sharing : Corporate customer information may not be shared with
outside companies or individuals.
Encryption of Data Backups : All data backups must be encrypted.
Encryption of Extranet Connection : All extranet connections must use encryption to
protect the privacy of the information traversing the network.
Data Access : Access to corporate information, hard copy, and electronic data is
restricted to individuals with a need to know for a legitimate business reason. Each
individual is granted access only to those corporate information resources required for
them to perform their job functions.
3.21 Controlling Against Viruses and other Destructive Programs
Destructive programs such as viruses are responsible for huge amounts of corporate losses
annually. The losses are measured in terms of data corruption and destruction, degraded
computer performance, hardware destruction, violations of privacy, and the personnel time
devoted to repairing the damage. We have discussed below the virus, one of the more common
types of destructive program. Worms, Trojan horses, logic bombs and back doors were
discussed in previous sections :
3.21.1 Virus: A virus is a program (usually destructive) that attaches itself to a legitimate
program to penetrate the operating system. The virus destroys application programs, data
files, and operating systems in a number of ways. One common technique is for the virus to
simply replicate itself over and over within the main memory, thus destroying whatever data or
programs are resident. One of the most insidious aspects of a virus is its ability to spread
throughout the system and to other systems before perpetrating its destructive acts. Typically,
a virus will have a built-in counter that will inhibit its destructive role until the virus has copied
itself a specified number of times to other programs and systems. The virus thus grows
geometrically, which makes tracing its origin extremely difficult.
Virus programs usually attach themselves to the following types of files:
An .EXE or .COM program file
The .OVL (overlay) program file
The boot sector of a disk
A device driver program
When a virus-infected program is executed, the virus searches the system for uninfected
programs and copies itself into these programs. The virus in this way thus spreads to the
applications of other users or to the operating system itself.
3.21.2 Anti-virus Software: Among the counter measures against virus attacks, anti-virus
software is the most widely used technique to detect viruses and prevent their further
propagation and harm. There are three types of anti-virus software.
(i) Scanners : The software looks for a sequence of bits called virus signatures that are
characteristic of virus code. They check memory, disk boot sectors, executables and
system files to find matching bit patterns. In this context it may be noted that on an average
1500 newer viruses emerge every month. Hence, it is necessary to frequently update the
scanners with the data on virus code patterns for the scanners to be reasonably effective.
(ii) Active Monitor and Heuristic Scanner : This looks for critical interrupt calls and critical
operating system functions such as OS calls and BIOS calls, which resemble virus action.
However, this also makes them inefficient since they cannot differentiate between genuine
system calls and virus action. These could be annoying and generally do not serve the
purpose.
(iii) Integrity Checkers : These can detect any unauthorized changes to files on the system.
They require the software to take stock of all files resident on the system and compute a
binary check value called the Cyclic Redundancy Check (CRC). When a program is called for
execution, the software computes the CRC again and checks it against the value stored on the
disk. However, such checks assume that frequent changes to applications and system
utilities do not occur.
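The integrity-checker idea from (iii) carried through in code, as an added example that is not part of the study material: a CRC baseline is recorded for each file on a clean system, and a later verification recomputes the CRC and reports any mismatch. The in-memory "files", their names and contents are constructed for illustration.

```c
/* Added example: a minimal CRC-32 integrity checker over in-memory "files".
 * File names and contents are constructed; nothing here is real program code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILES 8

/* Standard CRC-32 (IEEE 802.3 polynomial, reflected form, as used by zip). */
static uint32_t crc_table[256];
static int crc_table_ready = 0;

static void crc_table_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

uint32_t crc32_compute(const unsigned char *data, size_t len)
{
    if (!crc_table_ready) crc_table_init();
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        c = crc_table[(c ^ data[i]) & 0xFFu] ^ (c >> 8);
    return c ^ 0xFFFFFFFFu;
}

struct baseline_entry {
    char name[32];
    uint32_t crc;
};

struct baseline {
    struct baseline_entry entries[MAX_FILES];
    int count;
};

/* Taking stock: record the known-good CRC of a file, once, on a clean system.
 * Returns 0 on success, -1 if the baseline is full. */
int baseline_record(struct baseline *b, const char *name,
                    const unsigned char *content, size_t len)
{
    if (b->count >= MAX_FILES) return -1;
    struct baseline_entry *e = &b->entries[b->count++];
    strncpy(e->name, name, sizeof e->name - 1);
    e->name[sizeof e->name - 1] = '\0';
    e->crc = crc32_compute(content, len);
    return 0;
}

/* The check run when a program is called for execution: 1 if the content
 * still matches the stored CRC, 0 if it has been altered, -1 if the file has
 * no baseline entry (an unknown executable is itself worth reporting). */
int baseline_verify(const struct baseline *b, const char *name,
                    const unsigned char *content, size_t len)
{
    for (int i = 0; i < b->count; i++)
        if (strcmp(b->entries[i].name, name) == 0)
            return crc32_compute(content, len) == b->entries[i].crc ? 1 : 0;
    return -1;
}

int main(void)
{
    struct baseline b;
    memset(&b, 0, sizeof b);
    /* Constructed "executables": a few bytes stand in for program code. */
    const unsigned char payroll[] = "payroll v1.0: compute wages";
    const unsigned char ledger[]  = "ledger v2.3: post entries";
    baseline_record(&b, "PAYROLL.EXE", payroll, sizeof payroll - 1);
    baseline_record(&b, "LEDGER.EXE",  ledger,  sizeof ledger - 1);

    /* Later, something appends two bytes to PAYROLL.EXE (constructed). */
    const unsigned char payroll_altered[] = "payroll v1.0: compute wages\x90\x90";
    printf("PAYROLL.EXE unchanged: %d\n",
           baseline_verify(&b, "PAYROLL.EXE", payroll, sizeof payroll - 1));
    printf("PAYROLL.EXE altered:   %d\n",
           baseline_verify(&b, "PAYROLL.EXE", payroll_altered, sizeof payroll_altered - 1));
    printf("UNKNOWN.EXE:           %d\n",
           baseline_verify(&b, "UNKNOWN.EXE", ledger, sizeof ledger - 1));
    return 0;
}
```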
Further, technical controls such as securing systems with hardware based password and
encryption locks and remote booting are also used. However, there is no single control, which
can act as a panacea for all virus attacks. Virus control is in fact a combination of
management, technical, administrative, application and importantly operational controls.
The best policy for virus control is preventive control. Of course, detective and corrective controls should
be in place to ensure complete control over virus proliferation and damage control.
3.21.3 Recommended policy and procedure controls
The Security Policy should address the virus threats, systems vulnerabilities and
controls. A separate section on anti-virus is appropriate to address the various degrees
of risks and suitable controls thereof.
Anti-virus awareness and training on symptoms of attacks, methods of reducing damage,
cleaning and quarantining should be given to all employees.
Hardware installations and associated computing devices should be periodically verified
for parameter settings.
As part of SDLC Controls the development area should be free of viruses and sufficient
safeguards must be in place to secure the area from viruses.
Provision of drives to read media should be restricted to certain controlled terminals and
should be write-protected.
Network access to the Internet should be restricted preferably to stand-alone computers.
Networks should be protected by means of firewalls that can prevent entry of known
viruses.
The servers and all terminals must have rated anti-virus software installed with sufficient
number of user licenses.
Procedures should ensure that systematic updates are applied to all anti-virus
installations at frequent intervals.
External media such as disks, CDs, tapes need to be avoided. If necessary such media
should be scanned on a stand-alone machine and certified by the Department.
Vendors and consultants should not be allowed to run their demonstrations and
presentations on organizational systems.
All new software acquisitions should follow a controlled procedure of centralized
acquisition and testing for viruses.
Patches to operating systems and other software and upgrades thereof should be
acquired from authentic sources and scanned before installation.
Reporting and incident handling procedures should be in place to suitably handle virus
incidents and eradicate them at the earliest.
An effective backup plan must be implemented and monitored to ensure that back-up
media is not infected and preferably encrypted. Only new media must be used for back-
up purposes.
3.22 Logical Access Controls
Logical access controls are the system-based mechanisms used to designate who or what is
to have access to a specific system resource and the type of transactions and functions that
are permitted. Assessing logical access controls involves evaluating the following critical
procedures :
Logical access controls restrict users to authorized transactions and functions.
There are logical controls over network access.
There are controls implemented to protect the integrity of the application and the
confidence of the public when the public accesses the system.
3.22.1 Logical Access Paths
(i) Online Terminals -To access an online terminal a user has to provide a valid logon-ID and
password. If additional authentication mechanisms are added along with the password, it will
strengthen the security.
Operator Console : The operator console is one of the crucial places where any intruder can
play havoc. Hence, access to the operator console must be restricted. This can be done by :
Keeping the operator console at a place which is visible to all.
Keeping the operator console in a protected room accessible only to selected personnel.
(ii) Batch Job Processing : In a batch processing environment all jobs are processed in a
batch. These batches are processed at regular intervals. The jobs are accumulated and sent
as batches. Thus during an accumulation there is a possibility of an unknown job entering into
a batch which may challenge security of the data. To avoid this access should be granted only
to authorized people i.e., people who can accumulate transactions and who can initiate batch
processing. Even the accumulated jobs, which are waiting to be processed, should be
controlled appropriately.
(iii) Dial-up Ports : Using a dial-up port a user at one location can connect remotely to another
computer present at an unknown location via a telecommunication medium. A modem is a
device which converts the digital data transmitted into analog data (the form that the
telecommunication device uses). Thus the modem acts as an interface between the remote
terminal and the telephone line. Security is achieved by providing a means of identifying the
remote user to determine authorization to access. A dial back line ensures security by
confirming the presence and exactness of the data sent.
(iv) Telecommunication Network : In a telecommunication network a number of computer
terminals, personal computers etc. are linked to the host computer through network or
telecommunication lines. Whether the telecommunication lines are private (i.e.,
dedicated to one user) or public, security is provided in the same manner as it is applied to
online terminals.
Each of these routes has to be subjected to appropriate means of security in order to secure it
from the possible logical access exposures.
Fig. 3.20 : Logical Access Paths in an Enterprise Information System
3.22.2 Logical Access Issues and Exposures: Controls that reduce the risk of misuse
(intentional or unintentional), theft, alteration or destruction should be used to protect against
unauthorized and unnecessary access to computer files. Restricting and monitoring computer
operator activities in a batch-processing environment provides this control. The avenues of
access are more complex and direct in an online system and hence the level of control for this
system must be more complex, as shown in Fig. 3.20.
Access control mechanisms should be applied not only to computer operators but also to end
users, programmers, security administrators, management or any other authorized user.
Access control mechanisms should provide security to the following applications:
Access control software
Application software
Data
Data dictionary/directory
Dial-up lines
Libraries
Logging files
Operating system exits
Password library
Procedure libraries
Spool queues
System software
Tape files
Telecommunication lines
Temporary disk files.
Utilities.
The above-mentioned resources should be properly secured to assure the security of data.
Fig. 3.21 : Transaction processing-activities subject to logical controls
3.22.3 Issues and Revelations related to Logical Access: Logical access controls are
used to reduce the organization's potential for the losses that result due to exposures that
may lead to the total shutdown of computer functions. Intentional or accidental exposure
of logical access controls encourages technical exposures and computer crimes.
(a) Technical Exposures : Technical exposures include unauthorized implementation or
modification of data and software. Technical exposures include the following:
(i) Data Diddling : Data diddling involves the change of data before or as they are entered
into the system. Limited technical knowledge is required to diddle data, and the worst part
of this is that it occurs before computer security can protect the data.
(ii) Bombs : A bomb is a piece of bad code deliberately planted by an insider or supplier of a
program. A bomb is triggered by a logical event or is time based. The bombs explode when
the conditions of explosion get fulfilled, causing the damage immediately. However, these
programs cannot infect other programs. Since these programs do not circulate by infecting
other programs, chances of a widespread epidemic are relatively slim.
Bombs are generally of the following two types:
Time Bomb : This name has been borrowed from its physical counterpart because of the
mechanism of activation. A physical time bomb explodes at the time it is set for (unless
somebody forces it to explode early); likewise the computer time bomb causes a
perverse activity, such as disruption of the computer system, modification or destruction
of stored information etc. on the particular date and time for which it has been developed.
The computer clock initiates it.
Logic Bomb : They resemble time bombs in their destruction activity. Logic bombs are
activated by combination of events. For example, a code like; If a file named
DELETENOT is deleted then destroy the memory contents by writing ones. This code
segment, on execution, may cause destruction of the contents of the memory on deleting
a file named DELETENOT. These bombs can be set to go off at a future time or event.
(iii) Trojan Horse : These are malicious programs that are hidden under any authorized
program. Typically, a Trojan horse is illicit coding contained in a legitimate program, and
causes an illegitimate action. The concept of a Trojan is similar to bombs, but a computer clock
or particular circumstances do not necessarily activate it. A Trojan may :
Change or steal the password, or
Modify records in protected files, or
Allow illicit users to use the system.
Trojan Horses hide in a host and generally do not damage the host program. Trojans cannot
copy themselves to other software in the same or other systems. The Trojans may get
activated only if the illicit program is called explicitly. It can be transferred to other system
only if an unsuspecting user copies the Trojan program.
Christmas Card is a well-known example of a Trojan. It was detected on the internal E-mail of an IBM
system. On typing the word Christmas, it will draw the Christmas tree as expected, but in
addition, it will send copies of similar output to all other users connected to the network.
Because of this message on other terminals, other users cannot save their half finished work.
(iv) Worms : A worm does not require a host program like a Trojan to relocate itself. Thus, a
worm program copies itself to another machine on the network. Since worms are stand-alone
programs, they can be detected easily in comparison to Trojans and computer viruses.
Worms can help to sabotage systems yet they can also be used to perform some useful tasks.
For example, worms can be used in the installation of a network. A worm can be inserted in a
network and we can check for its presence at each node. A node, which does not indicate the
presence of the worm for quite some time, can be assumed as not connected to the network.
Examples of worms are Existential Worm, Alarm clock Worm etc. The Alarm Clock worm
places wake-up calls on a list of users. It passes through the network to an outgoing terminal
while the sole purpose of existential worm is to remain alive.
Existential worm does not cause damage to the system, but only copies itself to several places
in a computer network.
(v) Rounding Down : This refers to rounding of small fractions of a denomination and
transferring these small fractions into an authorized account. As the amount is small it gets
rarely noticed.
(vi) Salami Techniques : This involves slicing off small amounts of money from a
computerized transaction or account and is similar to the rounding down technique. A Salami
technique is slightly different from a rounding technique in the sense that only the last few digits are
rounded off here. For example, in the rounding down technique, ₹ 21,23,456.39 becomes
₹ 21,23,456.35, while in the Salami technique the transaction amount ₹ 21,23,456.39 is
truncated to either ₹ 21,23,456.30 or ₹ 21,23,456.00, depending on the calculation.
(vii) Trap Doors : Trap doors are exits out of an authorized program that allow
insertion of specific logic, such as program interrupts that permit a review of data. They also
permit insertion of unauthorized logic.
(b) Computer Crime Exposures : Computers can be utilized both constructively and
destructively. Computer systems are used to steal money, goods, software or corporate
information. Crimes are also committed when false data or unauthorized transaction is made.
Crimes that are committed using computers and the information they contain can damage the
reputation, morale and very existence of an organization. Computer crimes generally result in
loss of customers, embarrassment to management and legal actions against the
organization.
(i) Financial Loss : Financial losses may be direct like loss of electronic funds or indirect like
expenditure towards repair of damaged electronic components.
(ii) Legal Repercussions : An organization has to adhere to many human rights laws while
developing security policies and procedures. These laws protect both the perpetrator
and organization from trial. The organizations will be exposed to lawsuits from investors
and insurers if there are no proper security measures. The IS auditor should take legal
counsel while reviewing the issues associated with computer security.
(iii) Loss of Credibility or Competitive Edge : In order to maintain a competitive edge, many
companies, especially service firms such as banks and investment firms, need
credibility and public trust. This credibility will be shattered, resulting in loss of business
and prestige, if a security violation occurs.
(iv) Blackmail/Industrial Espionage : By knowing the confidential information, the perpetrator
can obtain money from the organization by threatening and exploiting the security
violation.
(v) Disclosure of Confidential, Sensitive or Embarrassing Information : These events can
spoil the reputation of the organization. Legal or regulatory actions against the company
are also a result of disclosure.
(vi) Sabotage : People who may not be interested in financial gain but who want to spoil the
credibility of the company will engage in such activities. They do it because of their
dislike towards the organization or for their intemperance.
Logical access violators are often the same people who exploit physical exposures, although
the skills needed to exploit logical exposures are more technical and complex.
Hackers : Hackers try their best to overcome restrictions to prove their ability. They
never try to misuse the computer intentionally.
Employees (authorized or unauthorized)
IS Personnel : They have the easiest access to computerized information since they are
custodians of this information. Segregation of duties and supervision help to reduce
logical access violations.
End Users
Former Employees : One should be cautious of former employees who have left the
organization on unfavorable terms.
Interested or Educated Outsiders.
Competitors
Foreigners
Organized criminals
Crackers
Part-time and Temporary Personnel
Vendors and consultants
Accidental/Ignorant Violation : done unknowingly.
(vii) Spoofing : A spoofing attack involves forging one's source address. One machine is
used to impersonate the other in the spoofing technique. Spoofing occurs only after a
particular machine has been identified as vulnerable. A penetrator makes the user think
that he is interacting with the operating system. For example, a penetrator duplicates the
logon procedure, captures the user's password, attempts a system crash and makes
the user log in again. It is only the second time that the user actually logs into the system.
(c) Asynchronous Attacks : They occur in many environments where data can be moved
asynchronously across telecommunication lines. Numerous transmissions must wait for the
clearance of the line before data can be transmitted. Data that are waiting to be transmitted are
liable to unauthorized access, called an asynchronous attack. These attacks are hard to detect
because they are usually very small, pin-like insertions. There are many forms of
asynchronous attacks.
(i) Data Leakage : Data is a critical resource for an organization to function effectively. Data
leakage involves leaking information out of the computer by means of dumping files to
paper or stealing computer reports and tapes.
(ii) Wire-tapping : This involves spying on information being transmitted over
telecommunication network.
Fig. 3.22 : Wire Tapping (Mr. A, Mr. B and a hacker on the Internet/communication facility; the hacker observes a message from Mr. B and reads its contents)
(iii) Piggybacking : This is the act of following an authorized person through a secured door,
or electronically attaching to an authorized telecommunication link that intercepts and
alters transmissions. This involves intercepting communications between
the operating system and the user and modifying them or substituting new messages. A
special terminal is tapped into the communication for this purpose.
Fig. 3.23 : Piggybacking (Mr. A, Mr. B and a hacker on the Internet/communication facility; the hacker captures a message from Mr. B and modifies it or adds contents to it)
(iv) Shut Down of the Computer/Denial of Service : This is initiated through terminals or
microcomputers that are directly or indirectly connected to the computer. Individuals who
know the high-level system log-on ID can initiate the shutdown process. This security
measure will function effectively only if there are appropriate access controls on
logging on through a telecommunication network. Some systems have proved vulnerable to
shutting themselves down when overloading happens. Hackers use this
technique to shut down computer systems over the Internet.
Fig 3.24 : Denial of Service (the hacker disrupts the service provided by the server to Mr. B over the Internet/communication facility)
(d) Remote and distributed data processing applications can be controlled in many ways.
Remote access to computers and data files through the network should be implemented.
Having a terminal lock can assure physical security to some extent.
Applications that can be remotely accessed via modems and other devices should be
controlled appropriately.
Terminal and computer operations at remote locations should be monitored carefully and
frequently for violations.
In order to prevent unauthorized users from gaining entry into the system, there should be
proper control mechanisms over system documentation and manuals.
Data transmission to remote locations should be controlled. The location which sends
data should attach the needed control information that helps the receiving location to verify
its genuineness and integrity.
When replicated copies of files exist at multiple locations it must be ensured that all
copies are identical and contain the same information, and checks are also done to ensure that
duplicate data does not exist.
(e) Physical and Environmental Protection : Physical security and environmental security
are the measures taken to protect systems, buildings, and related supporting infrastructures
against threats associated with their physical environment. Assessing physical and
environmental protection involves evaluating the following critical procedures :
Adequate physical security controls have been implemented and are commensurate with
the risks of physical damage or access.
Data is protected from interception.
Mobile and portable systems are protected.
3.22.4 Logical Access Control Across the System: Logical access controls serve as one
of the means of information security. The purpose of logical access controls is to restrict
access to information assets / resources. They are expected to provide access to information
resources on a need to know and need to have basis using principle of least privileges. It
means that the access should not be so restrictive that it makes the performance of business
functions difficult or it should not be so liberal that it can be misused i.e. it should be just
sufficient for one to perform one's duty without any problem or restraint. The data, an
information asset, can be :
Resident on a machine (for use by an application)
Stored in some medium (backup)
In transit (being transferred from one location to another)
Logical access controls are all about protection of these assets wherever they reside.
User access management
User registration : Information about every user is documented. The following
questions are to be answered : Why is the user granted the
access? Has the data owner approved the access? Has the user
accepted the responsibility? The de-registration process is also
equally important.
Privilege management : Access privileges are to be aligned with job requirements and
responsibilities. For example, an operator at the order counter shall
have direct access to the order processing activity of the application
system. He/she will be provided higher access privileges than
others. However, misuse of such privileges could endanger the
organization's information security. These privileges are to be
minimal with respect to their job functions.
User password management : Passwords are usually the default screening point for access to
systems. Allocation, storage, revocation, and reissue of passwords
are password management functions. Educating users about passwords,
and making them responsible for their password, is a critical component.
Review of user access rights : A user's need for accessing information changes with time and
requires a periodic review of access rights to check anomalies between
the user's current job profile and the privileges granted earlier.
User responsibilities
User awareness and responsibility is also an important factor:
Password use : Mandatory use of strong passwords to maintain confidentiality.
Unattended user equipment : Users should ensure that none of the equipment under their
responsibility is ever left unprotected. They should also secure their
PCs with a password, and should not leave them accessible to others.
Network access
control

An Internet connection exposes an organization to the entire world.
This brings up the issue of benefits the organization should derive
along with the precaution against harmful elements. This can be
achieved through the following means:
Policy on use of network services
An enterprise wide applicable internet service requirements aligned
with the business need policy based on business needs for using
the Internet services is the first step. Selection of appropriate
services and approval to access them will be part of this policy.
Enforced path
Based on risk assessment, it is necessary to specify the exact path
or route connecting the networks; for example, Internet access
by employees will be routed through a firewall. Hierarchical access
levels should also be maintained for both internal and external user
logging.
Segregation of networks
Networks are segregated based on the sensitivity of the information they
handle; for example, a VPN connection between a branch office and the
head office is to be isolated from the network that provides general
Internet access to employees.
Network connection and routing control
The traffic between networks should be restricted based on
identification of the source and on the authentication and access policies
implemented across the enterprise network.
Security of network services
The authentication and authorization techniques and policies
implemented across the organization's network.
Operating system access control
The operating system provides the platform for an application to use
various IS resources and perform the specific business function. If
an intruder is able to bypass the network perimeter security
controls, the operating system is the last barrier to be conquered
for unlimited access to all the resources. Hence, protecting
operating system access is extremely crucial.
Automated terminal identification
This will help to ensure that a particular session could only be
initiated from a particular location or computer terminal.
Terminal log-on procedures
The log-on procedure should not provide unnecessary help or
information, which could be misused by an intruder.
User identification and authentication
The users must be identified and authenticated in a foolproof
manner. Depending on risk assessment, more stringent methods
like Biometric Authentication or Cryptographic means like Digital
Certificates should be employed.
Password management system
An operating system could enforce selection of good passwords.
Internal storage of password should use one-way encryption
algorithms and the password file should not be accessible to users.
Use of system utilities
System utilities are the programs that help to manage critical
functions of the operating system, for example, addition or
deletion of users. Obviously, these utilities should not be accessible to
a general user. Use and access to these utilities should be strictly
controlled and logged.
Duress alarm to safeguard users
If users are forced to execute some instruction under threat, the
system should provide a means to alert the authorities. An example
could be forcing a person to withdraw money from the ATM. Many
banks provide a secret code to alert the bank about such
transactions.
Terminal time out
Log out the user if the terminal is inactive for a defined period. This
will prevent misuse in absence of the legitimate user.
Limitation of connection time
Define the available time slot. Do not allow any transaction beyond
this time period. For example, no computer access after 8.00 p.m.
and before 8.00 a.m., or on a Saturday or Sunday.
Application and monitoring system access control
Information access restriction
Access to information is restricted by application-specific
menu interfaces, which limit access to system functions. A user is
allowed to access only those items he is authorized to access.
Controls are implemented on the access rights of users, for
example read, write, delete and execute, and ensure that
sensitive output is sent only to authorized terminals and locations.
Sensitive system isolation
Based on how critical a system is to the enterprise, it
may even be necessary to run the system in an isolated
environment.
Monitoring system access and use is a detective control, to check if
preventive controls discussed so far are working. If not, this control
will detect and report any unauthorized activities.
Event logging
In computer systems it is easy and viable to maintain extensive
logs for all types of events. It is necessary to review if logging is
enabled and the logs are archived properly.
Monitor system use
Based on the risk assessment a constant monitoring of some
critical systems is essential. Define the details of types of
accesses, operations, events and alerts that will be monitored. The
extent of detail and the frequency of the review would be based on
criticality of operation and risk factors. The log files are to be
reviewed periodically and attention should be given to any gaps in
these logs.
Clock synchronization
Event logs maintained across an enterprise network play a
significant role in correlating events and generating reports on them.
Hence, synchronizing clocks across the network to a
standard time is mandatory.
Mobile computing
In today's organizations, the computing facility is not restricted to a
particular data centre alone. Ease of access on the move improves
efficiency but places additional responsibility on users, and on
management the need to maintain information security.
Mobile computing
Theft of data carried on the disk drives of portable computers is a
high risk factor. Both physical and logical access to these systems
is critical. Information is to be encrypted and access identifications
like fingerprint, eye-iris, and smart cards are necessary security
features.
Table 3.10 : Logical Access Controls
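The password management system and terminal log-on items in Table 3.10 can be illustrated in code. The following Python routine is an added example written for this chapter and is not code from the ICAI study material: it enforces selection of a good password, keeps only a salted one-way digest in the password store so that the file never holds the password itself, and answers every failed log-on with the same bare result so that the log-on procedure gives an intruder no unnecessary help. The user names, the 12-character minimum, the choice of PBKDF2 from Python's standard library and its work factor are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, NamedTuple

# Added example (not from the ICAI text): a minimal password management
# system for an operating system. Policy thresholds are assumptions.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 200_000   # assumed work factor for the one-way function
DUMMY_SALT = os.urandom(16)   # unknown users cost the same as known ones


class PasswordRecord(NamedTuple):
    salt: bytes     # per-user random salt, stored beside the digest
    digest: bytes   # one-way digest; the password itself is never stored


def password_is_strong(password: str) -> bool:
    """Enforce selection of good passwords: minimum length and four
    character classes (lower, upper, digit, symbol)."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return all(re.search(pattern, password) for pattern in classes)


def one_way_digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; cannot be reversed to recover the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def create_user(store: Dict[str, PasswordRecord], user: str, password: str) -> bool:
    """Add a user to the password store. Returns False (and stores nothing)
    when the password fails the policy."""
    if not password_is_strong(password):
        return False
    salt = os.urandom(16)
    store[user] = PasswordRecord(salt, one_way_digest(password, salt))
    return True


def authenticate(store: Dict[str, PasswordRecord], user: str, password: str) -> bool:
    """Terminal log-on check. Returns only True/False: the caller learns
    neither whether the user exists nor which part was wrong, and an
    unknown user still pays for a digest so timing does not reveal it."""
    record = store.get(user)
    salt = record.salt if record is not None else DUMMY_SALT
    candidate = one_way_digest(password, salt)
    if record is None:
        return False
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(candidate, record.digest)


def record_reveals_password(record: PasswordRecord, password: str) -> bool:
    """Audit helper: True if the stored record contains the plaintext
    password, which a one-way scheme must never do."""
    return password.encode("utf-8") in (record.salt + record.digest)


if __name__ == "__main__":
    password_file: Dict[str, PasswordRecord] = {}
    print(create_user(password_file, "alice", "Corr3ct-Horse!Battery"))    # True
    print(create_user(password_file, "bob", "password"))                   # False: policy
    print(authenticate(password_file, "alice", "Corr3ct-Horse!Battery"))   # True
    print(authenticate(password_file, "alice", "wrong-guess"))             # False
    print(authenticate(password_file, "nobody", "Corr3ct-Horse!Battery"))  # False
```

The store stands in for the operating system's password file: an auditor checking the "password file should not be accessible to users" item would additionally verify the file's permissions, which this example does not model.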
3.22.5 Role of an IS auditor in evaluating logical access controls: An IS auditor should
keep the following points in mind while working with logical access control mechanisms.
Reviewing the relevant documents pertaining to logical facilities and risk assessment
and evaluation techniques, and understanding the security risks facing the information
processing system.
The potential access paths into the system must be evaluated by the auditor and
documented to assess their sufficiency.
Deficiencies or redundancies must be identified and evaluated.
By applying appropriate audit techniques, he must be in a position to test the controls
over access paths to determine whether they function effectively.
He has to evaluate the access control mechanism, analyze the test results and other
audit evidence and verify whether the control objectives have been achieved.
The auditor should compare the security policies and practices of other organizations with
the policies of their organization and assess their adequacy.
3.22.6 Security Policies: Every organization should have a security policy that defines
acceptable behaviors and the reaction of the organization when such behaviors are violated.
Security policies are not unique and might differ from organization to organization.
Electronic trading, viruses affecting organizations' security documents and the misuse of credit
cards have increased, and this has augmented the need for security management. Also,
legislation relating to information technology is becoming more prolific, with many countries
enacting laws on issues such as copyright and software piracy, intellectual property and
personal data. These commercial, competitive and legislative pressures require the
implementation of proper security policies.
Control Activity: User accounts are appropriately controlled.
Control Techniques:
- Resource owners have a list of identified authorized users and the access they are authorized to have.
- Passwords, tokens, biometrics, smart cards etc. are used to identify and authenticate users.
- Security administration parameters are set for access to data files, software code libraries, security files and important operating system files.
- Naming conventions are established for controlling access to data and programs.
- Redundant accounts, like default and guest accounts, are removed, disabled or secured.
- Segregation of duties, to ensure that users do not have access to incompatible functions.
- Access to shared files and emergency or temporary access to files and hosts are controlled, documented, approved by managers and logged.
Audit Procedures:
- Review policies and procedures which spell out access authorization documentation and user rights and privileges in the information system.
- Determine directory names for sensitive directories and files, their access levels and types of access.
- Review access to shared files and emergency or temporary access to files and hosts.
- Review naming conventions and whether they are used effectively.
- Verify logs of redundant accounts.
- Interview security managers.
- Periodically review the access documentation, comparing it against account expiry, termination, temporary access and timely authorization policies.

Control Activity: Processes and services are adequately controlled.
Control Techniques:
- Available processes and services: install only the required processes and services, based on least functionality; restrict the number of individuals with access to services, based on least privilege.
- The function of processes and services is monitored, documented and approved by management.
Audit Procedures:
- Check procedures for optimized usage of processes and services.
- Interview the system administrator on the services installed and their requirement; who possesses access rights and the need for them; and the monitoring and updating of services and processes.
- Scan for inadequately configured, redundant and hazardous processes and services.

Control Activity: Access to sensitive system resources is restricted and monitored.
Control Techniques:
- Access to and use of sensitive/privileged accounts have a justified need aligned with a valid business purpose.
- Logical access to the following is adequately controlled: remote maintenance; system libraries; password/authentication services and directories, which are controlled and encrypted; access restriction based on time/location; segregation between user interface services and system management functionality.
Audit Procedures:
- Review policies and procedures used for sensitive/privileged accounts.
- Interview management personnel on access restrictions by testing the need and reasons for an access.
- Review the system activity logs maintained for personnel accessing system software and the controls used to gain access, and for attempts to access operating system software, system libraries etc.
- Interview officials, review related system documentation and coordinate the vulnerability analysis.

Control Activity: Appropriate and adequate media controls are implemented.
Control Techniques:
- Only authorized users have access to printed and digital media, and to its removal or movement from the information system.
- System media is securely stored with respect to its sensitivity.
- Sensitive data are protected by approved equipment, techniques and procedures for disposal or exchange of information.
Audit Procedures:
- Ensure entity practices and review selected access logs.
- Review selected media transport practices and receipts.
- Check if media storage practices are adequate and comply with the security parameters associated with information exchange.

Control Activity: Effective use of cryptographic controls.
Control Techniques:
- The integrity and confidentiality of critical data and programs are protected using cryptographic tools.
- Based on the risk to data communication, encryption procedures are implemented.
- Authentication methods are implemented within the information system, along with online or manual procedures for cryptographic key exchange and key management.
Audit Procedures:
- Evaluate the strength of cryptographic tools, by self or with expert help.
- Capture passwords or data transmitted over the network to evaluate their effectiveness.
- Interview appropriate officials to compare the policies and procedures followed, along with supporting documents.
- Evaluate the practices followed for cryptographic key exchange and management.
Table 3.11 : Logical Access Control Techniques and their Suggested Audit Procedures
3.23 Physical Access Controls
This section enumerates the losses that are incurred as a result of perpetrations, accidental or
intentional violations of access paths. The following issues are discussed:
Physical Access Issues and Exposures
Physical Access Controls
Audit and evaluation techniques for physical access
Also various access control mechanisms are discussed in this section.
3.23.1 Physical Access Issues and Exposures: The following points elucidate the results
due to accidental or intentional violation of the access paths:
Abuse of data processing resources.
Blackmail
Embezzlement
Damage, vandalism or theft to equipment or documents.
Modification of sensitive equipment and information.
Public disclosure of sensitive information.
Unauthenticated entry
(a) Possible perpetrators : Perpetrations may be because of employees who are:
Accidental ignorant-someone who outrageously violates rules
Addicted to a substance or gambling
Discontented
Experiencing financial or emotional problems
Former employee
Interested or informed outsiders, such as competitors, thieves, organized crime and
hackers
Notified of their termination
On strike
Threatened by disciplinary action or dismissal
Exposures of confidential matters may come from the unaware, accidental or anonymous
person, although the greatest impact may be from those with malicious or frequent intent.
Other questions and areas of concern include the following:
How far are the hardware facilities controlled to reduce the risk of unauthorized access?
Are the hardware facilities protected against forced entry?
Are intelligent computer terminals locked or otherwise secured to prevent illegal removal
of physical components like boards, chips and the computer itself?
When there is a need for the removal of computer equipment from its normal secure
surroundings, are authorized equipment passes required for the removal?
The facilities that need to be protected from the auditor's perspective are:
Communication closets
Computer room
Control units and front-end processors
Dedicated telephones/telephone lines
Disposal sites
Input/Output control room
Local area networks
Micro computers and personal computers
Minicomputer establishments
Off-site backup file storage facility
On-site and remote printers
Operator consoles and terminals
Portable equipment
Power sources
Programming area
Storage rooms and supplies
Tape library, tapes, disks and all magnetic media
Telecommunications equipment
Apart from the computer facility itself, vulnerable access points within the
organization, at organizational boundaries and at external organizations must be identified
to ensure the effectiveness of the above-mentioned safeguards. Additionally, the IS auditor has to
confirm whether similar controls exist at service providers or other third parties, and whether
there are access points that could be compromised so that information within the organization
can be accessed.
(b) Access control Mechanisms : An access control mechanism associates with identified,
authorized users the resources they are allowed to access and their action privileges. The
mechanism processes the user's request for resources in three steps:
Identification
Authentication
Authorization
The following is the sequence in which access control mechanisms operate :
First and foremost, the users have to identify themselves, thereby indicating their intent
to request the usage of system resources.
Secondly, the users must authenticate themselves and the mechanism must authenticate
itself.
Third, the users request specific resources, stating their need for those resources and
the actions they wish to perform on them.
The mechanism accesses previously stored information about users, the resources they can
access, and the action privileges they have with respect to these resources; it then permits or
denies the request.
(c) Identification and Authentication : Users identify themselves to access control
mechanism by providing information such as a name or account number. To validate the user, his
entry is matched with the entry in the authentication file. The authentication process then
proceeds on the basis of information contained in the entry, the user having to indicate prior
knowledge of the information.
Users may provide four classes of authentication information as described in table below:
Remembered information : Name, account number, passwords
Objects possessed by the user : Badge, plastic card, key
Personal characteristics : Fingerprint, voice print, signature
Dialog : Through/around computer
Table 3.12 : Classes of Authentication
(d) Authorization : There are two approaches to implementing the authorization module in
an access control mechanism:
(a) a ticket oriented approach
(b) a list oriented approach
Considering the authorization function in terms of a matrix where rows represent the users,
columns represent the resources and each element represents the user's privilege on the
resource, we can see the distinction between these two approaches.
In a ticket-oriented approach to authorization, the access control mechanism assigns users a
ticket for each resource they are permitted to access. The ticket-oriented approach operates via a
row in the matrix: each row holds, for each resource, the action privileges specific
to that user.
In a list-oriented approach, the mechanism associates with each resource a list of users who
can access the resource and the action privileges that each user has with respect to the
resource.
This mechanism operates via a column in the matrix.
The table given below illustrates the authorization matrix in an access control mechanism.
User \ Resource   File A                  Editor   File B        Program
User P            Read                    Enter
User Q            Statistical read only   Enter                  Enter
User R                                    Enter    Append only
User S                                    Enter    Read          Resource code only
Table 3.13 : Authorization Matrix
The primary advantage of the ticket oriented or capability system is its run-time efficiency.
When a user process is executing, its capability list can be stored in some fast memory
device. When the process seeks access to a resource, the access control mechanism simply
looks up the capability list to determine if the resource is present in the list and whether the
user is permitted to take the desired action.
The advantage of a list-oriented system is that it allows efficient administration of capabilities.
Each user process has a pointer to the access control list for a resource. Thus the capabilities
for a resource can be controlled since they are stored in one place. It is enough to examine
the access control list just to know who has access over the resource and similarly to revoke
access to a resource, a user's entry in the access control list simply needs to be deleted.
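The ticket-oriented and list-oriented approaches can be compared directly in code. The following Python example is added here and is not from the ICAI study material; it loads the authorization matrix of Table 3.13 (the placement of privileges in particular cells is an assumed reading of the table, and a missing cell means no access) into both a set of capability lists (one row per user) and a set of access control lists (one column per resource), and then shows the trade-off described above: a run-time check is a single lookup in either form, but answering "who can access this resource" or revoking all access to it touches one list with ACLs and every user's list with capabilities.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example (not from the ICAI text). The matrix follows Table 3.13;
# which cell holds which privilege is an assumed reading of the flattened
# table, and a missing entry means the user has no access to that resource.
AUTHORIZATION_MATRIX: Dict[str, Dict[str, str]] = {
    "User P": {"File A": "Read", "Editor": "Enter"},
    "User Q": {"File A": "Statistical read only", "Editor": "Enter",
               "Program": "Enter"},
    "User R": {"Editor": "Enter", "File B": "Append only"},
    "User S": {"Editor": "Enter", "File B": "Read",
               "Program": "Resource code only"},
}

CapabilityLists = Dict[str, Dict[str, str]]     # user -> {resource: privilege}
AccessControlLists = Dict[str, Dict[str, str]]  # resource -> {user: privilege}


def build_capability_lists(matrix) -> CapabilityLists:
    """Ticket-oriented form: one list per user (a row of the matrix), each
    entry being a ticket for a resource with the user's action privilege."""
    return {user: dict(row) for user, row in matrix.items()}


def build_access_control_lists(matrix) -> AccessControlLists:
    """List-oriented form: one list per resource (a column of the matrix),
    naming the users who may access it and their privileges."""
    acls: Dict[str, Dict[str, str]] = defaultdict(dict)
    for user, row in matrix.items():
        for resource, privilege in row.items():
            acls[resource][user] = privilege
    return dict(acls)


def check_with_capabilities(caps, user, resource):
    """Run-time check: one lookup in the executing user's own ticket list."""
    return caps.get(user, {}).get(resource)


def check_with_acl(acls, user, resource):
    """Run-time check: one lookup in the resource's list."""
    return acls.get(resource, {}).get(user)


def holders_with_acl(acls, resource) -> Tuple[List[str], int]:
    """Who can access the resource? Returns the users and how many entries
    had to be examined: with an ACL, only that resource's own list."""
    entry = acls.get(resource, {})
    return sorted(entry), len(entry)


def holders_with_capabilities(caps, resource) -> Tuple[List[str], int]:
    """Same question with capability lists: tickets for one resource are
    spread across every user's list, so all of them must be scanned."""
    holders, examined = [], 0
    for user, tickets in caps.items():
        examined += len(tickets)
        if resource in tickets:
            holders.append(user)
    return sorted(holders), examined


def revoke_resource_with_acl(acls, resource) -> Tuple[int, int]:
    """Withdraw everyone's access to a resource: delete its single list.
    Returns (entries removed, lists touched)."""
    removed = acls.pop(resource, {})
    return len(removed), 1


def revoke_resource_with_capabilities(caps, resource) -> Tuple[int, int]:
    """Same revocation with capability lists: every user's list is visited
    to find and delete the ticket."""
    removed, touched = 0, 0
    for tickets in caps.values():
        touched += 1
        if tickets.pop(resource, None) is not None:
            removed += 1
    return removed, touched


if __name__ == "__main__":
    caps = build_capability_lists(AUTHORIZATION_MATRIX)
    acls = build_access_control_lists(AUTHORIZATION_MATRIX)
    print(check_with_capabilities(caps, "User S", "Program"))  # Resource code only
    print(check_with_acl(acls, "User P", "File B"))             # None (no access)
    print(holders_with_acl(acls, "File B"))                     # (['User R', 'User S'], 2)
    print(holders_with_capabilities(caps, "File B"))            # (['User R', 'User S'], 10)
    print(revoke_resource_with_acl(acls, "File B"))             # (2, 1)
    print(revoke_resource_with_capabilities(caps, "File B"))    # (2, 4)
```

The "examined" and "touched" counts are what the text means by administrative efficiency: with ten tickets spread over four users, finding or withdrawing every holder of File B costs a scan of all of them under the ticket-oriented scheme, but a single list under the list-oriented scheme.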
3.23.2 Physical Access Controls: Physical access controls are designed to protect the
organization from unauthorized access or in other words, to prevent illegal entry. These
controls should be designed in such a way that they allow access only to authorized persons.
The authorization given by the management may be explicit, as in a door lock for which
management has authorized us to have a key; or implicit, like a job description which confirms
the need to access confidential reports and documents.
Some of the more common access control techniques are discussed categorically as follows :
(a) Locks on Doors
Cipher locks (Combination Door Locks)- The cipher lock consists of a pushbutton panel that is
mounted near the door outside of a secured area. There are ten numbered buttons on the
panel. To enter, a person presses a four digit number sequence, and the door will unlock for a
predetermined period of time, usually ten to thirty seconds.
Cipher locks are used in low security situations or when a large number of entrances and exits
must be usable all the time. More sophisticated and expensive cipher locks can be computer
coded with a person's handprint. A matching handprint unlocks the door.
Bolting Door Locks : A special metal key is used to gain entry when the lock is a bolting door
lock. To avoid illegal entry the keys should not be duplicated.
Electronic Door Locks : A magnetic or embedded chip-based plastic card key or token may
be entered into a sensor reader to gain access in these systems. The sensor device upon
reading the special code that is internally stored within the card activates the door locking
mechanism. The following points list the advantages of electronic door locks over bolting and
combinational locks.
Through the special internal code, cards can be made to identify the correct individual.
Individuals' access needs can be restricted through the special internal code and sensor
devices. Restrictions can be assigned to particular doors or to particular hours of the day.
Degree of duplication is reduced.
Card entry can be easily deactivated in the event an employee is terminated or a card is
lost or stolen. If unauthorized entry is attempted silent or audible alarms can be
automatically activated.
An administrative process for issuing, accounting for and retrieving the card keys is also
part of security. The card key becomes an important item to retrieve when an employee
leaves the firm.
Biometric Door Locks : These locks are extremely secure where an individual's unique body
features, such as voice, retina, fingerprint or signature, activate these locks. This system is
used in instances when extremely sensitive facilities must be protected, such as in the military.
(b) Physical identification medium
Personal Identification Numbers (PIN) : A secret number is assigned to the individual and, in
conjunction with some means of identifying the individual, serves to verify the authenticity of
the individual. The visitor will be asked to log on by inserting a card in some device and then
enter their PIN via a PIN keypad for authentication. The entry will be matched with the PIN
available in the security database.
Plastic Cards : These cards are used for identification purposes. Controls over card seek to
ensure that customers safeguard their card so it does not fall into unauthorized hands.
Cryptographic Control : These types of controls help a great deal in preventing
unauthorized access to data. Cryptography deals with the transformation of data into codes that
are meaningless to anyone who does not possess the system for recovering the initial data. Only
a cryptanalyst can do the translation.
Identification Badges : Special identification badges can be issued to personnel as well as
visitors. For easy identification purposes the colour of the badge can be varied.
Sophisticated photo IDs can also be utilized as electronic card keys. Issuing, accounting for
and retrieving the badges are administrative processes that must be carefully controlled.
(c) Logging on utilities
Manual Logging : All visitors should be prompted to sign a visitors log indicating their name,
company represented, their purpose of visit, and person to see. Logging may happen at both
the front reception and entrance to the computer room. A valid and acceptable identification
such as a driver's license, business card or vendor identification tag may also be asked for
before gaining entry inside the company.
Electronic Logging : This feature is a combination of electronic and biometric security systems.
Users logging in can be monitored, and unsuccessful attempts highlighted.
(d) Other means of controlling Physical Access
Video Cameras : Cameras should be placed at specific locations and monitored by security
guards. Refined video cameras can be activated by motion. The video supervision recording
must be retained for possible future play back.
Security Guards : Extra security can be provided by appointing guards aided with video
cameras and locked doors. Guards supplied by an external agency should be made to sign a
bond to protect the organization from loss.
Controlled Visitor Access : A responsible employee should escort all visitors. Visitors may be
friends, maintenance personnel, computer vendors, consultants and external auditors.
Bonded Personnel : All service contract personnel, such as cleaning people and off-site
storage services, should be asked to sign a bond. This may not be a measure to improve
physical security but to a certain extent can limit the financial exposure of the organization.
Deadman Doors : These systems comprise a pair of doors that are typically found at
entries to facilities such as computer rooms and document stations. The first entry door must
close and lock before the second door will operate, with only one person permitted in the
holding area at a time. This reduces the risk of piggybacking, where an unauthorized person
follows an authorized person through a secured entry.
Nonexposure of Sensitive Facilities : There should be no explicit indication, such as windows
or directional signs, hinting at the presence of facilities such as computer rooms. Only
the general location of the information processing facility should be identifiable.
Computer Terminal Locks : These locks secure the device to the desk and ensure that it is not
turned on or disengaged by unauthorized persons.
Controlled Single Entry Point : All incoming personnel can use controlled Single Entry Point. A
controlled entry point is monitored by a receptionist. Multiple entry points increase the chances
of unauthorized entry. Unnecessary or unused entry points should be eliminated or
deadlocked.
Alarm System : Illegal entry can be avoided by linking the alarm system to inactive entry points,
motion detectors and the reverse flow of enter-only or exit-only doors.
Security personnel should be able to hear the alarm when activated.
Perimeter Fencing : Fencing at boundary of the facility may also enhance the security
mechanism.
Control of Employees Out of Hours : Employees who are out of office for a longer
duration during office hours should be monitored carefully. Their movements must be
noted and reported to the concerned officials frequently.
Secured Report/Document Distribution Cart : Secured carts, such as mail carts, must be
covered and locked and should always be attended.
(e) Accounting Audit Trail : All the activities taken at the boundary subsystems should be
properly recorded in the accounting audit trail so that the source and nature of all changes to the
database can be identified. The following sorts of data must be kept:
Action privileges requested.
Action privileges allowed/deprived of.
Authentication information supplied.
Identity of the would-be user of the system.
Number of log-on attempts.
Resources requested.
Resources provided/denied.
Start and finish time.
Terminal identifier.
This data allows management or the auditor to recreate the time series of events that occur when
a user attempts to gain access to system resources. Periodic evaluation of the audit trail
should happen to detect any control weaknesses in the system.
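The event logging and monitoring items in Table 3.10 and the accounting audit trail described above can be exercised over sample data. The following Python code is an added example, not from the ICAI study material; the records are constructed for the example, and the thresholds (three failed log-ons per terminal, and the 8.00 a.m. to 8.00 p.m. weekday window taken from the connection-time limitation in Table 3.10) are assumptions. It records each access attempt with the fields listed above, recreates the time series of events for one user, and reports the things a periodic review should notice: gaps in the sequence numbers, terminals with repeated failed log-ons, and access outside the permitted connection time.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

# Added example (not from the ICAI text): an accounting audit trail of
# boundary-subsystem events with the fields listed in the text, plus the
# checks a periodic review runs over it. All records are constructed.


@dataclass(frozen=True)
class AuditRecord:
    seq: int                  # sequence number assigned when the record is written
    user: str                 # identity of the would-be user
    terminal: str             # terminal identifier
    authenticated: bool       # authentication information supplied was accepted
    resource: str             # resource requested ("" for a failed log-on)
    privilege: str            # action privilege requested
    allowed: bool             # action privilege allowed (True) or denied (False)
    start: datetime           # start time
    finish: datetime          # finish time


def _at(day: int, hour: int, minute: int) -> datetime:
    """Timestamps in March 2024 (assumed); the 3rd is a Sunday, the 4th a Monday."""
    return datetime(2024, 3, day, hour, minute)


# Constructed trail: three failed log-ons from T2, a missing sequence number,
# one late-evening access and one Sunday access.
TRAIL: List[AuditRecord] = [
    AuditRecord(1, "alice", "T1", True, "File A", "Read", True, _at(4, 9, 0), _at(4, 9, 15)),
    AuditRecord(2, "bob", "T2", False, "", "", False, _at(4, 9, 2), _at(4, 9, 2)),
    AuditRecord(3, "bob", "T2", False, "", "", False, _at(4, 9, 3), _at(4, 9, 3)),
    AuditRecord(4, "bob", "T2", False, "", "", False, _at(4, 9, 4), _at(4, 9, 4)),
    # seq 5 was never written or has been lost: a gap the reviewer must notice
    AuditRecord(6, "carol", "T3", True, "Payroll", "Write", False, _at(4, 21, 30), _at(4, 21, 35)),
    AuditRecord(7, "alice", "T1", True, "Editor", "Enter", True, _at(4, 10, 0), _at(4, 10, 30)),
    AuditRecord(8, "dave", "T4", True, "File B", "Append", True, _at(3, 11, 0), _at(3, 11, 20)),
    AuditRecord(9, "alice", "T1", True, "Program", "Execute", False, _at(4, 11, 0), _at(4, 11, 1)),
]


def find_sequence_gaps(trail: List[AuditRecord]) -> List[int]:
    """Sequence numbers missing between the first and last record."""
    present = {r.seq for r in trail}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def failed_logons_by_terminal(trail, threshold: int = 3) -> Dict[str, int]:
    """Terminals whose count of rejected authentications reaches the threshold."""
    counts: Dict[str, int] = {}
    for r in trail:
        if not r.authenticated:
            counts[r.terminal] = counts.get(r.terminal, 0) + 1
    return {term: n for term, n in counts.items() if n >= threshold}


def outside_connection_window(trail, opens: time = time(8, 0),
                              closes: time = time(20, 0)) -> List[int]:
    """Records started on a weekend or outside the permitted daily slot."""
    flagged = []
    for r in trail:
        weekend = r.start.weekday() >= 5          # 5 = Saturday, 6 = Sunday
        off_hours = not (opens <= r.start.time() < closes)
        if weekend or off_hours:
            flagged.append(r.seq)
    return flagged


def user_timeline(trail, user: str) -> List[AuditRecord]:
    """Recreate the time series of events for one user, in start-time order."""
    return sorted((r for r in trail if r.user == user), key=lambda r: r.start)


def review(trail) -> Dict[str, object]:
    """The items a periodic evaluation of the trail should report."""
    return {
        "sequence_gaps": find_sequence_gaps(trail),
        "terminals_with_repeated_failures": failed_logons_by_terminal(trail),
        "outside_connection_window": outside_connection_window(trail),
    }


if __name__ == "__main__":
    for item, value in review(TRAIL).items():
        print(f"{item}: {value}")
    for r in user_timeline(TRAIL, "alice"):
        print(r.seq, r.start, r.resource, r.privilege, "allowed" if r.allowed else "denied")
```

The gap check only works if the logger assigns consecutive sequence numbers, and the time-window check only if the clocks of the logging systems are synchronized, which is why Table 3.10 lists clock synchronization beside event logging.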
3.23.3 Audit and Evaluation Techniques for Physical Access: A tour of the Information Systems
Processing Facility (IPF) is used to gain an overall understanding and perception of the
installation being reviewed. This tour provides the opportunity to begin reviewing the
physical access restrictions.
Information processing facility (Computer room, programmers area, tape library, printer
stations and management offices) and any off-site storage facilities should also be included in
this tour.
Much of the testing of physical safeguards can be achieved by visual observation of the
safeguards tested previously. Documents to assist with this effort include emergency
evacuation procedures, inspection tags, fire suppression system test results and key lock logs.
Testing should extend beyond the information processing facility/computer room to include
the following related facilities:
Computer storage rooms (this includes equipment, paper and supply rooms).
Location of all communication equipment identified on the network diagram.
Location of all operator consoles.
Off-site backup storage facility.
Printer rooms.
Tape library.
UPS/generator.
To do thorough testing, we have to look above the ceiling panels and below the raised floor in
the computer operations centre. Keen observation is made of smoke and water detectors, and
special emphasis is given to general cleanliness and to walls that extend all the way to the real
ceiling.
The following paths of physical entry should be evaluated for proper security.
All entrance points.
Glass windows and walls
Movable walls and modular cubicles.
Above suspended ceilings and beneath raised floors.
Ventilation systems.
These security points must be properly governed to avoid illegal entry.
3.23.4 Role of IS Auditor in Physical Access Controls: Auditing physical access requires
the auditor to review the physical access risk and controls to form an opinion on the
effectiveness of the physical access controls. This involves the following:
(i) Risk assessment : The auditor must satisfy himself that the risk assessment procedure
adequately covers periodic and timely assessment of all assets, physical access threats,
vulnerabilities of safeguards and exposures therefrom.
(ii) Controls assessment : The auditor based on the risk profile evaluates whether the physical
access controls are in place and adequate to protect the IS assets against the risks.
(iii) Planning for review of physical access controls. It requires examination of relevant
documentation such as the security policy and procedures, premises plans, building
plans, inventory list and cabling diagrams.
(iv) Testing of controls : The auditor should review physical access controls to satisfy himself
of their effectiveness. This involves :
Tour of organizational facilities including outsourced and offsite facilities.
Physical inventory of computing equipment and supporting infrastructure.
Interviewing personnel can also provide information on the awareness and
knowledge of procedures.
Observation of safeguards and physical access procedures. This would also include
inspection of :
(i) Core computing facilities
(ii) Computer storage rooms
(iii) Communication closets
(iv) Backup and off site facilities
(v) Printer rooms
(vi) Disposal yards and bins
(vii) Inventory of supplies and consumables.
Some special considerations involve the following:
(i) All points of entry/exit
(ii) Glass windows and walls
(iii) Moveable and modular cubicles
(iv) Ventilation/air-conditioning ducts
(v) False ceiling and flooring panels
Review of physical access procedures including user registration and authorization,
authorization for special access, logging, review, supervision etc. Employee
termination procedures should provide withdrawal of rights such as retrieval of
physical devices like smart cards, access tokens, deactivation of access rights and
its appropriate communication to relevant constituents in the organization.
Examination of physical access logs and reports. This includes examination of
incident reporting logs, problem resolution reports.
Control Activities / Control Techniques / Audit Procedures
1. Control activity: Physical safeguards commensurate with the risks of physical damage or
access.
Control techniques:
- Identify facilities housing sensitive and critical resources.
- Identify all threats to the physical well-being of sensitive and critical resources, and
ensure that they are adequately secured using keys, alarm systems, security devices
and other access control devices, including:
  - the badging system.
  - display and output devices.
  - data transmission lines.
  - power equipment and power cabling.
  - mobile or portable systems.
- All deposits and withdrawals of tapes and other storage media from the library are
authorized and logged.
- Emergency exit and re-entry procedures ensure that only authorized personnel are
allowed to re-enter after fire drills, etc.
Audit procedures:
- Review the physical layout diagram of computer, telecommunications and cooling
system facilities.
- Walk through facilities.
- Review risk analysis.
- Review procedures for the removal and return of storage media from and to the library.
- Review written emergency procedures.
- Observe a fire drill.
- Review the knowledge and awareness of emergency procedures by employees with
respect to facilities, using interviews, questionnaires etc.
2. Control activity: Establish adequate security at entrances and exits based on risk.
Control techniques:
- All employee access is authorized and credentials (badges, ID cards, smart cards)
are issued to allow access.
- Management conducts regular reviews of individuals with physical access to
sensitive facilities.
- Visitors to the sensitive areas, such as the main computer room and tape/media
library, are formally signed in and escorted.
- Entry codes are changed periodically.
Audit procedures:
- Review procedures and logs of employee entry and exit during and after normal
business hours.
- Review procedures used by management to ensure that individuals having access to
sensitive facilities are adequately restricted and possess physical access authorization.
- Review visitor entry logs.
- Interview guards at the facility entry.
- Review documentation on logs of entry, code changes and system maintenance.
3. Control activity: Perimeter security.
Control techniques:
- Control/restrict vehicle and pedestrian traffic with measures like fences, gates,
locks, guard posts and inspections.
- Installation of a closed circuit system with 24-hour recording and warning alarms.
Audit procedures:
- Assess vehicle and pedestrian traffic around the high risk facility.
- Inspect guard procedures and practices for controlling access to facility grounds.
- Inspect the facility surveillance system to assess its capability in protecting the facility.
4. Control activity: Security control policies and procedures are documented, approved
and implemented by management.
Control techniques: Security control policies and procedures at all levels
- are documented;
- address purpose, scope, roles, responsibilities and compliance;
- ensure users can be held accountable for their actions;
- are approved by management; and
- are periodically reviewed and updated.
Audit procedures:
- Review that security policies and procedures at the enterprise level, system level and
process level are aligned with the stated business/enterprise objectives.
Table 3.14 : Physical Control Techniques and their Audit Procedures
3.24 Environmental Controls
This section deals with the environmental factors that affect an Information System and the
preventive measures taken to address them. Issues covered are :
- Environmental Issues and exposures
- Audit and Evaluation Techniques for Environmental Controls
From the perspective of environmental exposures and controls, information systems resources
may be categorized as follows, with the focus primarily on the facilities which house them:
(i) Hardware and Media : Includes Computing Equipment, Communication equipment, and
Storage Media.
(ii) Information Systems Supporting Infrastructure or Facilities : This typically includes the
following:
- Physical Premises, like Computer Rooms, Cabins, Server Rooms/Farms, Data Centre
premises, Printer Rooms, Remote facilities and Storage Areas
- Communication Closets
- Cabling ducts
- Power Source
- Heating, Ventilation and Air Conditioning (HVAC)
(iii) Documentation : Physical and geographical documentation of computing facilities, with
emergency evacuation plans and incident planning procedures.
(iv) Supplies : The third party maintenance procedures for, say, air-conditioning, fire safety and
civil contractors, whose entry and access with respect to their assigned scope of work are to
be monitored and logged.
(v) People : The employees, contract employees, visitors, supervisors and third party
maintenance personnel are to be made responsible and accountable for environmental
controls in their respective information processing facility (IPF). Training of employees and
other stakeholders on control procedures is a critical component.
3.24.1 Environmental Issues and Exposures: Environmental exposures are primarily due to
elements of nature. However, with proper controls, exposure to these elements can be
reduced.
Common occurrences are:
- Fire
- Natural disasters - earthquake, volcano, hurricane, tornado.
- Power spike
- Air conditioning failure
- Electrical shock
- Equipment failure
- Water damage/flooding - even with facilities located on upper floors of high buildings,
water damage is a risk, usually from broken water pipes.
- Bomb threat/attack
Other environmental issues and considerations include the following:
- Is the power supply to the computer equipment properly controlled so as to ensure that it
remains within the manufacturer's specification?
- Are the air conditioning, humidity and ventilation control systems protected against the
effects of static electricity using a static rug or anti-static spray?
- Is consumption of food, beverages and tobacco products prohibited, by policy, around
computer equipment?
- Are backup media protected from damage due to variation in temperature, and are they
guarded against strong magnetic fields and water damage?
- Is the computer equipment kept free of dust, smoke and other particulate matter?
In the above section, environmental exposures are discussed and the classification of
resources on which the controls are based is illustrated. The preventive measures that should
be taken are discussed next.
3.24.2 Controls for Environmental Exposures: Water Detectors : In the computer room,
even if the room is on a high floor, water detectors should be placed under the raised floor and
near drain holes. Water detectors should also be present near any unattended equipment storage
facilities. When activated, the detectors should produce an audible alarm that can be heard by
security and control personnel. For easy identification and reach, the location of the water
detectors should be marked on the raised computer room floor. Remedial action must be
initiated on hearing the alarm by notifying the specific individuals and allotting the
responsibility for investigating the cause. Other staff should be made aware of the risk of
possible electrocution.
Hand-Held Fire Extinguishers : Fire extinguishers should be in strategic locations throughout
the area. They should be tagged for inspection and inspected at least annually.
Manual Fire Alarms : Hand-pull fire alarms should be purposefully placed throughout the
facility. The resulting audible alarm should be linked to a monitored guard station.
Smoke Detectors : Smoke detectors are positioned above and below the ceiling tiles.
Upon activation, these detectors should produce an audible alarm and must be linked to a
monitored station (for example, a fire station). Smoke detectors should supplement, and not
replace, fire suppression systems.
Fire Suppression Systems : These systems are activated when extensive heat is generated due
to fire. Like smoke alarms, they are designed to produce audible alarms when activated and
should be regularly monitored. In addition to precautionary measures, the system should be
segmented so that a fire in one part of a large facility does not activate the entire system.
The fire suppression techniques vary depending upon the situation, but it is usually one of the
following :
- Dry-pipe sprinkling systems are typically referred to as sprinkler systems. These pipes
remain dry and, upon activation by the electronic fire alarm, water is sent through the pipe.
Dry pipe systems have the advantage that any failure in the pipe will not result in water
leaking into sensitive equipment.
- Water based systems also function similar to the sprinkler systems. These systems are
effective but are also unpopular because they damage equipment and property. Charged
systems are more reliable, but the disadvantage is that in the case of leakage or
breakage of pipes, facilities are exposed to extensive water damage.
- An alternative method is the use of Halon. Halon systems contain pressurized halon
gases that remove oxygen from the air. Halon is preferred to others because of its
inertness, and it does not damage equipment like water does. There should be an audible
alarm and a brief delay before discharge to permit personnel time to evacuate the area or
to override and disconnect the system. The drawback is that, since halon adversely affects
the ozone layer, its usage is restricted to some extent and alternative suppression
methods are being explored.
Strategically Locating the Computer Room: To reduce the risk of flooding, the computer
room should not be located in the basement of a multi-storey building. Studies reveal that
computer rooms located on the top floors are less prone to the risks of fire, smoke and water.
Regular Inspection by Fire Department : An annual inspection by the fire department should
be carried out to ensure that all fire detection systems comply with building codes.
Also, the fire department should be notified of the location of the computer room, so that it can
be equipped with the tools appropriate for electrical fires.
Fireproof Walls, Floors and Ceilings surrounding the Computer Room: The information processing
facility should be surrounded by walls that control or block fire from spreading. The
surrounding walls should have at least a two-hour fire resistance rating.
Electrical Surge Protectors : The risk of damage due to power spikes can be reduced to a
great extent using electrical surge protectors. The incoming current is measured by the
voltage regulator and, depending upon the intensity of the electric current, the regulator can
increase or decrease the charge of electricity, ensuring that a consistent current passes through.
Such protectors are typically built into the Uninterruptible Power Supply (UPS) system.
Uninterruptible Power Supply (UPS) / Generator : A UPS system consists of a battery or
gasoline powered generator that interfaces between the electrical power entering the facility
and the electrical power entering the computer. The system typically cleanses the power to
ensure that the wattage into the computer is consistent. In case of a power failure, the UPS
provides back-up by supplying electrical power from the generator to the computer for a certain
span of time. Depending on the sophistication of the UPS, electrical power supply could
continue to flow for days or for just a few minutes to permit an orderly computer shutdown. A
UPS system can be inbuilt or can be an external piece of equipment.
Power Leads from Two Substations : Electrical power lines are exposed to many
environmental dangers such as water, fire, lightning, cutting due to careless digging etc. To
avoid these types of events, redundant power links should feed into the facility, so that the
interruption of one power supply does not adversely affect the electrical supply.
Emergency Power-Off Switch : When there arises a necessity of immediate power shutdown,
during situations like a computer room fire or an emergency evacuation, two emergency power-
off switches, one in the computer room and the other near but outside the computer room, would
serve the purpose. They should be easily accessible and yet secured from unauthorized people.
Wiring Placed in Electrical Panels and Conduit : Electrical fires are always a risk. To reduce the
risk of such a fire occurring and spreading, wiring should be placed in fire resistant panels and
conduit. This conduit generally lies under the fire-resistant raised computer room floor.
Prohibitions Against Eating, Drinking and Smoking within the Information Processing Facility :
These activities should be prohibited in the information processing facility. This prohibition
should be clear, e.g. a sign on the entry door.
Fire Resistant Office Materials : The materials used in the information processing facility, such
as wastebaskets, curtains, desks, cabinets and other general office materials, should be
fireproof.
Documented and Tested Emergency Evacuation Plans : Relocation plans should emphasize
human safety, but should not leave information processing facilities physically unsecured.
Procedures should exist for a controlled shutdown of the computer in an emergency situation.
3.24.3 Audit and Evaluation techniques for Environmental Controls
Water and Smoke Detectors : The presence of water and smoke detectors is verified on
visiting the computer room. Checks relating to the adequacy of the power supply to these
detectors are also done. A visual verification is done to test whether the locations are clearly marked.
Hand-Held Fire Extinguishers : The presence of fire extinguishers in strategic locations
throughout the facility is checked.
Fire Suppression Systems : Testing of the suppression system is expensive; hence the auditor
reviews documentation showing that it has been inspected and tested within the last year.
Regular Inspection by Fire Department : The person responsible for fire equipment
maintenance is contacted, and the employees are also asked whether a fire department
inspector has been invited to tour and inspect the facilities present in the organization.
Fireproof Walls, Floors and Ceilings Surrounding the Computer Room: With the assistance of
building management, checks relating to the location and the documentation that
identifies the fire rating of the walls surrounding the information processing facility are done.
These walls should have at least a two-hour fire resistance rating.
Electrical Surge Protectors : The presence of electrical surge protectors for
sensitive and expensive computer equipment is observed.
Power Leads from Two Substations : Checking of the location and documentation concerning the
use and replacement of redundant power lines into the information processing facility is performed.
Fully Documented and Tested Business Continuity Plan : This will be discussed
elaborately in chapter 6.
Wiring Placed in Electrical Panels and Conduit : It is checked whether the wiring in the
information processing facility is placed in fire-resistant panels and conduit.
Documented and Tested Emergency Evacuation Plans : A direct interview of the employees is
conducted to test whether the emergency plans are posted throughout the facilities and whether
evacuation is organized in a manner that does not leave the facilities physically unsecured.
Humidity/Temperature Control : The information processing facility is visited at regular
intervals to physically determine whether temperature and humidity are adequate.
3.24.4 Role of Auditor in Environmental Controls: The attack on the World Trade Centre in
2001 created a worldwide alert, bringing focus on business continuity planning and
environmental controls. It is understood that the audit of environmental controls should form a
critical part of every IS audit plan. The IS auditor should satisfy himself not only about the
effectiveness of the various technical controls but also that the overall controls assure the
safeguarding of the business against environmental risks. Some of the critical audit
considerations that an IS auditor should take into account while conducting his audit are given below:
3.24.5 Audit planning and assessment: As part of risk assessment:
- The risk profile should include the different kinds of environmental risks that the organization
is exposed to. These should comprise both natural and man-made threats. The profile
should be periodically reviewed to ensure that it is updated with newer risks that may arise.
- The controls assessment must ascertain that controls safeguarding the organization against
all assessed risks, including probable ones, are in place.
- The security policy of the organization should be reviewed to assess the policies and
procedures that safeguard the organization against environmental risks.
- Building plans and wiring plans need to be reviewed to determine the appropriateness of
the location of the IPF, its surroundings, power and cable wiring etc.
- The IS auditor should interview relevant personnel to satisfy himself about employees'
awareness of environmental threats and controls, the role of the interviewee in environmental
control procedures such as prohibited activities in the IPF, incident handling and evacuation
procedures, and to determine whether adequate incident reporting procedures exist.
- Administrative procedures such as preventive maintenance plans and their
implementation, incident reporting and handling procedures, and inspection and testing plans
and procedures need to be reviewed.
3.24.6 Audit of technical controls : Audit of environmental controls requires the IS auditor
to conduct physical inspections and observe practices. He must verify:
- The IPF and its construction with regard to the type of materials used for construction.
- The presence of water and smoke detectors, power supply arrangements to such
devices, and testing logs.
- The location of fire extinguishers and fire fighting equipment, and the refilling date of fire
extinguishers.
- Emergency procedures, evacuation plans and marking of fire exits. If necessary, the IS
auditor may also use a mock drill to test the preparedness with respect to disaster.
- Documents for compliance with legal and regulatory requirements with regard to fire
safety equipment, external inspection certificates and shortcomings pointed out by other
inspectors/auditors.
- Power sources, and conduct tests to assure the quality of power and the effectiveness of the
power conditioning equipment and generators. Power supply interruptions must also
be checked to test the effectiveness of the back-up power.
- Environmental control equipment such as air-conditioning, dehumidifiers, heaters,
ionizers etc.
- Complaint logs and maintenance logs, to assess whether MTBF (mean time between failures)
and MTTR (mean time to repair) are within acceptable levels.
- Activities in the IPF, identifying undesired activities such as smoking, consumption of
eatables etc.
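The MTBF/MTTR check in the list above is easier to apply with the arithmetic spelled out. As an added Python example (not from the study material), the script below computes both figures per equipment item from a constructed complaint/maintenance log and compares them with acceptable levels agreed with management; the log format, equipment names, observation period and thresholds are all assumptions.

```python
"""Compute MTBF and MTTR per equipment item from a maintenance log and test them
against acceptable levels. Added example; the log, equipment names, observation
period and thresholds are all constructed assumptions."""
from datetime import datetime

# Constructed complaint/maintenance log: equipment, failure reported, service restored.
MAINTENANCE_LOG = """\
AC-UNIT-1,2023-01-10 09:00,2023-01-10 13:00
AC-UNIT-1,2023-02-20 14:00,2023-02-20 16:00
AC-UNIT-1,2023-03-15 08:00,2023-03-15 20:00
UPS-A,2023-02-01 22:00,2023-02-02 04:00
"""

# Observation period covered by the log (first quarter: 90 days = 2160 hours).
PERIOD_START = datetime(2023, 1, 1)
PERIOD_END = datetime(2023, 4, 1)

# Acceptable levels (assumed): MTBF must be at least, MTTR at most, these hours.
ACCEPTABLE = {
    "AC-UNIT-1": {"min_mtbf_h": 500, "max_mttr_h": 8},
    "UPS-A": {"min_mtbf_h": 1000, "max_mttr_h": 4},
}


def parse_log(text):
    """Yield (equipment, failed_at, restored_at) tuples from the CSV-style log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        equipment, failed, restored = line.split(",")
        yield (equipment,
               datetime.strptime(failed, "%Y-%m-%d %H:%M"),
               datetime.strptime(restored, "%Y-%m-%d %H:%M"))


def compute_stats(text, start, end):
    """MTBF = operating time / failures; MTTR = total repair time / failures.
    Operating time is the observation period minus the item's total downtime."""
    period_h = (end - start).total_seconds() / 3600
    downtime_h, failures = {}, {}
    for equipment, failed_at, restored_at in parse_log(text):
        if restored_at < failed_at:
            raise ValueError(f"restored before failed: {equipment} {failed_at}")
        repair_h = (restored_at - failed_at).total_seconds() / 3600
        downtime_h[equipment] = downtime_h.get(equipment, 0.0) + repair_h
        failures[equipment] = failures.get(equipment, 0) + 1
    return {
        equipment: {
            "failures": n,
            "mtbf_h": (period_h - downtime_h[equipment]) / n,
            "mttr_h": downtime_h[equipment] / n,
        }
        for equipment, n in failures.items()
    }


def assess(stats, acceptable):
    """Return, per equipment item, the list of acceptable levels it breaches."""
    findings = {}
    for equipment, s in stats.items():
        issues = []
        limits = acceptable.get(equipment)
        if limits is None:
            issues.append("no acceptable level defined")
        else:
            if s["mtbf_h"] < limits["min_mtbf_h"]:
                issues.append(
                    f"MTBF {s['mtbf_h']:.1f} h below acceptable {limits['min_mtbf_h']} h")
            if s["mttr_h"] > limits["max_mttr_h"]:
                issues.append(
                    f"MTTR {s['mttr_h']:.1f} h exceeds acceptable {limits['max_mttr_h']} h")
        findings[equipment] = issues
    return findings


if __name__ == "__main__":
    stats = compute_stats(MAINTENANCE_LOG, PERIOD_START, PERIOD_END)
    for item, issues in assess(stats, ACCEPTABLE).items():
        print(item, "OK" if not issues else "; ".join(issues))
```

With the constructed log the air-conditioning unit passes (three failures, 18 hours down in 2160), while the UPS fails the MTTR limit: one outage, but six hours to restore against an agreed four. An item with no agreed level is itself reported, since the auditor cannot conclude on it.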
3.24.7 Documentation: As part of the audit procedures, the IS auditor should also document
all findings. The working papers could include audit assessments, audit plans, audit
procedures, questionnaires, interview sheets, inspection charts etc.
Control Activities / Control Techniques / Audit Procedures
1. Control activity: Safeguards against the risks of heating, ventilation and
air-conditioning systems.
Control techniques:
- Identify systems that provide constant temperature and humidity levels within the
organization.
Audit procedures:
- Review the heating, ventilation and air-conditioning design to verify proper
functioning within the organization.
2. Control activity: Control of the effect of radio emissions on computer systems.
Control techniques:
- Evaluate electronic shielding to control radio emissions that affect the computer systems.
Audit procedures:
- Review any shielding strategies against interference or unauthorized access
through emissions.
3. Control activity: Establish adequate interior security based on risk.
Control techniques:
- Critical systems have emergency power supplies for alarm systems, monitoring
devices, exit lighting and communication systems.
Audit procedures:
- Verify that critical systems (alarm systems, monitoring devices, entry control
systems) have emergency power supplies.
- Identify back-up systems and procedures and determine the frequency of testing.
Review testing results.
4. Control activity: Adequately protect against emerging threats, based on risk.
Control techniques:
- Appropriate plans and controls, such as shelter in place, exist for a potential CBR
attack (chemical, biological and radioactive attack).
- Restrict public access and protect critical entry points - air intake vents, protective
grills and roofs.
Audit procedures:
- Interview officials, review planning documents and related test results.
- Observe and document the controls in place to mitigate emerging threats.
- Observe the location of these devices and identify the security measures implemented.
- Verify the existence of the controls and intrusion detection sensors.
5. Control activity: Adequate environmental controls have been implemented.
Control techniques:
- Fire detection and suppression devices are installed and working (smoke
detectors, fire extinguishers and sprinkler systems).
- Controls are implemented to mitigate disasters such as floods and earthquakes.
- Redundancy exists in critical systems like uninterrupted power supply, air cooling
system and backup generators.
- Humidity, temperature and voltage control are maintained at acceptable levels.
- Emergency lighting, power outage arrangements and evacuation routes are
appropriately located.
Audit procedures:
- Interview managers and verify that operations staff are aware of the
locations of fire alarms, extinguishers, shut-off power switches, air-ventilation apparatus
and other emergency devices.
- Determine that humidity, temperature and voltage are controlled within the
accepted levels.
- Check that cabling, plumbing, room ceiling smoke detectors and water detectors
on the floor are installed and in proper working order.
6. Control activity: Staff have been trained to react to emergencies.
Control techniques:
- Operational and support personnel are trained and understand emergency
procedures.
- Emergency procedures are documented and periodically tested - incident plan,
inspection plan and maintenance plan.
Audit procedures:
- Interview security personnel to ensure their awareness of their responsibilities.
- Review training records and documentation. Determine the scope and adequacy
of training.
- Review test policies, documentation and know-how of operational staff.
- Review incident handling procedures and the maintenance and inspection plan.
Table 3.15. Environmental Controls and their Audit Procedures
Appendix-1
Master Checklist on Logical Access Controls
The following is an illustrative questionnaire that could be used to review Logical Access
Controls within application systems and databases.
No Checkpoints
User Access Management Policy and Procedure
1. Whether the user access management policy and procedure are documented?
2. Whether the user access management policy and procedure are approved by the
management?
3. Whether the user access management policy and procedure document includes:
- Scope and objective.
- Procedure for user ID creation, approval, review, suspension, and deletion.
- Granting access to third parties.
- Password management.
- User access rights assignment & modifications.
- Emergency access Granting.
- Monitoring access violations.
- Review and update of document.
User Access Management
1. Whether User ID & access rights are granted with an approval from appropriate level
of IS and functional head?
(Verify the user ID creation, granting of access right and approval process)
2. Whether the organization follows the principle of segregation of duties adequately in
granting access rights?
(Verify Access rights should be given on need to know and need to do basis without
unchecked concentration of power.)
3. Whether user IDs are in a unique format?
(Verify the naming conventions for the user IDs)
4. Whether invalid login attempts are monitored and user IDs are suspended after a specified
number of attempts?
(Verify the parameters set for unsuccessful login attempts)
5. Whether the organisation follows a complex composition for password parameters?
(A complex composition of password parameters should be used so as to make passwords
difficult to guess and to prevent unauthorised users from gaining access, e.g. special
characters and numbers should be part of the password; restrict use of the organisation's
name, 123, xyz or other generic terms as passwords)
6. Whether granting access to the third parties is according to the User Access
Management policy and procedure?
(The organization should specify and implement a process for granting access to third
parties like contractors, suppliers, auditors, consultants etc.)
7. Whether users are forced to change password on first log-on and at periodic
intervals?
(Verify password parameters for first log on and password aging)
8. Whether the organisation has implemented clear screen and clear desk policies?
(Terminals should be automatically logged off if they remain idle for a specific time.)
9. Whether the organisation has restricted concurrent log-on?
(One user ID should not be allowed to be logged in at two different terminals at the
same time)
10. Whether user IDs are shared?
(Verify whether user IDs are shared among the employees/users or not)
11. Whether multiple user IDs are allocated to a single individual?
12. Are user access policy and procedure documents communicated / available to the
respective users?
13. Whether User IDs and Password are communicated to the user in a secured manner?
(Verify the procedure for communicating user ID and password for the first time and
after suspension)
14. Whether the organisation reviews user IDs and access rights at periodic intervals?
15. Whether the organisation monitors logs for the user access?
16. Whether policy and procedure documents are reviewed and updated at regular intervals?
17. Whether access to scheduled jobs is restricted to authorised personnel?
18. Whether an emergency user creation is according to the policy and procedure for
User Access Management?
(Verify the emergency access granting procedure, including approvals and
monitoring)
19. Whether the periodic review process ensures that user accounts align with business needs
and are removed on termination/transfer?
(Review and evaluate procedures for creating user accounts and ensure that accounts
are created only when there is a legitimate business need and that accounts are
removed or disabled in a timely fashion in the event of termination or job change.)
20. Whether passwords are shadowed and use strong hash functions? (Ensure the
strength of passwords and the access permissions on password files. Review and evaluate
the strength of system passwords and the use of password controls such as aging.)
21. Review the process for setting initial passwords for new users and communicating
those passwords and evaluate the tracking of each account to a specific employee.
22. Whether the use of groups and access levels set for a specific group determines the
restrictiveness of their use?
(Evaluate the use of passwords, access rights at the group level)
23. Ensure that the facility to logon as super/root user is restricted to system console for
security reasons.
24. Check whether the parameters to control the maximum number of invalid logon
attempts have been specified properly in the system according to the security policy.
25. Check whether password history maintenance has been enabled in the system to
disallow same passwords from being used again and again on rotation basis.
26. Verify the parameters in the system to control automatic log-on from a remote system,
concurrent connections a user can have, users logged on to the system at odd times
(midnight, holidays, etc) and ensure whether they have been properly set according to
security policy.
Maintenance of sensitive user accounts
1. Ascertain who is the custodian of sensitive passwords such as the super/root user
password and verify that that person is maintaining secrecy of the password, and whether the
password has been preserved in a sealed envelope with movement records for usage
in case of emergency.
2. From the log file, identify the instances of use of sensitive passwords such as super
user and verify if records have been maintained with reason for the same. Ensure that
such instances have been approved/ authorized by the management.
3. From the log file, identify the instances of unsuccessful logon attempts to the super user
account and check the terminal ID / IP address from which they originate. Check that
appropriate reporting and escalation procedures are in place for such violations.
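As an added Python example (not from the study material) of checkpoints 2 and 3 above, the script below runs over a few constructed authentication log lines written in the style of Linux sshd, sudo and su messages, matches each instance of super user use against an assumed change-approval register, counts failed root logon attempts per source address, and flags remote root logins (checkpoint 23 confines super user logon to the console) and privileged use outside business hours. The host name, user names, addresses, ticket number and thresholds are constructed.

```python
"""Review of authentication logs for super user activity. Added example, not part
of the checklist. The log lines, users, addresses and approval register are
constructed; the line formats follow the style of Linux sshd, sudo and su messages."""
import re
from collections import Counter

AUTH_LOG = """\
Mar 07 02:14:05 app01 sshd[1201]: Failed password for root from 10.0.0.45 port 51514 ssh2
Mar 07 02:14:09 app01 sshd[1201]: Failed password for root from 10.0.0.45 port 51514 ssh2
Mar 07 02:14:14 app01 sshd[1201]: Failed password for root from 10.0.0.45 port 51514 ssh2
Mar 07 09:30:01 app01 sudo: a.sharma : TTY=pts/0 ; PWD=/home/a.sharma ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 07 10:15:22 app01 su: (to root) r.iyer on pts/1
Mar 07 11:00:00 app01 sshd[1350]: Failed password for root from 10.0.0.46 port 40000 ssh2
Mar 07 22:05:13 app01 sshd[1300]: Accepted publickey for root from 192.168.1.20 port 4022 ssh2
"""

# Assumed register of approved super user use: user -> change/incident ticket.
APPROVALS = {"a.sharma": "CHG-1042"}
FAILED_THRESHOLD = 3           # failed root attempts per source worth escalating
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 counts as normal hours

TS = r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ "
FAILED_RE = re.compile(TS + r"sshd\[\d+\]: Failed password for root from (\S+)")
ACCEPTED_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for root from (\S+)")
SUDO_RE = re.compile(TS + r"sudo: +(\S+) : .*USER=root ; COMMAND=(.*)$")
SU_RE = re.compile(TS + r"su: \(to root\) (\S+) on (\S+)")


def hour_of(ts):
    """Hour field of a 'Mon DD HH:MM:SS' timestamp."""
    return int(ts[7:9])


def review_auth_log(text, approvals=APPROVALS):
    """Return the exceptions an auditor would take up with management."""
    failed = Counter()
    report = {"privileged_use": [], "unapproved": [],
              "remote_root_logins": [], "off_hours": []}

    def record(ts, who, how, detail):
        report["privileged_use"].append(
            {"ts": ts, "who": who, "how": how, "detail": detail})
        if hour_of(ts) not in BUSINESS_HOURS:
            report["off_hours"].append((ts, who, detail))

    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            # Super user logon over the network rather than at the console.
            report["remote_root_logins"].append((m.group(1), m.group(2)))
            record(m.group(1), "root", "ssh", m.group(2))
            continue
        m = SUDO_RE.match(line)
        if m:
            record(m.group(1), m.group(2), "sudo", m.group(3))
            if m.group(2) not in approvals:
                report["unapproved"].append(m.group(2))
            continue
        m = SU_RE.match(line)
        if m:
            record(m.group(1), m.group(2), "su", m.group(3))
            if m.group(2) not in approvals:
                report["unapproved"].append(m.group(2))

    report["failed_root_by_source"] = dict(failed)
    report["suspicious_sources"] = sorted(
        ip for ip, n in failed.items() if n >= FAILED_THRESHOLD)
    return report


if __name__ == "__main__":
    for key, value in review_auth_log(AUTH_LOG).items():
        print(key, value)
```

On the constructed lines, the sudo by a.sharma is covered by a ticket, the su to root by r.iyer is not, the source 10.0.0.45 reaches the escalation threshold, and the single accepted root login is both remote and at 22:05; each of these would be compared with the movement records kept for the sealed super user password.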
Appendix-2
Master Checklist for Physical and Environmental Security
To ensure IS assets are maintained in a secured manner within a controlled environment.
Sr. No. Check points
Secured Physical Access
1. Whether Physical Access Control Policy is documented and approved?
2. Whether the policy on the following is appropriate and covers:
- Lay out of facilities
- Physical Security of the assets
- Access to the assets
- Maintenance of the assets
- Signage on the facilities
- Labels for assets
- Visitors authorization and recording
- Entrance and exit procedures
- Legal & regulatory requirements
3. Whether critical IS facilities (like data center) are located appropriately?
(Verify the location for the following as:-
- Protection against natural disasters like earthquakes, flooding, extreme
weather etc.
- Not in congested places
- Not being on ground or top floor
- Not being below ground level to avoid water leakage etc.
- Not having a showcase window
- Not having a direct access from the outside or through a public hallway
- Place which is not obvious externally)
4. Whether the access to IS facilities is controlled through a secured mechanism?
(Verify the access control mechanism - e.g. access card, lock and key or manned
reception)
5. Whether the access to the IS facilities is limited to approved persons only?
(Approved persons may include employees, vendors and customers)
6. Whether the physical access control procedures are adequate and appropriate for
approved persons?
(Access should be provided on need to do and need to know basis)
7. Whether visitors to critical IS facilities are escorted by employees?
(Records of visitors' access should be maintained)
8. Whether a periodical review of access rights is carried out?
9. Whether the physical security is continually addressed?
10. Whether all access routes are identified and controls are in place?
11. Whether the security awareness is created not only in IS function but also across the
organization?
12. Whether physical security is ensured at suppliers' facilities also, in cases where the
organization's assets (either physical or data) are processed at the supplier's facilities?
13. Whether the usage of any equipment outside the business premises for information
processing is authorized by the management?
14. Is the security provided to equipment used outside business premises similar to /
same as that offered to equipment used inside the business premises?
15. Whether adequate monitoring equipment is present to monitor the movements of
personnel inside the facility?
16. In case of outsourced software, whether all maintenance work is carried out only in
the presence of/ with the knowledge of appropriate IS staff?
17. Whether appropriate access controls like password, swipe card, bio-metric devices
etc. are in place and adequate controls exist for storing the data/ information on
them?
Are there controls to ensure that the issue and re-collection of such access devices
are authorized and recorded?
18. Whether access violations are recorded, escalated to higher authorities and
appropriate action taken?
19. Whether employees are required to keep the critical / sensitive documents in
secured places?
20. Check if facility IS related risks with respect to lighting, building orientation, signage
and neighborhood characteristics are identified?
21. Do the network, operating system and application monitoring procedures provide
ample information to identify associated risks?
22. Verify that surveillance systems are designed and operating properly?
23. Ensure that physical access control procedures are comprehensive and being
followed by security staff.
24. Verify whether the security controls in place are appropriate to prevent intrusion into
sensitive IS facilities (data centre, communication hubs, emergency power services
facilities)?
25. Review facility monitoring measures to ensure that alarm conditions are addressed
promptly.
Environmental Controls
1. Whether the Environmental Control policy is documented and approved?
2. Whether IS facilities are situated in a place that is fire resistant?
(Verify that walls, floor, false ceiling, furniture and cabling are non-combustible /
fire resistant / fire retardant.)
3. Whether smoking restrictions in IS facilities are in place?
The Institute of Chartered Accountants of India
3.120 Information Systems Control and Audit
4. Whether adequate smoke / temperature detectors are installed, connected to the fire
alarm system and tested?
5. Whether fire instructions are clearly posted and fire alarm buttons clearly visible?
6. Whether emergency power-off procedures are laid down and an evacuation plan with
clear responsibilities is in place?
7. Whether fire prevention and control measures implemented are adequate and tested
periodically?
8. Whether fire drill and training are conducted periodically?
9. Whether air-conditioning, ventilation and humidity control procedures are in place,
tested periodically and monitored on an ongoing basis?
10. Whether an adequate alternate power arrangement is available?
If so, is it covered under maintenance?
11. Whether alternative water, fuel, air-conditioning and humidity control resources are
available?
12. Check if heating, ventilation, and air-conditioning systems maintain constant
temperatures within a data center and other IS facilities?
13. Evaluate the data center's use of electronic shielding to verify that radio emissions
do not affect computer systems and that system emissions cannot be used to gain
unauthorized access to sensitive information.
14. Verify that there are sufficient battery backup systems providing continuous power
during momentary black-outs and brown-outs, along with generators that protect
against prolonged power loss, and that these are in good working order.
15. Ensure that a fire alarm protects critical IS facilities such as the data center from the
risk of fire, that a water detection system is configured to detect water in high-risk
areas of the data center, and that a humidity alarm is configured to notify data center
personnel of either high or low humidity conditions.
16. Check logs and reports on the alarm monitoring console(s) and alarm systems which
are to be monitored continually by data center/IS facility personnel.
17. Verify that fire extinguishers are placed every 50 ft within data center aisles and are
maintained properly, and that fire suppression systems protect the data center
from fire.
18. Whether there are emergency plans that address various disaster scenarios, for
example retrieving backup data promptly from off-site storage facilities?
19. Ensure that a comprehensive disaster recovery plan exists, that key employees are
aware of their roles in the event of a disaster, and that the plan is updated and tested
regularly.
20. Ensure that detailed parts inventories and vendor agreements are accurate and current
and are maintained as critical assets.