DISA CHART CHAPTER 2
Uploaded by ccamayur

Module 2 - Governance and Management of Enterprise Information Technology, Risk Management, Compliance & BCM

CHAPTER 2: GRC FRAMEWORKS AND RISK MANAGEMENT PRACTICES
Governance, Risk and Compliance (GRC) is a regulatory requirement, and it can be implemented effectively using well established frameworks. There is a need to adopt a macro-level, architectural perspective for securing information and information systems. Senior management has to be involved in providing direction on how governance, risk and control are implemented, using a holistic approach encompassing all levels from strategy to execution. The board of directors has to evaluate, direct and monitor the effective use of I&T to achieve enterprise objectives. Best-practice frameworks can be customized to meet stakeholder requirements, and IS auditors can assist management in implementing them.
Management has to certify whether risk management and internal controls have been implemented as per the organisation's needs, and auditors have to certify whether this implementation is appropriate and adequate.
GRC Frameworks

COBIT 2019
The COBIT 2019 Core Model and its 40 governance and management objectives provide the platform for establishing a governance program; the performance management system is updated and allows the flexibility to use maturity measurements as well as capability measurements; introductions to design factors and focus areas offer additional practical guidance on flexible adoption of COBIT 2019.
COBIT 2019 can be used as a benchmark for reviewing and implementing governance and management of enterprise I&T.
COBIT 2019 enables I&T to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and I&T functional areas of responsibility and considering the I&T related interests of internal and external stakeholders.
Integrating COBIT 2019 with other frameworks: COBIT 2019 acts as the single overarching framework, which serves as a consistent and integrated source of guidance in a non-technical, technology-agnostic common language.
Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) domain.
Management objectives are grouped into four domains:
• Align, Plan and Organise (APO): addresses the overall organization strategy and supporting activities for I&T.
• Build, Acquire and Implement (BAI): treats the definition, acquisition and implementation of I&T solutions and their integration in business processes.
• Deliver, Service and Support (DSS): addresses the operational delivery and support of I&T services.
• Monitor, Evaluate and Assess (MEA): addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.

ISO 27001
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS). The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts.
ISO 27001 consists of 114 controls and 10 management system clauses that together support the implementation and maintenance of the standard.
ISO/IEC 27001:2013 control domains (Annex A):
1. A.5 Information security policies
2. A.6 Organisation of information security
3. A.7 Human resources security
4. A.8 Asset management
5. A.9 Access control
6. A.10 Cryptography
7. A.11 Physical and environmental security
8. A.12 Operational security
9. A.13 Communications security
10. A.14 System acquisition, development and maintenance
11. A.15 Supplier relationships
12. A.16 Information security incident management
13. A.17 Information security aspects of BCM
14. A.18 Compliance

ISO 31000
The standard primarily adopts AS/NZS 4360 for risk management. ISO 31000, Risk management – Guidelines, provides principles, a framework and a process for managing risk.

ISO 38500:2015
ISO/IEC 38500 is an international standard for the corporate governance of information technology. It provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfil their legal, regulatory and ethical obligations in respect of their organizations' use of IT.
The purpose of ISO/IEC 38500:2015 is to promote effective, efficient and acceptable use of IT in all organizations by assuring stakeholders that the standard is followed, guiding governing bodies, and providing a vocabulary for the governance of IT.

Enterprise Risk Management

Risk Management
Risk management processes primarily focus on three major areas, viz. market risk, credit risk and operational risk. Most organizations address the first two, market risk and credit risk, since these are part and parcel of business activities, whereas operational risk addresses the issues and concerns related to the operations of a business.
(Figure: enterprise risk management maps business risk to strategic risk and on to IT risk, market risk to competition and on to IT risk, and operational risk directly to IT risk.)

Risk Management in COBIT 2019
The governance domain contains five governance objectives; one of them, EDM03 Ensured Risk Optimisation, primarily focuses on stakeholders' risk-related objectives. The management domain Align, Plan and Organise contains the risk related process APO12 Managed Risk. EDM03 comprises three governance practices:
• Evaluate risk management: continually examine and make judgement on the effect of risk on the current and future use of I&T in the enterprise.
• Direct risk management: direct the establishment of risk management practices to provide reasonable assurance that I&T risk management practices are appropriate to ensure that the actual I&T risk does not exceed the board's risk appetite.
• Monitor risk management: monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported on for remediation.
Metrics of Risk Management
• Percentage of critical business processes, I&T services and I&T-enabled business programs covered by risk assessment;
• Number of significant I&T related incidents not identified;
• Percentage of enterprise risk assessments including I&T related risks;
• Frequency of updating the risk profile based on the status of assessment of risks.
Key Management Practices of Risk Management (APO12 Managed Risk)
• Collect data: to enable effective I&T related risk identification, analysis and reporting.
• Analyze risk: develop a substantiated view on actual I&T risk in support of risk decisions.
• Maintain a risk profile: maintain an inventory of known risks and risk attributes.
• Articulate risk: provide information on the current state of I&T related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.
• Define a risk management action portfolio: manage opportunities and reduce risk to an acceptable level.
• Respond to risk: respond in a timely manner with effective measures to limit the magnitude of loss.

CA Rajat Agrawal www.prokhata.com 19



(Figure: the COBIT 2019 Core Model. Only the labels recoverable from the diagram are listed here; objective names not legible in the extracted figure are filled in from the published COBIT 2019 list of 40 objectives.)
Inputs to COBIT 2019: COBIT 5; standards, frameworks and regulations; community contribution.
Design factors: enterprise strategy, enterprise goals, enterprise size, role of IT, sourcing model for IT, compliance requirements, etc.
Focus areas: SME, security, risk, DevOps, etc.
Output: a tailored enterprise governance system for I&T.
Governance objectives (EDM): EDM01 Ensured Governance Framework Setting and Maintenance; EDM02 Ensured Benefits Delivery; EDM03 Ensured Risk Optimization; EDM04 Ensured Resource Optimization; EDM05 Ensured Stakeholder Engagement.
Management objectives, Align, Plan and Organise (APO): APO01 Managed IT Management Framework; APO02 Managed Strategy; APO03 Managed Enterprise Architecture; APO04 Managed Innovation; APO05 Managed Portfolio; APO06 Managed Budget and Costs; APO07 Managed Human Resources; APO08 Managed Relationships; APO09 Managed Service Agreements; APO10 Managed Vendors; APO11 Managed Quality; APO12 Managed Risk; APO13 Managed Security; APO14 Managed Data.
Management objectives, Build, Acquire and Implement (BAI): BAI01 Managed Programs; BAI02 Managed Requirements Definition; BAI03 Managed Solutions Identification and Build; BAI04 Managed Availability and Capacity; BAI05 Managed Organizational Change; BAI06 Managed IT Changes; BAI07 Managed IT Change Acceptance and Transitioning; BAI08 Managed Knowledge; BAI09 Managed Assets; BAI10 Managed Configuration; BAI11 Managed Projects.
Management objectives, Deliver, Service and Support (DSS): DSS01 Managed Operations; DSS02 Managed Service Requests and Incidents; DSS03 Managed Problems; DSS04 Managed Continuity; DSS05 Managed Security Services; DSS06 Managed Business Process Controls.
Management objectives, Monitor, Evaluate and Assess (MEA): MEA01 Managed Performance and Conformance Monitoring; MEA02 Managed System of Internal Control; MEA03 Managed Compliance with External Requirements; MEA04 Managed Assurance.
Risk Factors
• External risk factors include political situations, the economy, regulations, natural disasters and competition.
• Internal risk factors include the organization's culture, the internal environment affecting employee morale, policies, the ethics and values projected by senior management, the process environment, the control environment and so on.
Categories of Risks
• Business risks: inherent risks associated with the nature of the business.
• Market risks: risks associated with fluctuations in the market.
• Financial risks: risks associated with financial decisions.
• Operational risks: associated with failure of the operations of the organization.
• Strategic risks: associated with incorrect and inappropriate strategy selection and implementation.
• IT risks: how the company's IT infrastructure relates to business operations.
• Compliance risks: when an organization does not comply with legal, regulatory, contractual or internal compliance requirements.
• Reputational risk: chance of losses due to a declining reputation.
Elements of Risk Management
• Top management support: risk management must start and be supported at the highest level within the company.
• Proactive approach: involves the active identification and scanning of changes in the risk profile and reporting on managing the risk profile.
• No ambiguity: clear definition of the risks, which must be understood across the organization.
• Accountability: responsibility for responding to and managing the risks must be clearly understood.
• Resource allocation: appropriate resources need to be made available to help managers, executives and others to discharge their obligations within the risk management framework.
• Cultural change: the organization's culture must provide for the active management of risk.
Developing Strategies for Information Risk Management
• Two models for risk management: the centralized and the decentralized model.
• The model selection depends upon the organization's particular operations, its significant risks, the culture of the organization, management style etc.
• In a centralized model the Information Risk Management team develops policies for the board to consider. The decentralized model requires the involvement of front-line staff in managing the inherent risks.
Risk Management Process
The objective of the risk management process is to ensure that the organization can manage risks within acceptable limits. These limits are decided by risk appetite and risk tolerance.
Risk Appetite: the ability of the organization to sustain losses due to materialization of risk. It also represents the ability of the organization to take risk while considering new business initiatives. It is the broader concept.
Risk Tolerance: the limit up to which the organization can tolerate loss of business in case a risk materializes. If a risk materializes, the organization must recover from it within a specific time. It is the narrower concept.
The IT risk management process follows these steps:
1. Establish the context
2. Risk identification
3. Risk evaluation
4. Risk prioritization
5. Risk response
6. Risk mitigation
7. Risk monitoring
1. Risk Identification
Some methods of risk identification:
• Workshops and brainstorming sessions with stakeholders and process owners; where process owners do not agree, the Delphi technique can be used to assess the risks.
• Use of generic risk scenarios based on industry experience and historical data.
• Review and audit of processes and technology, including vulnerability assessment and audit findings.
(I) Risk Components
It is important to understand all the specific components of every identified risk:
• Risk scenario: a possible event due to the materializing of one or more risks.
• Threat: the reason for risk materialization.
• Vulnerability: a weakness that gets exploited by a threat.
• Likelihood / probability: judgement of the possibility that the threat will exploit the vulnerability.
• Impact / consequences: when a threat materializes, it affects normal functioning, which might result in loss of business or interruption of services.
• Response: an action plan designed by the organization to minimize the impact or likelihood of the risk materializing. The four types are: Accept, Transfer, Avoid and Mitigate.
• Controls / mitigation: in order to mitigate risk, management implements controls.
• Inherent risk: the total risk without any controls.
• Residual risk: the risk remaining because controls cannot mitigate the risk completely; it also includes accepted risk.
• Risk aggregation: a risk has a different impact on different business functions/locations; from the organization's perspective it is necessary to present them as the total risk for the organization.
• Risk profile: the collective view of all risks an organization is likely to face.
• Risk register: a document that is maintained to provide information on identified risks.
• Heat map: a graphical representation of the risk profile.
• Risk owner: the person or entity responsible for evaluation of, and the decision on the response to, an identified risk.
(II) Threat Profile / Inventory
A list of all possible threats that might have an impact on the organization:
• Physical and environmental threats like fire, theft etc.
• External threats that are not in the control of the organization, like hackers.
• Internal threats that are initiated within the organization, for example a disgruntled employee or unauthorized access.
• Natural threats like earthquake, floods, tsunami etc.
(III) Vulnerability Assessment
An evaluation to identify gaps and vulnerabilities in your network, servers etc., which helps you validate your configuration and patch management and identify steps to improve your information security. Assessments are typically performed according to the following steps:
a. Cataloguing assets and resources in a system.
b. Assigning a quantifiable value or rank and importance to those resources.
c. Identifying the vulnerabilities or potential threats to each resource.
(IV) Asset Inventory
ISO 27001:2005 also recommends implementing controls around assets by prioritizing them based on the results of risk evaluation. (ISO 27001:2013 recommends ISO 31000 for risk management and also states that risk management need not be asset based.)
(V) Risk Register and Control Catalogue
The collective record of all identified and evaluated risks along with the risk owner and risk response. The structure of the risk register must contain the risk scenario, likelihood, assets impacted and overall impact on business. It must be maintained through an updating process. It is used to develop the risk profile for reporting to management and approval.

2. Risk Evaluation
Also called risk assessment, the process for assessing the likelihood and impact of identified risks. There are two methods:
• Quantitative risk analysis: expressing total risk in monetary terms.
• Qualitative risk analysis: expressing total risk with a qualification like high, low etc.
3. Determine Likelihood of Risk
Several factors need to be considered when determining this likelihood:
(a) the source of the threat, the motivation behind the threat, and the capability of the source;
(b) the nature of the vulnerability; and
(c) the existence and effectiveness of current controls to deter or mitigate the vulnerability.
4. Risk Prioritization
Organizations generally use the risk profile and heat map to prioritize evaluated risks based on the criticality of the risks and the priorities of business objectives.
5. Risk Response
• Accept the risk: some risks may be considered minor, and consciously accepting the risk as a cost of doing business is appropriate.
• Avoid the risk: some risks are associated with the use of a particular technology, supplier or vendor; the risk can be avoided/eliminated by replacing the technology, supplier or vendor.
• Transfer the risk: risk mitigation approaches can be shared with trading partners and suppliers.
• Mitigate the risk: suitable controls must be devised and implemented to prevent the risk.
Risk Monitoring
• Periodic review of identified and evaluated risks to confirm that the evaluation is still appropriate.
• Review of risks associated with changes in infrastructure.
• Audit findings also require a review of risks.
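The scoring, residual-risk, aggregation, heat-map and prioritisation steps described in the Risk Components, Risk Evaluation and Risk Prioritization passages above, worked through as an added Python example; this is not code from the original chart or from COBIT/ISACA. The 1-5 likelihood and impact scales, the heat-map thresholds, the risk-tolerance value and the register entries are all constructed assumptions for illustration; a real register would use the enterprise's own scales and appetite.

```python
"""Worked risk-register example: score, aggregate and prioritise I&T risks.

Qualitative part: likelihood and impact on a 1-5 scale; residual risk is the
inherent risk reduced by the effectiveness of existing controls; risks are
bucketed into heat-map bands and sorted for the response decision.
Quantitative part: annualised loss expectancy in money terms.
Scales, thresholds and register entries are constructed for illustration.
"""
from dataclasses import dataclass, field

HEAT_BANDS = ((15, "High"), (8, "Medium"), (0, "Low"))  # constructed thresholds
RISK_TOLERANCE = 8          # constructed: highest residual score management tolerates


@dataclass
class Risk:
    scenario: str
    threat: str
    vulnerability: str
    owner: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    control_effectiveness: float    # 0.0 (no control) .. 1.0 (fully mitigated)
    business_units: list = field(default_factory=list)


def inherent_score(r):
    """Total risk with no controls in place: likelihood x impact (max 25)."""
    return r.likelihood * r.impact


def residual_score(r):
    """Risk remaining after controls; floored at 1 because controls never remove it."""
    reduced = inherent_score(r) * (1 - r.control_effectiveness)
    return max(1, round(reduced))


def heat_band(score):
    """Heat-map band for a score, using the constructed HEAT_BANDS thresholds."""
    for floor, band in HEAT_BANDS:
        if score >= floor:
            return band
    return "Low"


def suggested_response(r):
    """Residual above tolerance must be mitigated; within tolerance it may be accepted.
    Avoid and Transfer are judgement calls this helper does not make."""
    return "Mitigate" if residual_score(r) > RISK_TOLERANCE else "Accept"


def prioritize(register):
    """Risk profile ordered for management attention: highest residual first,
    ties broken by impact (a severe, rare event outranks a frequent minor one)."""
    return sorted(register, key=lambda r: (residual_score(r), r.impact), reverse=True)


def aggregate_by_unit(register):
    """Risk aggregation: one scenario may hit several business units; total the
    residual exposure per unit so the enterprise view is not understated."""
    totals = {}
    for r in register:
        for unit in r.business_units:
            totals[unit] = totals.get(unit, 0) + residual_score(r)
    return totals


def annualised_loss_expectancy(single_loss, annual_rate):
    """Quantitative analysis: expected yearly loss in money terms."""
    return single_loss * annual_rate


# Constructed register entries (not data from the original page).
REGISTER = [
    Risk("Ransomware on file servers", "criminal group", "unpatched SMB service",
         "IT Ops Manager", 4, 5, 0.5, ["Finance", "Operations"]),
    Risk("Privileged account misuse", "disgruntled employee", "shared admin credentials",
         "CISO", 3, 4, 0.25, ["Finance"]),
    Risk("Cloud vendor outage", "supplier failure", "single-region deployment",
         "Head of Infrastructure", 2, 3, 0.0, ["Operations"]),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.scenario:30} inherent={inherent_score(r):2} residual={residual_score(r):2} "
              f"{heat_band(residual_score(r)):6} -> {suggested_response(r)} (owner: {r.owner})")
    print("Exposure per business unit:", aggregate_by_unit(REGISTER))
    print("ALE for a 250,000 loss occurring 0.2 times/year:",
          annualised_loss_expectancy(250_000, 0.2))
```

Run as a script to print the prioritised profile. The residual score is the inherent score scaled by (1 - control effectiveness) and floored at 1, which models the page's point that controls never mitigate a risk completely; the per-unit aggregation shows why a scenario that hits several functions understates enterprise exposure if it is counted only once.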
IS Risks and Risk Management
IS security is defined as "procedures and practices to assure that computer facilities are available at all required times, that data is processed completely and efficiently, and that access to data in computer systems is restricted to authorized people". IS auditors are required to evaluate whether the available controls are adequate and appropriate to mitigate the risks. If controls are unavailable, this has to be reported to auditee management with appropriate recommendations to mitigate them.
Compliance in COBIT 2019 - MEA03: Managed Compliance with External Requirements
Key Management Practices of IT Compliance
• Identify compliance with external laws and regulations: identify changes in local and international laws and regulations; consider industry standards and codes of good practice.
• Optimize the response to external requirements.
• Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.
• Obtain assurance of compliance with external requirements.
Key Metrics for Assessing the Compliance Process
• Cost of IT non-compliance;
• Number of IT related non-compliance issues reported to the board or causing public comment;
• Number of non-compliance issues relating to contractual agreements with IT service providers;
• Coverage of compliance assessments;
• Corrective actions to address compliance gaps are closed in a timely manner.
IT Compliance with Internal Policies
• Number of incidents related to non-compliance with policy;
• Percentage of stakeholders who understand policies;
• Percentage of policies supported by effective standards and working practices; and
• Frequency of policy review and updates.
Information Technology Act 2000
The Information Technology Act 2000 (amended 2008) provides that any organization collecting PII shall be liable in case the absence of reasonable security for such information results in identity theft.
Section 43A
• Deals with compensation for failure to protect data.
• A body corporate dealing with sensitive personal data that is negligent in security will have to pay compensation to the affected person. It is important to note that no upper limit is specified for the compensation.
Section 69B
• Deals with cyber security.
• Gives the government the power to monitor and collect traffic data or information from any computer resource; the subscriber or intermediary must assist the government by providing the data, and is otherwise liable to penalty.
Section 70B
• Power of the central government to appoint the Indian Computer Emergency Response Team (CERT-In); this agency collects and analyses information on cyber incidents, issues forecasts, takes emergency measures, ensures coordination and issues guidelines.
Section 72A
• Punishment for disclosure of information in breach of a lawful contract: imprisonment for a term extending to three years, or a fine extending to INR 5,00,000, or both.
General
• The enterprise appoints a designated officer/nodal officer/computer-in-charge to comply with the directions of the competent authority/agency, and keeps the details of that designated/nodal officer readily available online.
Section 7A: Audit of documents in electronic form. Where any law provides for the audit of documents, that provision shall also apply to the audit of documents maintained in electronic form.
Sections 66 to 66F and 67 (inserted by the 2008 amendment) deal with the following crimes:
• Sending offensive messages using an electronic medium for unacceptable purposes
• Dishonestly receiving stolen computer resources
• Unauthorized access to computer resources
• Identity theft / cheating by personation using a computer
• Violation of privacy
• Cyber terrorism / offences using a computer
• Publishing or transmitting obscene material

General Data Protection Regulation (GDPR)
The European Union's ("EU") regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data has implications for Indian entities processing personal data of EU residents. "Personal data" is defined as information relating to an identified or identifiable natural person (the "data subject"). An identifiable natural person is one who can be identified, in particular by reference to an identifier; such information is 'personal data' under the GDPR. Fines are up to EUR 10,000,000 or 20,000,000, or in the case of an undertaking, up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The Personal Data Protection Bill, 2019
The Bill provides for the protection of the personal data of individuals, and establishes a Data Protection Authority for the same.
The Bill governs the processing of personal data by: (i) Government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
Sensitive personal data includes financial data, biometric data, caste, religious or political belief, or any other category specified by the government.
Obligations of the data fiduciary
A data fiduciary is an entity that decides the means and purpose of processing personal data. All data fiduciaries must undertake certain transparency and accountability measures such as:
• Implementing security safeguards (such as data encryption and preventing misuse of data);
• Instituting grievance redressal mechanisms to address complaints of individuals.
Rights of the individual
• Obtain confirmation from the fiduciary on whether their personal data has been processed;
• Seek correction of inaccurate, incomplete or out-of-date personal data;
• Have personal data transferred to any other data fiduciary;
• Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
Transfer of data outside India
• Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions.
Offences
• Processing or transferring personal data in violation of the Bill: fine of Rs 15 crore or 4% of annual turnover, whichever is higher.
• Failure to conduct a data audit: fine of Rs 5 crore or 2% of annual turnover, whichever is higher.
• Re-identification and processing of de-identified personal data without consent: punishable with imprisonment of up to three years, or fine, or both.

CHAPTER 3:
KEY COMPONENTS OF A GOVERNANCE SYSTEM
Components are factors that, individually and collectively, contribute to the good operation of the enterprise's governance system over I&T.
COBIT 2019 Governance System Principles
Principle 1: Provide Stakeholder Value. COBIT 2019 provides all of the required processes and other components to support business value creation through the use of I&T. An enterprise can customize COBIT 2019 to suit its own context.
Principle 2: End-to-End Governance System. COBIT 2019 integrates governance of enterprise IT into enterprise governance. It covers all functions and processes within the enterprise; COBIT 2019 does not focus only on the IT function but treats information and related technologies as assets.
Principle 3: Tailored to Enterprise Needs. A governance system should be tailored to the enterprise's needs, using a set of design factors as parameters to customize and prioritize the governance system components.
Principle 4: Holistic Approach. COBIT 2019 defines a set of components to support the implementation of a comprehensive enterprise governance system for I&T. Components are broadly defined as anything that can help to achieve the objectives of the enterprise.
Principle 5: Governance Distinct from Management. The two disciplines encompass different types of activities, require different organizational structures and serve different purposes:
• Governance (board level, e.g. the IT Strategy Committee): evaluate stakeholder needs; determine agreed-on enterprise objectives; set direction through prioritization and decision making; monitor performance and compliance. Responsibility: the board of directors.
• Management (executive level, e.g. the IT Steering Committee): plan, build, run and monitor (PBRM) activities; align with the direction set by the governance body; achieve enterprise objectives; monitor and report performance and conformance. Responsibility: management at all levels.
Principle 6: Dynamic Governance System. Each time one or more of the design factors change (e.g. a change in strategy or technology), the impact of these changes on the EGIT system must be considered. A dynamic view of EGIT will lead toward a viable and future-proof EGIT system.

Components of the Governance System as per COBIT 2019

1. Principles, Policies, Procedures
• Purpose: convey the governing body's and management's direction and instructions.
• Reason for implementing: translate the desired strategy into practical guidance for day-to-day management.
• Difference between policies and principles: principles need to be limited in number.
Characteristics of good policies
• Effective: they achieve their purpose.
• Efficient: in implementing.
• Non-intrusive: they make sense.
Policies should have a framework in place where they can be effectively managed. A policy should be comprehensive, open and flexible, and up to date.
• The purpose of a policy life cycle is that it must support the policy framework.
• Good practice requirements have to be approved by the Board.

2. Processes: Collection of Practices
• Process: 'guidance' to achieve process goals.
• Process activities: 'guidance' to achieve the management practices for successful governance and management of enterprise IT.
• Inputs and outputs: those considered necessary to support operation of the process.
Each process should provide:
• A process description, a process purpose statement and IT-related goals.
• Each IT-related goal is associated with a set of generic related metrics.
• Process goals; each process goal is associated with a set of generic metrics.
• A set of management practices, associated with a generic RACI chart (Responsible, Accountable, Consulted, Informed).
• Management practices contain a set of inputs and outputs (called work products).
• Each management practice is associated with a set of activities.
• A clear distinction between governance processes and management processes.

3. Organizational Structures
• Establishing accountability mechanisms through an appropriate organisation structure.
• A RACI chart helps in defining roles and responsibilities covering risks and controls for all critical areas.
Good practices of organizational structure
• Operating principles: the practical arrangements regarding how the structure will operate.
• Level of authority: the decisions that the structure is authorized to take.
• Escalation procedures: actions in case of problems in making decisions.
• Span of control: the boundaries of the organization structure's decision rights.
• Delegation of responsibility: delegating a subset of its decision rights to other structures reporting to it.
Stakeholders (organisation chart): Board of Directors; Chief Executive Officer; Chief People Officer (HR), Chief Financial Officer, Chief Operations Officer, Chief Technology Officer and Chief Marketing Officer; Managers; Teams.
IT Organisation Chart
Chief Executive Officer, with three reporting lines:
• Chief Internal Auditor, with IS Auditors reporting.
• Chief Technology Officer / Chief Information Officer, with the IT Development Manager, Technical Support Managers, IT Operations Manager and Chief Information Security Officer reporting; below them the Application Systems Development Manager, End User Support Manager, Database Administrator and Security Manager; and at the next level Application Systems Programmers, Systems Analysts, Network Administrator, Systems Administrator and Quality Assurance Manager.
• Chief Risk Officer.

Organisation and Structure
IT Strategy Committee
• Composed of board and non-board members.
• Operates at board level.
• Assists the board in governing and overseeing the enterprise's IT related matters.
• Ensures IT is a regular item on the board agenda.
• Responsible for the implementation of EGIT.
Responsibility of the IT Strategy Committee
• Ensures alignment of IT and business objectives.
• Identifies exposures to IT risks.
• Provides strategic direction to management regarding information technology.
IT Steering Committee
• Comprises functional heads from key departments, including the audit and IT departments.
• Situated at executive level.
• Depending on size, gives appropriate direction to IT deployment and information systems.
• The role and responsibility of this committee and its members are documented and approved by senior management.
Responsibility of the IT Steering Committee
• It is the responsibility of the steering committee to approve project plans and budgets.
• Aligns project work with business requirements and provides continuous monitoring.
• The steering committee has overall responsibility for system development projects.
IT Steering Committee charter
• Appointment: by the Board.
• Responsibilities: defined in a formal charter, which should be approved by the Board.
• Objective: the IS department is aligned with the organization's mission and objectives.
• Chairman: a member of the board of directors who understands information technology risks and issues.
• Representation: broad-based, a cross-section of senior business managers.

4. Culture, Ethics and Behaviour
Culture is shaped and transformed by consistent patterns of senior management action.
Some examples are:
• Behaviour towards risk taking.
• Behaviour towards the enterprise's principles.
• Behaviour towards negative outcomes.
Good practices:
• Communication throughout the enterprise of desired behaviours and corporate values.
• Awareness of desired behaviour strengthened by senior management example.
• Incentives to encourage and deterrents to enforce desired behaviour.

5. Information
Information is the most valuable asset; this component concerns how well information is processed and made available at the requisite level of security.
Quality of Information
• Relevancy: helpful.
• Appropriateness: the volume of information.
• Consistency: same format.
• Ease of manipulation: applicable to different tasks.
• Completeness: information is not missing.
• Conciseness: compactly represented.
• Understandability: understandable.

6. Services, Infrastructure and Applications
Services are provided by IT to the business and stakeholders to meet internal as well as external requirements. Applications help in providing services by processing information. Applications are hosted on IT infrastructure. All three aspects, services, infrastructure and applications, must be considered together.
Five architecture principles
• Reuse: components are the first preference.
• Buy vs. build: purchase is preferred.
• Simplicity: as simple as possible.
• Agility: accommodate changing business needs.
• Openness: the architecture follows industry standards.

7. People, Skills and Competencies
These are the most valuable asset of an enterprise. Most routine transaction processing is automated; it is the people with the required skills and competencies who are the key differentiator. In order to ensure appropriate skills, the organization follows various people management practices like training, motivational programs, career progression and job rotation. While defining the organization structure, organizations also define job descriptions, roles and responsibilities. For successful implementation of EGIT, selecting the right blend of these components, customised as required, is most critical. The components also have the openness to integrate across various frameworks.

Designing a Tailored Governance System with COBIT 2019
Effective governance over information and technology is critical to business success. The design guide is a new offering that includes four steps to design a tailored governance system:
• Understand the enterprise context and strategy
• Determine the initial scope of the governance system
• Refine the scope of the governance system
• Conclude the governance system design
Stakeholders in Implementing EGIT
• Board and executive management: define the enterprise use of I&T.
• Business management / business process owners: I&T-related goals for business value.
• Chief information officer (CIO), IT management and IT process owners: plan, build, deliver and monitor information and IT.
• Risk, compliance and legal experts: risks are identified, assessed and mitigated.
• Internal audit: value delivery and risk mitigation.
• Rules and norms which provide more guidance

CA Rajat Agrawal www.prokhata.com 25


CHAPTER 3: KEY COMPONENTS OF A GOVERNANCE SYSTEM
Using a Systematic Approach for Implementing EGIT
An EGIT implementation project within an enterprise is run with specific phases, tasks and activities, and with roles, responsibilities and deliverables defined for each phase. One of the key components of EGIT implementation is "culture, ethics and behaviour". This is set by the tone at the top, with senior management.

Phase 1: Establish the Desire to Change
Current pain points and trigger events can provide a good foundation for establishing the desire to change. The 'wake-up call', an initial communication on the programme, can be related to real-world issues that the enterprise may be experiencing.

Phase 2: Form an Effective Implementation Team
Assembling the right core implementation team includes involving the appropriate areas from business and IT, as well as the knowledge, expertise, experience, credibility and authority of team members. The essence of the team should be a commitment to:
• A clear vision of success and ambitious goals
• Engaging the best in all team members, all the time
• Clarity and transparency of team processes and accountabilities
• Integrity, mutual support and commitment to each other's success
• Mutual accountability and collective responsibility
• Measurement of its own performance and the way it behaves as a team

Phase 3: Communicate Desired Vision
The communication should include the rationale for and benefits of the change, as well as the impacts of not making the change (purpose), the vision (picture), the road map to achieving the vision (plan) and the involvement required of the various stakeholders (part). Senior management should deliver key messages (such as the desired vision).

Phase 4: Empower Role Players and Identify Quick Wins
Change response plans are developed to empower various role players. The scope includes:
• Organisational design changes.
• Operational changes.
• People management changes such as training and reward systems.
Visible and unambiguous quick wins can build momentum and credibility for the programme. It is imperative to use a participative approach in the design and building of the core improvements. By engaging those impacted by the change in the actual design, buy-in can be increased.

Phase 5: Enable Operation and Use
As initiatives are implemented within the core implementation life cycle, the change response plans are implemented. It is important to balance group and individual interventions to increase buy-in and engagement and to ensure that all stakeholders obtain a holistic view of the change.

Phase 6: Embed New Approaches
As concrete results are achieved, new ways of working should become part of the enterprise's culture and rooted in its norms and values ('the way we do things around here').

Phase 7: Sustain
Changes are sustained through conscious reinforcement and an ongoing communication campaign, and they are maintained and demonstrated by continued top management commitment. Corrective action plans are implemented, lessons learned are captured and knowledge is shared with the broader enterprise.
Implementing EGIT in Specific Areas

Strategic Alignment of IT with Business
Ensure that IT goals are aligned with the enterprise goals, that process goals are set for the IT goals and that metrics are designed for these. Alignment of the IT strategy with the organisational strategy tells us whether IT adds value to the organisation or not.
Objective of IT strategy: alignment of the strategic IT plans with the business objectives is achieved by clearly communicating the objectives and associated accountabilities.

Aligning IT Strategy with Enterprise Strategy
• Understand enterprise direction: consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider the external environment.
• Assess the current environment, capabilities and performance: assess current internal business and IT capabilities and external IT services; develop an understanding of the enterprise architecture.
• Define the target IT capabilities: based on assessment of the current business process and IT environment and issues, and consideration of good practices and validated emerging technologies.
• Conduct a gap analysis: identify the gaps between the current and target environments and consider the alignment of assets with business outcomes.
• Define the strategic plan and road map: in cooperation with relevant stakeholders, define how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programmes, business processes, IT services and IT assets. IT should define the initiatives that will be required to close the gaps, the sourcing strategy, and the measurements to be used to monitor achievement of goals, then prioritise the initiatives and combine them in a high-level road map.
• Communicate the IT strategy and direction: to appropriate stakeholders and users throughout the enterprise.

Value Optimisation
Achieved by ensuring optimisation of the value contribution to the business from business processes, IT services and IT assets. Implementing this process ensures that the enterprise is able to secure optimal value from I&T-enabled initiatives and services. Success of the process of ensuring business value from use of I&T can be measured by evaluating the benefits realised from I&T-enabled investments and how transparency of IT costs, benefits and risk is implemented.
Metrics for value optimisation: percentage of I&T-enabled investments where claimed benefits were met or exceeded, etc.

Resource Optimisation
The primary objective of implementing this process is to ensure that the resource needs of the enterprise are met in the most optimal manner, I&T costs are optimised, and there is an increased likelihood of benefit realisation and readiness for future change.

Sourcing Processes
Sourcing is managed through suppliers and appropriate service agreements.
• Manage service agreements: align IT-enabled services and service levels with enterprise needs and expectations.
• Manage suppliers: ensure that IT-related services provided by all types of suppliers meet enterprise requirements.
Outsourcing
• IT is one of the key areas which is outsourced in part or in totality, depending on the criticality of the processes.
• Some of the important tools used to manage and monitor IT service providers are performance targets, service level agreements (SLAs) and scorecards.
• It is critical to note that senior management cannot abdicate its ultimate responsibility for IT service delivery just because it has been outsourced, as the responsibility for compliance and for ensuring performance vests with the enterprise.

Capacity Management and Growth Planning Processes
Capacity management is the process of planning, sizing and continuously optimising IS capacity in order to meet long- and short-term business goals in a cost-effective and timely manner. The capacity management or configuration management process is used to assess the effectiveness and efficiency of IS operations.
Capacity includes:
• Storage space
• Network throughput
• Human resources
• Electronic messaging
• Customer relationship management
• Quantum of data processed
Benefits of good capacity management:
• Enhanced customer satisfaction
• Better justification of spending

Capex and Opex
Use of IT through outside vendors reduces capital expenditure but increases revenue expenditure. Capex stands for capital expenditure and is the money spent on generating physical assets. Opex stands for operating expenditure and refers to the day-to-day expenses required to maintain physical assets. Capex is what needs to be avoided, while Opex is something to be kept under tight control.



CHAPTER 4: PERFORMANCE MANAGEMENT SYSTEMS
The governance processes of ISO 38500 and COBIT 2019 primarily focus on "Evaluate, Direct and Monitor". The 'direct' function sets out what is expected from management; the 'monitor' function focuses on whether what was expected has been achieved. The challenge is to 'evaluate' what is actually achieved and validate whether it is as per the set objectives. This helps to make a realistic assessment of what was achieved, what the gaps are, and how to monitor performance not only on a reactive but on a proactive basis. Performance measurement can be implemented by use of relevant governance and performance frameworks such as balanced scorecards, maturity models and quality systems.
Performance Measurement
The process of collecting, analysing and/or reporting information regarding the performance of an individual, group, organisation, system or component. In developing a performance measurement system, identify the enterprise goals and then obtain an understanding of the connection between the entity's mission, vision and strategies and its operating environment.
Phases of a performance measurement system:
• Plan, establish and update performance measures
• Establish the accountability
• Collect and analyse data
• Report on performance information
• Take corrective action

Performance Measurement System
A performance management system assesses performance against goals by setting the right key goal indicators and key process indicators. Performance is evaluated at various levels: at organisation level against goals and objectives; at resource level against set performance goals by defining key performance indicators (KPI); and at risk level based on key risk indicators (KRI). There are two approaches:
• Proactive approach: management provides assurance on achieving goals by implementing best practices and using lead indicators.
• Reactive approach: achievements are compared with goals using lag indicators.
Goal Setting
Goal setting is the first pre-requisite of performance management. At a macro level, the Board of directors sets the enterprise direction and the goals to be achieved. These are the overall enterprise goals, set from a top-down or bottom-up approach or a combination of the two. Once goals are set, top-level goals need to be allocated to functions/business units and specific goals set for each of them. From a governance perspective, the enterprise goals have to be shared with the IT department, which prepares the IT strategy in alignment with the enterprise strategy. These IT goals facilitate achievement of enterprise goals.

Two types of goals
• Outcome goals: evaluated through key goal indicators (KGI), also called lag indicators. Achievement is measured after the event or period.
• Performance goals: evaluated through key performance indicators (KPI), also called lead indicators. They measure the performance that drives the outcome.

Goal Setting and Stakeholder Needs
EGIT is very helpful for three reasons:
• Needs influence the priorities of EGIT, for example a focus on cost reduction, compliance or launching a new business product.
• Needs and objectives focus where attention goes when improving EGIT.
• Better forward planning of opportunities to add value to the enterprise.

Category of Enterprise Goal
• Strategic: high-level goals, aligned with and supporting the enterprise's mission or vision.
• Operational: effectiveness and efficiency of the enterprise's operations, including performance and profitability goals, which vary based on management's choices about structure and performance.
• Reporting: the effectiveness of the enterprise's reporting, including internal and external reporting and involving financial or non-financial information.
• Compliance: the enterprise's compliance with applicable laws and regulations.
Enterprise goals are set by the board of directors based on the strategy and objectives. These need to be customised by selecting what is relevant for the enterprise and adding specific dates, values and numbers to the identified goals.

Enterprise and Alignment Goals
Enterprise and alignment goals are used as the basis for setting IT objectives and establishing a performance measurement framework. COBIT 2019 provides structures for defining goals at three levels: for the enterprise, for IT overall and for IT processes. These need to be customised by selecting what is relevant for the enterprise and adding specific dates, values and numbers to the identified goals.

Enterprise goals (COBIT 2019) include:
• EG01: Portfolio of competitive products and services
• EG02: Managed business risk
• EG03: Compliance with external laws and regulations
• EG04: Quality of financial information
• EG05: Customer-oriented service culture
• EG06: Business service continuity and availability
• EG07: Quality of management information
• EG08: Optimization of business process functionality
• EG09: Optimization of business process costs
• EG10: Staff skills, motivation and productivity
• EG11: Compliance with internal policies
• EG12: Managed digital transformation programs
• EG13: Product and business innovation

Alignment goals (COBIT 2019):
• AG01: I&T compliance and support for business compliance with external laws and regulations
• AG02: Managed I&T-related risk
• AG03: Realized benefits from I&T-enabled investments and services portfolio
• AG04: Quality of technology-related financial information
• AG05: Delivery of I&T services in line with business requirements
• AG06: Agility to turn business requirements into operational solutions
• AG07: Security of information, processing infrastructure and applications, and privacy
• AG08: Enabling and supporting business processes by integrating applications and technology
• AG09: Delivering programs on time, on budget and meeting requirements and quality standards
• AG10: Quality of I&T management information
• AG11: I&T compliance with internal policies
• AG12: Competent and motivated staff with mutual understanding of technology and business
• AG13: Knowledge, expertise and initiatives for business innovation



Requirements for Measures: measures and performance information need to be linked to strategic management processes.

Benefits
• Early warning indicator of problems and of the effectiveness of corrective action.
• Input to resource allocation and planning.
• Provides periodic feedback to employees, customers and stakeholders about the quality, quantity, cost and timeliness of products.
The most important benefit is that it builds a common results language among all decision makers. It is important to make a distinction between outcome measures and performance drivers: outcome measures indicate whether goals have been met.

Performance Measurement Processes / Indicators
What cannot be measured cannot be improved. Metrics include, for example, financial measurement and benchmarking of customer satisfaction. Performance measurement is used to:
• Manage products
• Assure accountability
• Support budgeting decisions
• Optimise performance, i.e. improve productivity without making unnecessary added investments

Examples of Performance Measures
• Better use of communications bandwidth and computing power
• Lower number of reported non-compliances with prescribed processes
• Better cost and efficiency of the process
• Lower number of complaints made by stakeholders
• Better quality and increased innovation, etc.
• Lower number of errors and rework
• Improved staff productivity

Measures Defined: metrics are defined at three levels:
• Enterprise: define the organisational context and objectives and how to measure them.
• Alignment: define what the business expects from IT and how to measure it.
• Governance and management objectives and metrics: define what the IT-related process must deliver to support IT's objectives and how to measure it.
Balanced Scorecard (BSC)
Defined by Robert S. Kaplan and David P. Norton, the BSC focuses the energy of an organisation into achieving strategic goals and objectives that are represented by key performance indicators (KPIs).

BSC has the following characteristics:
• Uses a common language at all levels of the organisation.
• Provides a balance between financial and non-financial goals, internal and external influences, and leading and lagging indicators.

BSC Perspectives

Financial Perspective
Whether a strategy is achieving bottom-line results. Financial metrics are classic lagging indicators. The more common ones are:
• Profitability
• Revenue growth
• Economic value added

Customer Perspective
Defines target customers and the value proposition the organisation offers them, whether it is efficiency (low price, high quality), innovation or exquisite service. Measures:
• Customer satisfaction
• Customer loyalty
• Market share, "share of wallet"

Internal Process Perspective
Delivering value to customers, including product development, production, manufacturing, delivery and service. Organisations may need to create brand new processes to meet goals outlined in the Customer perspective. Measures: patents pending, ratio of new products to total products, inventory turnover, stock-outs, zero defects, on-time deliveries.

Learning and Growth Perspective
Measures the internal resources needed to drive the other three perspectives, including employee skills and information technology. Measures:
• Employee satisfaction, turnover rate, absenteeism
• Training hours, leadership development programmes
• Number of cross-trained employees, average years of service

[Figure: the four BSC perspectives arranged around "Vision and Strategy", each with Objectives, Measures, Targets and Initiatives, and each framed by a question. Financial: "To succeed financially, how should we appear to our shareholders?" Customer: "To achieve our vision, how should we appear to our customers?" Internal Business Processes: "To satisfy our shareholders and customers, what business processes must we excel at?" Learning and Growth: "To achieve our vision, how will we sustain our ability to change and improve?"]
Strategic Scorecard
The Strategic Scorecard is a pragmatic and flexible tool that is designed to help boards to fulfil their responsibilities to contribute to and oversee strategy effectively. The enterprise governance framework helps understand the importance of both conformance and performance to the organisation's long-term success. What the scorecard does is to give the board a simple but effective process that helps it to focus on the key strategic issues.
• Summarises the key aspects of the environment in which an organisation is operating.
• Identifies the (key) strategic options that could have a material impact on the strategic direction of the organisation and helps the board to determine which options will be developed further and implemented.

The scorecard has four dimensions:
• Strategic Position: micro environment; threats from changes; business position; capabilities, e.g. SWOT analysis; stakeholders.
• Strategic Option: scope change, e.g. area, product, market sector; direction change, e.g. high or low growth, price and quality offers.
• Strategic Implementation: project milestones and timelines; pursue or abandon the plan, etc.
• Strategic Risk: informing the board on risks and how they are being managed; measurement of risks; internal controls.



CHAPTER 5: BUSINESS CONTINUITY MANAGEMENT
A Business Continuity Plan outlines a range of disaster scenarios and the steps the business will take in any particular scenario to return to regular trade.
Definitions of Key Terms
1. Business Continuity Planning: the process of developing prior arrangements and procedures that enable an organisation to respond to an event in such a manner that critical business functions can continue within a planned level of disruption. The end result of the planning is called a Business Continuity Plan.
2. Crisis: an abnormal situation which threatens the operations, staff, customers or reputation of the organisation.
3. Disaster: a physical event which interrupts business processes sufficiently to threaten the viability of the organisation.
4. Emergency Management Team (EMT): comprising executives at all levels including IT, it is vested with the responsibility of commanding the resources required to recover the enterprise's operations.
5. Incident: an event that has the capacity to lead to loss of, or a disruption to, an organisation's operations, services or functions.
6. Incident Management Plan: a documented plan of action covering the key personnel, resources, services and actions needed to implement the incident management process.
7. Minimum Business Continuity Objective: the minimum level of services and/or products that is acceptable to an organisation during an incident, emergency or disaster.
8. Maximum Acceptable Outage (MAO): the time frame during which a recovery must become effective before an outage compromises the achievement of the organisation's business objectives. MAO is also known as maximum tolerable outage (MTO), maximum downtime (MD) or maximum tolerable period of disruption (MTPD).
9. Recovery Point Objective (RPO): a measure of how much data loss due to a node failure is acceptable to the business. A large RPO means that the business can tolerate a great deal of lost data. Depending on the environment, the loss of data could have a significant impact.
10. Service Delivery Objective (SDO): the level of services to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.
11. Recovery Time Objective (RTO): the measure of the user's tolerance to downtime. For example, a critical monitoring system must have a low or zero RTO; its RTO may be measured in minutes or less.

Disaster Tolerance
• Indicates the tolerance level of the organisation to accept non-availability of IT facilities.
• High RTO/RPO ~ high disaster tolerance.
• Low RTO/RPO ~ low disaster tolerance.

Some examples of RPO and RTO
• A stock exchange trading system must be restored very quickly and cannot afford to lose any data. Since the price of the next trade depends upon the previous trade, the loss of a trade will make all subsequent transactions wrong. In this case, the RTO may be measured as a few minutes or less, but the RPO must be zero.
• A critical monitoring system, such as those used by power grids, nuclear facilities or hospitals for monitoring patients, must have a very small RTO, but the RPO may be large.
• A web-based online ordering system must have an RPO close to zero (the company does not wish to lose any sales or, even worse, acknowledge a sale to a customer and then not deliver the product). However, if shipping and billing are delayed by even a day, there is often no serious consequence, thus relaxing the RTO for this part of the application.
• A bank's ATM system is even less critical. If an ATM is down, the customer, although aggravated, will find another one. If an ATM transaction is lost, a customer's account may be inaccurate until the next day, when the ATM logs are used to verify and adjust customer accounts. Thus, neither RPO nor RTO need to be small.

12. Resilience: the ability of an organisation to resist being affected by an incident.
13. Risk: the combination of the probability of an event and its consequence.
14. Vulnerability: the degree to which a person, asset, process, information, infrastructure or other resource is exposed to the actions or effects of a risk, event or other occurrence.
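The RPO/RTO examples above can be made concrete by checking an achieved recovery timeline against each system's objectives. The Python below is an added illustration written for this page, not code from the page's author or from any BCM tool. The backup job log, the failure and restoration times, the assumed 15-minute backup schedule and the objective values chosen for the four system types are all constructed assumptions; the only thing taken from the page is the shape of the four examples.

```python
"""Added example: check an achieved recovery timeline against RPO and RTO.

Illustrative code written for this page, not part of any BCM product.
The backup log, failure/restoration times, backup interval and the
objective values for the four system types are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RecoveryObjectives:
    name: str
    rpo: timedelta  # maximum tolerable data loss, measured backwards from the failure
    rto: timedelta  # maximum tolerable downtime, measured forwards from the failure


# Constructed backup job log, one job per line: "<ISO timestamp> <status>".
BACKUP_LOG = """
2024-03-01T02:00:00 completed
2024-03-01T02:15:00 completed
2024-03-01T02:30:00 completed
2024-03-01T02:45:00 completed
2024-03-01T03:00:00 failed
"""
BACKUP_INTERVAL = timedelta(minutes=15)            # assumed schedule behind the log
FAILURE_AT = datetime(2024, 3, 1, 3, 5)            # constructed node failure
SERVICE_RESTORED_AT = datetime(2024, 3, 1, 3, 40)  # constructed end of the outage

# Assumed objectives mirroring the page's four examples (values are not from the page).
SYSTEMS = [
    RecoveryObjectives("stock exchange trading", rpo=timedelta(0), rto=timedelta(minutes=5)),
    RecoveryObjectives("critical monitoring", rpo=timedelta(hours=24), rto=timedelta(minutes=1)),
    RecoveryObjectives("online ordering", rpo=timedelta(0), rto=timedelta(days=1)),
    RecoveryObjectives("bank ATM", rpo=timedelta(days=1), rto=timedelta(hours=4)),
]


def parse_backup_log(log_text: str) -> list:
    """Return the completion times of successful backup jobs, oldest first."""
    completed = []
    for line in log_text.strip().splitlines():
        stamp, status = line.split()
        if status == "completed":  # a failed job is not a usable restore point
            completed.append(datetime.fromisoformat(stamp))
    return sorted(completed)


def last_good_backup(backups, failure_at: datetime) -> Optional[datetime]:
    """The restore point: the latest successful backup taken at or before the failure."""
    usable = [b for b in backups if b <= failure_at]
    return max(usable) if usable else None


def periodic_backup_can_meet(rpo: timedelta, interval: timedelta) -> bool:
    """Worst-case loss with periodic backups is one full interval, so the interval
    must not exceed the RPO. An RPO of zero cannot be met by any periodic backup;
    it needs synchronous replication or another zero-loss mechanism."""
    return rpo > timedelta(0) and interval <= rpo


def evaluate(obj: RecoveryObjectives, backups, failure_at, restored_at) -> dict:
    """Compare achieved data loss and downtime with the system's RPO and RTO."""
    restore_point = last_good_backup(backups, failure_at)
    # With no usable backup, everything since the system started is lost.
    data_loss = failure_at - restore_point if restore_point else None
    downtime = restored_at - failure_at
    return {
        "data_loss": data_loss,
        "downtime": downtime,
        "rpo_met": data_loss is not None and data_loss <= obj.rpo,
        "rto_met": downtime <= obj.rto,
        "schedule_can_meet_rpo": periodic_backup_can_meet(obj.rpo, BACKUP_INTERVAL),
    }


def evaluate_all() -> dict:
    """Run the constructed incident against every system's objectives."""
    backups = parse_backup_log(BACKUP_LOG)
    return {s.name: evaluate(s, backups, FAILURE_AT, SERVICE_RESTORED_AT) for s in SYSTEMS}


if __name__ == "__main__":
    for name, r in evaluate_all().items():
        print(f"{name:24s} loss={r['data_loss']} RPO met={r['rpo_met']!s:5} "
              f"down={r['downtime']} RTO met={r['rto_met']!s:5} "
              f"15-min backups can ever meet RPO={r['schedule_can_meet_rpo']}")
```

Run as a script to print one line per system. The page's point falls out of the checks: the same 20-minute data loss and 35-minute outage satisfy the ATM system on both counts, fail the trading system on both, and split the monitoring and ordering systems, one failing only RTO, the other only RPO. The last column shows why a zero RPO is qualitatively different: no periodic backup interval, however short, can satisfy it, so such systems need synchronous replication rather than a tighter backup schedule.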
Key Concepts of Disaster Recovery, Business Continuity Plan and Business Continuity Management

Contingency Plan
An organisation's ability to withstand losses caused by unexpected events depends on proper planning and execution of such plans. The main goal is to restore normal modes of operation with minimal cost and minimal disruption to normal business activities after an unexpected event. It should ideally ensure continuous information systems availability despite unexpected events.

1. Components of Contingency Planning
I. Business Impact Analysis (BIA): the steps involved in impact analysis are risk evaluation; defining critical functions in the organisation; identifying the critical facilities required for recovery of the critical functions and their interdependencies; and finally setting priorities for all critical business applications which need to be recovered within defined timelines.
II. Incident Response Plan (IR plan): the IR plan includes tasks like incident planning, incident detection, incident reaction, incident recovery, etc. It gives an entity a set of procedures and guidelines needed to handle an incident.
III. Business Continuity Plan (BCP): the BC plan includes tasks like establishing continuity strategies, planning for continuity of critical operations, continuity management, etc. Business continuity plans as a whole are about re-establishing existing business processes and functions, communications with business contacts and resuming business processes at the primary business location.
IV. Disaster Recovery Plan (DRP): the DRP is the set of plans which are to be executed initially at the moment of crisis. There are three basic strategies that encompass a disaster recovery plan: preventive measures, detective measures and corrective measures.
  a. Preventive measures try to prevent a disaster from occurring. These may include keeping data backed up and off site, using surge protectors, installing generators and conducting routine inspections.
  b. Detective measures are taken to discover the presence of any unwanted events within the IT infrastructure. These include installing fire alarms, using up-to-date antivirus software, holding employee training sessions, and installing server and network monitoring software.
  c. Corrective measures are aimed at restoring a system after a disaster or other unwanted event takes place.

2. Business Continuity Plan vs. Disaster Recovery Plan
The primary objective of a Business Continuity Plan is to ensure that mission-critical functions and operations are recovered and made operational in an acceptable time frame. The objective of the DRP is to re-establish the primary site into operation with respect to all business processes of the organisation facing the disaster.

3. Business Continuity Management
BCM is a holistic process that identifies potential threats and the impacts on normal business operations should those threats actualise. BCM provides a framework to develop and build the organisation's resilience with the capability for an effective response. The purpose of BCM is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption due to an undesired event (Basel Committee on Banking Supervision, 2005), minimising losses and restoring normal, regular operations in the shortest possible time.



Objectives of BCP and BCM

Objectives of Business Continuity Plan
Key objectives of BCP are:
• Manage the risks
• Reduce the time taken to recover
• Minimise the risks in the recovery process
• Reduce the costs involved in reviving
The pre-requisites in developing a Business Continuity Plan (BCP) include planning for all phases and making it part of the business process.

Objectives of Business Continuity Management (BCM)
• Reduce the likelihood of a disruption occurring that affects the business, through a risk management process.
• Enhance the organisation's ability to recover following a disruption to normal operating conditions.
• Minimise the impact of that disruption, should it occur.
• Protect staff and their welfare and ensure staff know their roles and responsibilities.
• Tackle potential failures within the organisation's IS environment.
• Protect the business.
• Preserve and maintain relationships with customers.
• Mitigate negative publicity.
• Safeguard the organisation's market share and/or competitive advantage.
• Protect the organisation's profits or revenue and avoid financial losses.

Need for BCM at Various Levels of the I&T Environment
Disaster recovery is an essential phase for critical IT resources. IT infrastructure generally includes servers, workstations, network and communication, operating system software, business application software, essential utility software, data centres, support desks, IT personnel, disks, tapes, etc. In this technologically driven world, IT infrastructure has essentially become an integral part of an entity's anatomy. Mail servers and communication lines like Internet, phone and fax are also important components of the infrastructure. It is therefore critical to get these components up and running for a successful recovery of the business. When critical industries like banks, insurance companies, stock exchanges, airline companies, railways, multinational companies and government agencies rely on IT infrastructure for their daily operations, it is crucial to maintain BCM for such organisations. Software like core banking systems, SWIFT financial messaging services, airline communication services like AMADEUS, stock market trading applications, ERP systems, e-commerce sites and many more are critical, and no downtime is tolerated. These applications are used to conduct transactions worldwide and run only on extensive IT resources. BCM is therefore a much-needed requirement for a quick recovery from a crisis to ensure survival of the business.

Phases of Disaster
1. Crisis Phase
The Crisis Phase is under the overall responsibility of the Incident Control Team (ICT). It comprises the first few hours after a disruptive event starts or the threat of such an event is first identified, and is caused by, for example:
• Ongoing physical damage to premises which may be life threatening, such as a fire; or
• Restricted access to premises, such as a police cordon after a bomb incident.
2. Emergency Response Phase
The Emergency Response Phase may last from a few minutes to a few hours after the disaster. During this phase, the Business Continuity Team (BCT) will assess the situation and decide if and when to activate the BCP.
3. Recovery Phase
The Recovery Phase may last from a few days to several months after a disaster and ends when normal operations can restart in the affected premises or replacement premises. During the recovery phase, essential operations will be restarted (this could be at temporary premises) by one or more recovery teams using the BCP, and the essential operations will continue in their recovery format until normal conditions are resumed.
4. Restoration Phase
This phase restores conditions to normal. During the restoration phase, any damage to the premises and facilities will be repaired.

Examples of Disaster and the phases invoked
• Serious fire during working hours: all phases in full.
• Serious fire outside working hours: all the phases; however, no staff and public evacuation.
• Very minor fire during working hours: Crisis Phase only; staff and public evacuation, but perhaps no removal of valuable objects; Fire Service summoned to deal with the fire.
• Gas leak outside or during working hours, repaired after some hours: only the Emergency Response Phase is appropriate.

Impact of Disaster
• Total destruction of the premises and its contents, for example as a result of a terrorist attack;
• Partial damage, preventing use of the premises, for example through flooding; or
• No actual physical damage to the premises but restricted access for a limited period, such as enforced evacuation due to
Need for BCM at Business Level the discovery nearby of an unexploded bomb.
• Need to provide access to potentially millions of new customers. Loss of Human Life
• Need to ensure security, privacy and con dentiality. e extent of loss depends on the type and severity of the disaster. Protection of human life is of utmost importance
• Need to integrate business processes onto web. and, the overriding principle behind continuity plans.
• Need to integrate business partners into key business processes.
• Increased pressure on delivering quality customer service 24x7. Loss of productivity
• Emerging pervasive computer devices. When a system failure occurs, employees may be handicapped in performing their functions. is could result in
productivity loss for the organisation.
Various Types of Disaster
BCM or BCP is all about planning in advance to meet future unforeseen events which may two major categories Loss of revenue
as: For many organisations like banks, airlines, railways, stock brokers, effect of even a relatively short breakdown may
lead to huge revenue losses.
1. Natural Disasters 2. Man-Made Disasters Loss of market share
Natural Disasters are those which are a result Man-made disasters are arti cial disasters which arise due to the In a competitive market, inability to provide services in time may cause loss of market share. For example, a prolonged
of natural environment factors. A natural actions of human beings. Arti cial disasters has its impact on a non-availability of services from services providers, such as Telecom Company or Internet Service Providers, will
disaster has its impact on the business’s business entity speci c to which it has occurred. Arti cial disasters cause customers to change to different service providers.
that is present in a geographical area where arising due to human beings Include Terrorist Attack, Bomb reat,
the natural disaster has struck. Natural Chemical Spills, Civil Disturbance, Electrical Failure, Fire, HVAC Loss of goodwill and customer services
disasters are caused by natural events and Failure, Water Leaks, Water Stoppage, Strikes, Hacker attacks, Viruses, In case of a prolonged or frequent service disruption, customers may lose con dence resulting in loss of faith and
include re, earthquake, tsunami, typhoon, Human Error, Loss Of Telecommunications, Data Center outrage, goodwill.
oods, tornado, lightning, blizzards, freezing lost data, Corrupted data, Loss of Network services, Power failure, Litigation
temperatures, heavy snowfall, pandemic, Prolonged equipment outrage, UPS loss, generator loss and anything Laws, regulations, contractual obligation in form of service level agreement govern the business operations. Failure
severe hailstorms, volcano etc. that diminishes or destroys normal data processing capabilities. in such compliance may lead the company to legal litigations and lawsuits.

30 www.prokhata.com CA Rajat Agrawal
CHAPTER 5: BUSINESS CONTINUITY MANAGEMENT
Invoking a DR Phase / BCP Phase

Operating Teams of Contingency Planning
Contingency Planning Team:
This team collects data about information systems and threats, conducts business impact analysis, and creates contingency plans for incident response, disaster recovery and business continuity.
Incident Response Team:
This team manages/executes the IR plan and is the first team to arrive during the outbreak of an incident. If unsuccessful, it summons the Disaster Recovery Team.
Disaster Recovery Team:
This team manages/executes the DR plan by detecting, evaluating and responding to disasters, and re-establishes primary site operations. Its role is to reduce the impact of the disaster: it executes the steps defined in the DR plan to recover and protect the resources being impacted by the disaster and to mitigate the disaster itself.
Business Continuity Team:
Manages/executes the BC plan by establishing off-site operations to ensure business continuity. The Business Continuity Team initiates the responses to the impacts being faced by the entity and brings the entity back to its original level of business functioning.

Key Disaster Recovery Activities
Declaring an incident/event is done by assigned personnel of management. Declaration of a disaster means:
1. Activating the recovery plan
2. Notifying team leaders
3. Notifying key management contacts
4. Redirecting information technology service to an alternate location
5. Securing a new location for the data centre
6. Ordering and configuring replacement equipment
7. Reconfiguring the network
8. Reinstalling software and data
9. Keeping management informed
10. Keeping users informed
11. Keeping the public informed

Disaster Recovery Plan (DRP) Scope and Objectives
The DRP should inform the user about the primary focus of the document: responding to a disaster, restoring operations as quickly as possible and reducing the number of decisions which must be made when, and if, a disaster occurs. It should also state who is responsible for keeping the document current. It should be approved by the appropriate authority. The objectives of the plan are to protect the organisation's computing resources and employees, to safeguard the vital records maintained on Information Technology Systems and to guarantee the continued availability of essential Information Technology services. The plan represents a dynamic process that will be kept current through updates, testing and reviews. As recommendations are completed or as new areas of concern are recognized, the plan will be revised to reflect the current IT and business environment. The IS Auditor has to review the process followed for preparation of the DRP, assess whether it meets the requirements of the organisation and provide recommendations on any areas of weakness identified.

DRP
A DRP should contain information about the vital records: where each is stored and who is in charge of it. It contains information about what is stored offsite, such as a current copy of the disaster recovery plan, copies of install disks etc.

Disaster Recovery Team
Disaster Recovery Management Team
General Responsibilities: Responsible for the overall coordination of the disaster recovery process from an Information Technology Systems perspective. The other team leaders report to this team during a disaster. In addition to their management activities, members of this team will have administrative, supply, transportation and public relations responsibilities during a disaster. Each of these responsibilities should be headed by a member of the management team.
General Activities:
• Assess the damage and, if necessary, declare a disaster
• Coordinate efforts of all teams
• Be the liaison to upper management
Administrative Team - Responsibilities: Hiring of temporary help or reassignment of other clerical personnel. Procedures during all phases: • Process expense reports • Account for the recovery costs • Handle personnel problems
Supply Team - Responsibilities: Purchase of all needed supplies, including computing equipment and supplies, paper and pencils, and office furnishings.
Public Relations Team - Responsibilities: Will pass appropriate information to the public and to employees.
Management Team Call Checklist: Specify the contact information for the team leader as well as team members, with details of the functionality for which each can be contacted.
Technical Support Team Call Checklist
Hardware Team - Responsibilities: Acquire, configure and install servers and workstations.
Software Team - Responsibilities: Maintain the systems software at the alternate site and reconstruct the system software upon returning to the primary site.
Network Team - Responsibilities: Preparing voice and data communications to the alternate location data centre and restoring voice and data communications.
Operations Team - Responsibilities: Daily operation of computer services and management of all backup tapes.
Facility Team
Salvage Team - Responsibilities: Minimizing the damage at the primary site and working with the insurance company for settlement of all claims; determining what equipment is salvageable and what is not. Also responsible for securing the disaster recovery data centre.
New Data Centre Team - Responsibilities: Locating the proper location for a new data centre and overseeing its construction. This includes the environmental and security controls for the room.
New Hardware Team - Responsibilities: Responsible for ordering replacement hardware for equipment damaged in the disaster and installing it in the new or rebuilt data centre.

Disaster Recovery Phases
1. Disaster Assessment:
The disaster assessment phase lasts from the inception of the disaster until it is under control and the extent of the damage can be assessed. Cooperation with emergency services personnel is critical.
2. Disaster recovery activation:
When the decision is made to move primary processing to another location, this phase begins. The Disaster Recovery Management Team will assemble and call upon team members to perform their assigned tasks. The most important function is to fully restore operations at a suitable location and resume normal functions. Once normal operations are established at the alternate location, Phase 2 is complete.
3. Alternate site operation:
This phase involves continuing operations at the alternate location. In addition, the process of restoring the primary site will be performed.
4. Return to primary site:
This phase involves the reactivation of the primary site at either the original or possibly a new location.
DOCUMENTATION: BCP MANUAL AND BCM POLICY
All documents that form the BCM are to be subject to document control and record control processes. The following documents (representative only) are classified as being part of the business continuity management system:
• The business continuity policy;
• The business continuity management system;
• The business impact analysis report;
• The risk assessment report;
• The aims and objectives of each function;
• The activities undertaken by each function;
• The business continuity strategies;
• The overall and specific incident management plans.
To provide evidence of the effective operation of the BCM, records demonstrating the operation should be retained as per the policy of the organisation and as per applicable laws, if any. In this, a profile is developed by identifying the resources required to support critical functions, which include hardware (mainframe, data and voice communication and personal computers), software (vendor supplied, in-house developed, etc.), documentation (user, procedures), outside support (public networks, DP services, etc.), facilities (office space, office equipment, etc.) and personnel for each business unit.

BCM Policy
The policy should consider all relevant standards, regulations and policies that have to be included or can be used as a benchmark. The objective of this policy is to provide a structure through which:
• Critical services and activities are identified.
• Plans are developed to ensure continuity of key service delivery.
• Incident management is invoked.
• Incident Management Plans and the BCP are subject to ongoing testing.
• Planning and management responsibility are assigned to members of the relevant senior management team.

BCP Manual
A BCP manual consists of the Business Continuity Plan and the Disaster Recovery Plan. The BCP Manual is expected to specify the responsibilities of the BCM team, whose mission is to establish appropriate BCP procedures to ensure the continuity of the organisation's critical business functions.

Elements of BCP Manual
1. Purpose of the plan:
Included in this section should be a summary description of the purpose of the manual.
2. Organisation of the manual:
Direction to the relevant section of the manual.
3. Disaster definitions:
Four types of classification can generally be used:
Problem/Incident: No significant damage.
Minor disaster: Limited financial impact.
Major disaster: Significant impact and effect on outside clients.
Catastrophic disaster: Affects the organisation's "going concern" status.
4. Objectives of the plan:
The objectives of the manual should be clearly stated in the introductory section. Safety/security of all personnel: the paramount objective of a BCP is to ensure the safety and security of people. The safeguarding of assets/data is always a secondary objective.
5. Scope of the plan:
The scope of the plan must be clearly identified. Any limitations must be explained.
6. Plan approach / recovery strategy:
A step-by-step summary of the approach adopted by the plan should be presented. For ease of reference, it may be good to provide this overview by means of a schematic diagram.
7. Plan administration:
The introductory section should also identify the person or persons responsible for the business continuity plan manual, and the expected plan review cycles.
8. Plan management:
The management responsibilities and reporting channels to be observed during disaster recovery should be clearly established in advance.
9. Disaster notification and plan activation procedures:
These procedures represent the first steps to be followed when any disaster occurs.

DATA BACKUP, RETENTION AND RESTORATION PRACTICES
Backup Strategies
Dual recording of data
Under this strategy, two complete copies of the database are maintained. The databases are concurrently updated.
Periodic dumping of data
This strategy involves taking a periodic dump of all or part of the database. The database is saved at a point in time by copying it onto some backup storage medium (magnetic tape, removable disk, optical disk). The dump may be scheduled.
Logging input transactions
This works in conjunction with a periodic dump. In case of complete database failure, the last dump is loaded and the transactions logged since that dump are reprocessed.
Logging changes to the data
This involves copying a record each time it is changed by an update action.
It is important to implement email and personal file backup policies. The data so transferred to the server will be backed up by the IT department as part of their routine backup.

Types of Backup
When backups are taken of the system and data together, they are called total system backups.
Full Backup
Captures all files on the disk.
Incremental Backup
An incremental backup captures files that were created or changed since the last backup, regardless of backup type.
Differential Backup
A differential backup stores files that have changed since the last full backup. Restoring from a differential backup is a two-step operation: restoring from the last full backup, and then restoring the appropriate differential backup.
Mirror Backup
A mirror backup is identical to a full backup, with the exception that the files are not compressed into zip files and they cannot be protected with a password.

Recovery Strategies
The recovery plan should identify a recovery team that will be responsible for working out the specifics of the recovery to be undertaken. The plan might also indicate which applications are to be recovered first. Periodically, the team must review and practise executing their responsibilities so they are prepared should a disaster occur.

Strategies for Networked Systems
These vary depending on the type of network architecture and implementation. For example, LANs can be implemented in two main architectures:
LAN Systems
• Peer-to-Peer: Each node has equivalent capabilities and responsibilities. For example, five PCs can be networked through a hub to share data.
• Client/Server: Each node on the network is either a client or a server. A client can be a PC or a printer; a client relies on a server for resources.
Listed below are some of the strategies for recovery of LANs:
1. Eliminating Single Points of Failure (SPOF):
The organisation should identify single points of failure that affect critical systems or processes outlined in the risk assessment. These single points of failure are to be eliminated by providing alternative or redundant equipment.
2. Redundant Cabling and Devices:
Contingency planning should also cover threats to the cabling system, such as cable cuts, electromagnetic and radio-frequency interference, and damage resulting from fire, water and other hazards. As a solution, redundant cables may be installed when appropriate.
3. Remote Access:
Remote access is a service provided by servers and devices on the LAN. Remote access provides a convenience for users working off-site or allows a means for servers and devices to communicate between sites.
Wireless LANs
These do not require the cabling infrastructure; wireless networks broadcast the data over a radio signal, enabling the data to be intercepted. Security controls, such as data encryption, should be implemented.
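The full, incremental and differential backup types above, and the "periodic dump plus logged transactions" strategy, as an added Python example (not code from the source chart). It drives a small file system through a constructed write log, takes backups at four checkpoints, and shows what each restore must replay: the write log, file names and checkpoint numbers are all constructed for illustration, and deletions are deliberately not modelled.

```python
"""Backup chains driven by a write log: full, incremental and differential
sets, the restore chain each one needs, and a dump-plus-log restore.

Added example; not code from the source chart. The write log and file
names are constructed for illustration. Deletions are not modelled, so a
backup set only ever carries new or modified files.
"""

# Constructed write log: (checkpoint, filename, content). Checkpoint 0
# creates the initial files; later checkpoints modify or add files.
WRITE_LOG = [
    (0, "ledger.db", "v1"), (0, "config.ini", "v1"), (0, "notes.txt", "v1"),
    (1, "ledger.db", "v2"),
    (2, "notes.txt", "v2"), (2, "report.pdf", "v1"),
    (3, "ledger.db", "v3"),
]


def state_at(log, checkpoint):
    """The file system after every logged write up to `checkpoint`."""
    files = {}
    for cp, name, content in log:
        if cp <= checkpoint:
            files[name] = content
    return files


def changed_since(current, reference):
    """Files that are new, or whose content differs from `reference`."""
    return {n: c for n, c in current.items() if reference.get(n) != c}


def plan_backups(log, checkpoints, mode):
    """Backup sets taken at each checkpoint; the first one is always full.

    mode="incremental": files changed since the previous backup of any type.
    mode="differential": files changed since the last full backup.
    """
    if mode not in ("incremental", "differential"):
        raise ValueError(f"unknown mode {mode!r}")
    sets, last_full, last_any = [], {}, {}
    for cp in checkpoints:
        current = state_at(log, cp)
        if not sets:
            kind, data, last_full = "full", dict(current), current
        elif mode == "incremental":
            kind, data = "incremental", changed_since(current, last_any)
        else:
            kind, data = "differential", changed_since(current, last_full)
        last_any = current
        sets.append({"checkpoint": cp, "kind": kind, "files": data})
    return sets


def restore_chain(sets, target):
    """The backup sets a restore to checkpoint `target` must replay, in order.

    Incremental: the full set plus every later incremental up to the target,
    so losing one set in the middle silently corrupts the result.
    Differential: the full set plus only the latest differential (two steps).
    """
    full = sets[0]
    later = [s for s in sets[1:] if s["checkpoint"] <= target]
    if later and later[-1]["kind"] == "differential":
        return [full, later[-1]]
    return [full] + later


def restore(chain):
    """Replay backup sets oldest to newest; later sets overwrite earlier ones."""
    files = {}
    for s in chain:
        files.update(s["files"])
    return files


def restore_from_dump_and_log(sets, log, target):
    """'Periodic dump + logged transactions': load the last full dump and
    reprocess every write logged after it, up to the target checkpoint."""
    full = sets[0]
    files = dict(full["files"])
    for cp, name, content in log:
        if full["checkpoint"] < cp <= target:
            files[name] = content
    return files


if __name__ == "__main__":
    inc = plan_backups(WRITE_LOG, [0, 1, 2, 3], "incremental")
    dif = plan_backups(WRITE_LOG, [0, 1, 2, 3], "differential")
    print("incremental restore to checkpoint 3 needs", len(restore_chain(inc, 3)), "sets")
    print("differential restore to checkpoint 3 needs", len(restore_chain(dif, 3)), "sets")
    print("all three restores agree:",
          restore(restore_chain(inc, 3)) == restore(restore_chain(dif, 3))
          == restore_from_dump_and_log(inc, WRITE_LOG, 3))
```

Running the block shows that an incremental restore to the last checkpoint needs all four sets while a differential restore needs two, and that skipping one incremental set leaves stale content with no error raised, which is why the recovery strategies above insist on rehearsing restores rather than only taking backups.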
Strategies for Distributed Systems
Distributed systems use the client-server model to make the application more accessible to users in different locations. The contingency strategies for a distributed system reflect the system's reliance on LAN and WAN availability. In addition, a distributed system should consider WAN communication link redundancy and the possibility of using service bureaus and Application Service Providers (ASPs).

Strategies for Data Communications
(i) Dial-up: Using dial-up as a backup to normal leased or broadband communications lines remains the most popular means of backing up wide-area network communications in an emergency. Ideally, the modems should be full-duplex modems; the half-duplex option will require two telephone lines.
(ii) Circuit extension: Communications from the remote sites can be directed to the primary site or the recovery site from the carrier's central office.
(iii) On-demand service from the carriers: Many carriers now offer on-demand services which provide the mechanisms to switch communications from the primary site to the recovery site on client notification.
(iv) Diversification of services: The use of diverse services provides the best solution to the loss of a carrier central office. Diversity can be achieved in a number of ways, including use of more than one carrier on a regular basis. If the organisation uses two or more carriers, it will likely pay above the odds for its regular service and require investment in some additional equipment.
(v) Microwave communications: These could be used to back up communications from the central office to the primary site in case of breakage in the land lines; to back up communications from the central office to the recovery centre; or as a backup link from a company-controlled communications centre direct to the recovery centre.
(vi) VSAT (Very Small Aperture Terminal) based satellite communications: This technique could similarly be used to back up the primary carrier service. The use of this technology requires VSAT terminals to be installed at each remote location and at the recovery centre, if it does not currently provide such a service.

Strategies for Voice Communications
(i) Cellular phone backup: Cellular phones could also be used on an ongoing basis to balance the load on the main PBX switch.
(ii) Carrier call rerouting systems: All calls to a given number can be rerouted to another number temporarily.

Types of Recovery and Alternative Sites
The traditional focus of BCP/DRP was the recovery of the corporate computer system, which was almost always a mainframe or large minicomputer. Mainframe-centric disaster recovery plans often concentrated on replacing an inaccessible or non-functional mainframe with compatible hardware. The types of alternate processing sites are outlined below, along with some of the widely adopted strategies for centralized system recovery.

Cold Site
A cold site is the least expensive type of backup site for an organisation to operate. It does not include backed-up copies of data and information from the original location of the organisation, nor does it include hardware already set up. The lack of hardware contributes to the minimal start-up costs of the cold site, but requires additional time following the disaster to have the operation running at a capacity close to that prior to the disaster.

Hot Site
A dedicated contingency centre, or "hot site", is a fully equipped computer facility with electrical power, heating, ventilation and air conditioning (HVAC) available for use in the event of a subscriber's computer outage. A hot site is a duplicate of the original site of the organisation. These facilities are available to a large number of subscribers on a membership basis, and use of the site is on a "first come, first served" basis.

Warm Site
A warm site is a compromise between hot and cold. These sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. An example would be backup tapes sent to the warm site by courier.

Mirror Site
The single most reliable system backup strategy is to have fully redundant systems, called an active recovery or mirror site. While most companies cannot afford to build and equip two identical data centres, those companies that can afford to do so have the ability to recover from almost any disaster.

Mobile Site
A mobile site is a vehicle ready with all necessary computer equipment, and it can be moved to any cold or warm site depending upon the need.

Offsite Data Protection
Data can also be sent electronically via a remote backup service, which is known as electronic vaulting or e-vaulting.

Data Vaults
Backups are stored in purpose-built vaults of three categories:
• Underground vaults
• Free-standing dedicated vaults
• Insulated chambers sharing facilities

Hybrid Onsite and Offsite Vaulting
Sometimes known as hybrid online backup, this involves a combination of local backup for fast backup and restore, along with off-site backup for protection against local disasters. Either the backup software or a D2D2C (Disk to Disk to Cloud) appliance encrypts and transmits the data to a service provider. Examples are cloud storage appliances from CTERA Networks, Nasuni, StorSimple and TwinStrata.
System Resiliency Tools and Techniques

Fault Tolerance
Fault tolerance is the property that enables a system (often computer-based) to continue operating properly in the event of the failure of (or one or more faults within) some of its components. The basic characteristics of fault tolerance require:
1. No single point of failure.
2. No single point of repair.
3. Fault isolation to the failing component.
4. Fault containment to prevent propagation of the failure.
5. Availability of reversion modes.
Fault tolerant systems are characterized in terms of both planned and unplanned service outages, usually measured at the application level and not just at the hardware level. A "five nines" system would therefore statistically provide 99.999% availability. A spare component addresses the first fundamental characteristic of fault tolerance (no single point of failure) in three ways:
(i) Replication: Multiple identical instances of the same system or subsystem, directing requests to all of them in parallel and choosing the correct result on the basis of a quorum.
(ii) Redundancy: Multiple identical instances of the same system, held in reserve in case of a failure (failover).
(iii) Diversity: Multiple different implementations of the same specification, used like replicated systems to cope with errors in a specific implementation.

Redundant Array of Inexpensive Disks (RAID)
Provides fault tolerance and performance improvement via hardware and software solutions.
RAID levels: Levels 0, 1 and 5 are the most commonly found; RAID-1 and RAID-5 provide data redundancy (RAID-0 stripes purely for performance and tolerates no disk failure).

Electronic vaulting:
Data is backed up to an offsite location. The data is generally backed up through a batch process and transferred over communication lines to a server at an alternate location.
Remote journaling:
Parallel processing of transactions to an alternate site, as opposed to the batch dump process of electronic vaulting. The alternate site is fully operational at all times and introduces a very high level of fault tolerance.
Database shadowing:
Live processing as in remote journaling, but with even more redundancy: the database is duplicated to multiple server sites.
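RAID-5 as named above, as an added Python example (not code from the source chart) of what "no single point of failure" means at the disk level: a four-disk array with rotating XOR parity, a single lost disk rebuilt from the survivors, and a double loss reported as unrecoverable. The disk count, block size and stored payload are constructed for illustration; real controllers use far larger blocks and add checksums, which this model omits.

```python
"""RAID-5: block striping with rotating XOR parity across N disks.

Added example; not code from the source chart. Disk geometry and the
stored payload are constructed for illustration. Each stripe holds N-1
data blocks and one parity block (the XOR of those data blocks); the
parity position rotates one disk per stripe so no single disk becomes a
parity bottleneck. Any single failed disk is rebuilt from the others; a
second failure in the same array is unrecoverable and is reported.
"""
BLOCK = 4  # bytes per block; tiny so the layout is easy to inspect


def xor_blocks(blocks):
    """XOR an iterable of equal-length byte blocks into one block."""
    out = bytearray(BLOCK)
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def parity_disk(stripe_no, n_disks):
    """Disk that holds the parity block for a stripe (rotates backwards)."""
    return (n_disks - 1 - stripe_no) % n_disks


def write_raid5(data, n_disks):
    """Lay `data` out over `n_disks`; returns one list of blocks per disk."""
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = n_disks - 1
    blocks = [data[i:i + BLOCK].ljust(BLOCK, b"\0")
              for i in range(0, len(data), BLOCK)]
    while len(blocks) % per_stripe:  # zero-pad the final stripe
        blocks.append(b"\0" * BLOCK)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(blocks) // per_stripe):
        chunk = blocks[s * per_stripe:(s + 1) * per_stripe]
        parity = xor_blocks(chunk)
        p = parity_disk(s, n_disks)
        nxt = iter(chunk)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(nxt))
    return disks


def fail_disk(disks, index):
    """A copy of the array with one more disk lost (None marks a dead disk)."""
    return [None if d == index or disk is None else list(disk)
            for d, disk in enumerate(disks)]


def can_recover(disks):
    """RAID-5 survives exactly one failed disk."""
    return sum(1 for disk in disks if disk is None) <= 1


def read_raid5(disks, length):
    """Reassemble `length` bytes, rebuilding a single failed disk from parity."""
    if not can_recover(disks):
        raise RuntimeError("more than one disk failed; RAID-5 tolerates one")
    n_disks = len(disks)
    failed = [d for d, disk in enumerate(disks) if disk is None]
    n_stripes = len(next(disk for disk in disks if disk is not None))
    out = bytearray()
    for s in range(n_stripes):
        stripe = [disk[s] if disk is not None else None for disk in disks]
        if failed:
            f = failed[0]
            # data blocks and parity XOR to zero across a stripe, so the
            # missing block is the XOR of every surviving block
            stripe[f] = xor_blocks(b for d, b in enumerate(stripe) if d != f)
        p = parity_disk(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += stripe[d]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"no single point of failure, and no single point of repair"
    array = write_raid5(payload, 4)
    for lost in range(4):
        assert read_raid5(fail_disk(array, lost), len(payload)) == payload
    print("payload rebuilt cleanly after losing any one of four disks")
```

The reconstruction works only because every stripe XORs to zero; once a second disk is gone there is one equation and two unknowns, which is the practical reason a degraded RAID-5 array must be resynced promptly and why RAID alone is not a backup.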
Testing of BCP
1. Checklist test: Copies of the plan are distributed to each business unit's management. The plan is then reviewed to ensure that it addresses all procedures and critical areas of the organisation.
2. Structured walk-through test: Representatives meet to walk through the plan. Each step of the plan is walked through in the meeting and marked as performed.
3. Simulation test: A mock practice session in response to a simulated disaster. The simulation may go to the point of relocating to the alternate backup site but does not perform any actual recovery process.
4. Parallel test: Critical systems actually run at the alternate processing backup site. Systems are relocated to the alternate site and the results of the transactions and other elements are compared. This is the most common type of disaster recovery plan testing.
5. Full interruption test: A disaster is replicated even to the point of ceasing normal production operations. The plan is implemented as if it were a real disaster, to the point of involving emergency services.
Documentation of results: Detailed documentation of observations, problems and resolutions should be maintained. Live tests especially could create a disaster if not planned properly, because they use real people and real resources in real conditions.
BCP Audit and Regulatory Requirements
Role of IS Auditor in BCP Audit
The objective of a BCP review is to assess the ability of the organisation to continue all critical operations during a contingency and recover from a disaster within the defined critical recovery time period. The IS Auditor is expected to identify residual risks which have not been identified and provide recommendations to mitigate them.
Regulatory Requirements
The business continuity plan audit should be programmed to cover the applicable laws, standards and frameworks. It is also necessary to understand whether the information technology arrangements related to BCP/DRP support the business's compliance with external laws and regulations.
Regulatory Compliances of BCP
Basel Committee on E-Banking: The Basel Committee on E-Banking outlines the principles for electronic banking as: "Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services". The Committee underlines that banks should also ensure that periodic independent internal and/or external audits are conducted of business continuity and contingency planning. These requirements are spelt out in Appendix VI, "Sound Capacity, Business Continuity and Contingency Planning Practices for E-Banking".
Indian legislations: There are various Indian legislations, such as the Information Technology Act, Income Tax Act, Central Sales Tax Act, State VAT Acts, Service Tax Act, Central Excise Act etc., which require data retention for a specific number of years. Organisations which have to comply with these requirements have to ensure that they have a proper business continuity plan which meets them.
Bank Audit: The Long Form Audit Report contains two key points relating to business continuity and disaster recovery:
• Regular back-ups of accounts and off-site storage are maintained
• Adequate contingency and disaster recovery plans
ISO 22301:2019
ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise.
ISO 27031:2011
Describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design and implementation). It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.

Services that can be Provided by an IS Auditor in BCM
1. Management consultancy services in providing guidance in drafting a BCP/DRP.
2. Designing and implementing a BCP/DRP relevant to the organisation's nature and size, and designing the phases for implementation of the BCP.
3. Designing test plans and conducting tests of the BCP/DRP.
4. Consultancy services in revising and updating the BCP/DRP.
5. Conducting pre-implementation audit, post-implementation audit and general audit of the BCP/DRP.
6. Consultancy services in risk assessment and business impact analysis.
7. CAs can be involved in BCP implementation areas such as:
(a) Risk Assessment
(b) Business Impact Assessment
(c) Disaster Recovery Strategy Selection
(d) Business Continuity Plan Development
(e) Fast-track Business Continuity Development
(f) BCP / DRP Audit, Review and Health-check Services
(g) Development and Management of BCP / DRP Exercises and Rehearsals
(h) Media Management for Crisis Scenarios
(i) Business Continuity Training
34 www.prokhata.com CA Rajat Agrawal


MODULE : 3 - SYSTEM DEVELOPMENT, ACQUISITION, IMPLEMENTATION CHAPTER 1 : PROJECT MANAGEMENT FOR SDLC
MODULE 3  SYSTEM DEVELOPMENT, ACQUISITION IMPLEMENTATION AND MAINTENANCE APPLICATION SYSTEM AUDIT
CHAPTER 1:
PROJECT MANAGEMENT FOR SDLC
Project Management for SDLC
Unless the proposed system becomes operational and the organization begins deriving benefit out of it, an SDLC project cannot be treated as complete. The IS Auditor should ensure that appropriate controls are designed at the analysis and design stage.

Project Management Frameworks

A project is initiated once it is approved. Project management practices, tools and control frameworks make it possible to manage all the relevant aspects of a large project, like planning, scheduling, resource management, risk management, sizing and estimation of efforts, milestone achievements, quality, deliverables and budget monitoring.
Approaches for project management: Project Management Body of Knowledge (PMBOK®) version 6 of the Project Management Institute (PMI), also adopted as an IEEE standard, and Projects in a Controlled Environment (PRINCE2™) of the Office of Government Commerce (OGC) in the UK.
There are significant differences in scope, content and wording in each of these standards; each approach has its own pros and cons, but several elements are common. Some are focused on software development, others take a general approach; some focus on a holistic and systemic view, others are very detailed workflows including templates for document creation.
Capability Maturity Model Integration (CMMI): Process improvement approach that provides an enterprise with the essential elements of effective processes. The lower levels reflect an instance view (individual knowledge); the higher levels reflect an enterprise view (corporate knowledge).

Level 0 Incomplete: Process is not implemented or fails to achieve its process purpose.
Level 1 Performed: Implemented process achieves its process purpose.
Level 2 Managed: Process is now implemented in a managed fashion and its work products are appropriately established, controlled and maintained.
Level 3 Established: Previously described managed process is now implemented using a defined process capable of achieving its process outcomes.
Level 4 Predictable: Previously described established process now operates within defined limits to achieve its process outcomes.
Level 5 Optimized: Previously described predictable process is continuously improved to meet relevant current and projected business goals.

Key Concepts of Project Management


A project is a temporary activity undertaken to generate a defined outcome (like creating a service or product). A project is closed once the expected outcome is delivered or results are achieved, or if the project becomes technically or economically unviable.
Five major process groups:
Project initiation: Processes related to developing the project charter based on the scope of the project. In an SDLC project, it is the business case that helps in identifying beneficiaries and stakeholders of the project.
Project planning: Processes related to developing the project execution plan, finalizing requirements, defining the work breakdown structure and modules, estimating efforts and cost, resource planning, risk management, procurement planning and the plan for communications with stakeholders.
Project execution: Processes related to directing project teams, ensuring quality assurance and testing, managing requirements and changes in requirements, ensuring timely procurements and managing resources.
Project monitoring and controlling: Processes related to monitoring risks, scope creep, quality of deliverables, costs and budgets, and performance reporting.
Project closing: Handing over deliverables or terminating the project.
Program and Project Management and Organization

Portfolio/Program Management
A program is a group of projects and/or time-bound tasks that are linked together through common objectives. Programs have a limited time frame (start and end date), a predetermined budget and defined deliverables/outcomes. A program is more complex than a project and many times consists of multiple projects.
Portfolio: Group of all projects/programs (related or unrelated) carried out in an organisation.
Project/program management office (PMO): The PMO governs the processes of project management but is not involved in management of project content. Includes management of: program scope, program financials (costs, resources, cash flow, etc.), schedules, objectives, context, communication and organization.
Project management organization forms (depending upon the nature of business):
Functional organization influenced by the projects: These are business organizations that are involved in production of goods and services. Projects are undertaken to support the functional activities. For example, a manufacturing organization may want to automate administrative processes (like finance, HR, payroll etc.) using IT. The Project Manager has only a staff function without formal management authority and is only allowed to advise peers and team members as to which activities should be completed.
Projectized (“projectile”) organization: They execute projects, for example an infrastructure development organization; the Project Manager has formal authority over the project team.
Matrix project organization: Most IT companies fall under this category, where the organization undertakes projects to manage business functions for other organizations and also executes projects for customer organizations; management authority is shared between the Project Manager and the functional department heads.
The IS Auditor has to understand these organizational forms and their implications on controls in SDLC project management activities.



Portfolio, Program and Project (example hierarchy)
Portfolio (IT related development, IT services, procedure documentation, IT risk management, IT security management etc.)
  Program 1 (IT Security Management)
    Sub-Program 1.1 (IT Asset and Risk Management)
      Project 1.1.1 (IT Asset Management and classification automation using service manager)
      Project 1.1.2 (IT Risk Management, outsourced FPP)
    Project 1.1 (ISO 27001 accreditation)
  Program 2 (Application Management)
    Sub-Program 2.1 (Web based services development)
      Project 2.1.1 (Supplier web service application development, SDLC)
      Project 2.1.2 (Customer access and help desk web based application, SDLC)
    Sub-Program 2.2 (ERP Implementation)
      Project 2.2.1 (Standard ERP configuration and pilot implementation at P1)
      Project 2.2.2 (ERP roll out at P2 to P5)
Project Initiation
Whenever stakeholders in the business or senior management decide to undertake computerization, a project will have to be initiated. For example:
• New business application to address a new or existing business process: HR management system, billing system, order processing.
• Adoption of a new technology: Internet based advertising for an advertising company.
• Application software: computerization of college admissions.
• Migrating from a text-based computerized system to a GUI based system: old COBOL/XBASE based distributed banking to an RDBMS based Core Banking system.
A project can be initiated from any part of the organization. A project is time bound, with specific start and end dates. A project sponsor and project manager are appointed to execute the further activities. The objectives and scope are compiled into terms of reference or a project charter that states the objective of the project. Approval of a project initiation or project request is the authorization for a project to begin.
Major activities:

Project initiation team: To complete the project initiation activities.
Relationship with customer: To build stronger customer partnerships and also a higher trust level.
Plan for project initiation: Define the scope of the project.
Management procedures: To achieve successful completion of the project.
Project workbook and project management environment: To organize and collect the tools that will be used for managing the project. The project workbook is derived from charts, diagrams and descriptions of the system. It serves as a repository for all project deliverables, inputs, outputs, correspondence, procedures and standards established by the project.
A standard process for project management is to prepare a formal Project Initiation Report that is presented to Senior Management or the Board of Directors. Once accepted, this becomes the formal charter for the project and triggers the next phases of SDLC.
Project Management Methodology
• IT projects are divisible into pre-defined phases.
• Begins with the project charter and ends with the closure of the project.
• Organizations may adopt standard processes prescribed by globally accepted standards developed by organizations like PMI.
• Organizations following a standard project management process have a higher possibility of completing projects in time, within budget and with deliverables meeting the expected quality.
Project Context and Environment
• An organization may be running several projects at the same time.
• Relationships between these projects have to be established to identify common objectives for the business.
• This is a function of project portfolio management, to help in consolidating common activities.
Context is based on:
• Importance of the project to the organization's objectives.
• Relationship with other projects.
• Priority based on the business case.
• Start and end time of the project.
Project Communication and Culture
Success of a project depends upon timely communication with stakeholders and affected parties through:
• One-on-one meetings
• Kick-off meetings
• Project start workshops
• Periodic reporting
The Project Manager develops and executes a communication plan so as to inform issues and concerns, if any, and to report project progress.
Project Objectives
To deliver the defined outcome/deliverables/product in time, within budget and of the desired quality. Measurement of success depends upon clearly defining results that are specific, measurable, attainable, realistic and timely (SMART).
Work breakdown structure (WBS): A tool used to break the project down into manageable and controllable units of work; it forms the baseline for cost and resource planning.
Work packages (WP): Detailed specifications regarding the WBS can be used to develop work packages. Each WP must have a distinct owner and a list of main objectives, and may have a list of additional objectives. The WP specifications should include dependencies on other WPs.
Task list: A list of actions to be carried out to complete each work package, including the assigned responsibilities and deadlines. Task lists merged together form a project schedule.
Project schedules: Work documents containing the start and finish dates, percentage completed, task dependencies, and the names of the individuals planned to work on the tasks.
Project Management Practices
• Many organizations prefer to adopt practices based on global standards/best practices, e.g. PMBOK, PRINCE2 etc.
• Successful project planning is a risk-based management process that is iterative in nature.
• Project management practices for SDLC projects also provide standards for systematic quantitative and qualitative approaches to software size estimating, scheduling, allocating resources and measuring productivity.
• Project management tools like MS Project can be adapted to implement techniques that assist the Project Manager in controlling the time and resources utilized during execution of the project.



Project Planning
To plan and control SDLC projects, the Project Manager needs to determine:
• The various project tasks and management tasks needed to develop/acquire and implement the business application system.
• The order in which these tasks should be performed.
• The estimated duration for each task.
• The priority of each task.
• The IT resources available, and when these resources are required in the project.
• The budget or costing for each of these tasks: notional for internal resources, monetary for outsourced projects.
Techniques like Gantt charts, Program Evaluation Review Technique (PERT) and Critical Path Method (CPM) are useful in creating and monitoring the project plan.
Major activities:
• Measure the development effort, using one of the software sizing techniques.
• Identify resources, e.g. skilled people and development tools.
• Budgeting: although the overall budget for the project has been allocated at a high level during business case development, the Project Manager needs to prepare a granular budget for monitoring.
• Scheduling and establishing the time frame: identify logical sequential and parallel task relationships and determine the earliest start date; from the resources arrive at the latest expected finish date.
• Schedules are presented using PERT and CPM diagrams and Gantt charts.
Project Controlling
New requirements for the project are documented and appropriate resources are allocated. Control of changes during a project ensures that projects are completed meeting stakeholder requirements.
Mid-term project review: the IS Auditor focuses on project planning and controlling activities to ensure that these are not deviating from the primary objectives of the project.
Management of Scope (“Scope Creep”)
Scope creep refers to an uncontrolled project scope due to continuous changes in project requirements. Scope creep is one of the major factors in the failure of a project. It can be controlled by:
• Baselining the requirements before project planning.
• A change management process: who can request a change, how a formal change request is made, what it should contain and the reasons for the change. For complex deliverables, it is best to document the work breakdown structure.
• The Project Manager then assesses the impact of the change request on project activities, schedule and budget.
• A change advisory board evaluates change requests and decides on approving changes.
• Once a change is accepted, the Project Manager should update the project plan.
• The updated project plan must be formally confirmed by the Project Sponsor, accepting or rejecting the recommendation of the change advisory board.
Resource Management
Monitoring resource usage during project execution is the process used to control the budget and ensure that the cost plan is on track.
Earned Value Analysis (EVA): EVA is the technique for projecting estimates at completion. It compares the expected budget till date, the actual cost, the estimated completion date and the actual completion at regular intervals during the project. It is a tool used to verify that deployed resources are capable of finishing a task within the set time limit and with the expected quality level.
Illustration: a task is planned at 8 hours on Day 1 and 8 hours on Day 2. At the end of Day 1 the earned value is read as the time remaining to complete the task:
• less than 8 hours remaining: resource might be idle;
• 8 hours remaining: project on track;
• more than 8 hours remaining: project might be delayed.
Project Risk Management Standards and Methods
PMBOK of PMI specifies the following risk activities for the Project Manager:
• Project planning phase: Plan Risk Management, Identify Risks, Qualitative Analysis of Risks, Quantitative Analysis of Risks, Plan Risk Responses.
• Project monitoring phase: Control Risks.
Risk in Project Management
Two main categories of project risk: risk that impacts the business benefits (the project sponsor is responsible for mitigating it) and risk that impacts the project itself (the Project Manager is responsible).
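The earned value analysis described above, as an added worked example that is not part of the original chart: it applies the standard earned value formulas (planned value, earned value, actual cost, CPI, SPI and the estimate at completion), which the chart refers to but does not spell out, to a constructed four-task status snapshot, and maps the schedule index onto the chart's "less than / equal to / more than 8 hours" reading. The task figures and the 2% tolerance are assumptions for illustration.

```python
"""Earned value analysis (EVA) status check: an added example, not from the
original chart. Uses the standard earned value formulas; the task snapshot
below is constructed for illustration."""
from dataclasses import dataclass


@dataclass
class TaskStatus:
    name: str
    budget: float        # planned effort for the task in person-hours (its BAC)
    planned_pct: float   # fraction of the task that should be done by the status date
    done_pct: float      # fraction actually completed by the status date
    actual_cost: float   # person-hours actually spent so far


def earned_value(tasks):
    """Compute the standard EVA figures for a status date.

    PV  = planned value (budget * planned %), the expected budget till date
    EV  = earned value  (budget * done %), the value of work actually done
    AC  = actual cost, what was really spent
    CPI = EV / AC (cost performance), SPI = EV / PV (schedule performance)
    EAC = BAC / CPI, the estimate at completion if current cost efficiency holds
    """
    pv = sum(t.budget * t.planned_pct for t in tasks)
    ev = sum(t.budget * t.done_pct for t in tasks)
    ac = sum(t.actual_cost for t in tasks)
    bac = sum(t.budget for t in tasks)
    if ac == 0 or pv == 0:
        raise ValueError("no work planned or spent yet: the indices are undefined")
    cpi = ev / ac
    spi = ev / pv
    eac = bac / cpi if cpi > 0 else float("inf")   # nothing earned yet: no finite projection
    return {"PV": pv, "EV": ev, "AC": ac, "BAC": bac, "CPI": cpi, "SPI": spi, "EAC": eac}


def reading(metrics, tolerance=0.02):
    """Map the indices onto the chart's three readings.

    SPI above 1: work is ahead of plan (resource might be idle); SPI near 1: on
    track; SPI below 1: project might be delayed. CPI below 1 is a cost overrun.
    `tolerance` is an assumed threshold that ignores tiny deviations.
    """
    spi, cpi = metrics["SPI"], metrics["CPI"]
    if spi > 1 + tolerance:
        schedule = "ahead of plan: resource might be idle"
    elif spi < 1 - tolerance:
        schedule = "behind plan: project might be delayed"
    else:
        schedule = "on track"
    cost = "over budget" if cpi < 1 - tolerance else "within budget"
    return schedule, cost


# Constructed status snapshot taken during the design phase (person-hours).
SAMPLE_TASKS = [
    TaskStatus("requirements", 80, 1.00, 1.00, 90),
    TaskStatus("design", 120, 1.00, 0.75, 100),
    TaskStatus("coding", 200, 0.25, 0.10, 30),
    TaskStatus("testing", 100, 0.00, 0.00, 0),
]

if __name__ == "__main__":
    m = earned_value(SAMPLE_TASKS)
    for key, value in m.items():
        print(f"{key:4} {value:8.2f}")
    print(reading(m))
```

For the constructed snapshot the project has earned 190 of the 250 planned hours while spending 220, so SPI is 0.76 and CPI about 0.86: behind plan and over budget, with the estimate at completion rising from 500 to about 579 hours if the same cost efficiency continues.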

Project Risk (based on impact)
• Risk to business benefits: the project sponsor is responsible to mitigate it.
• Risk to the project itself: the project manager is responsible to mitigate it.
Risk Management Process
Identify Risk: Hold a brainstorming session with your team and create an inventory of possible risks.
Assess and Evaluate Risk: Quantify the likelihood as a percentage and the impact of the risk as an amount. The “insurance policy” (total impact) that needs to be in the project budget is calculated as the likelihood multiplied by the impact.
Manage Risk: The more important the risk, the more budget should be made available for counter-measures. A risk can be mitigated, avoided, transferred or accepted depending on its severity, likelihood, the cost of counter-measures and the organization's policy.
Monitor Risk: Watch for risks that materialize, and act accordingly.
Evaluate the Risk Management Process: Review and evaluate the effectiveness and costs of the Risk Management Process.
The IS Auditor has to focus on the Risk Management Process as it provides detailed insight on the effectiveness of Project Management.

Project Closing
Projects should be formally closed to provide accurate information on project results, improve future projects and allow an orderly release of project resources. Project closure is to be planned in two situations:
Project deliverables are completed:
1. The Project Sponsor should be satisfied that the system produced is acceptable.
2. Custody of contracts may need to be assigned.
3. Survey the project team, development team and users to identify any lessons learned that can be applied to future projects.
4. Assess achievement of objectives and adherence to the schedule, costs and quality of the project.
5. Conduct a post-project review in which lessons learned are recorded.
6. Release the project teams.
The project is suffering from risk materialization and has to be terminated: changes in functional requirements, obsolescence of the planned technology, availability of new technology, unforeseen budget constraints, strategy changes etc. Closure is planned depending upon the status of the project.
An IS Auditor conducting a review after project closure assesses whether objectives were achieved, time overrun, cost overrun and the quality of deliverables.



Roles and responsibilities
Steering Committee
Provides overall direction and monitors the project execution. Responsible for all deliverables, project costs and schedules. Comprises senior representatives having authority for decision making. The Project Sponsor chairs the steering committee; the Project Manager is a member of the steering committee.
Role of Project Steering Committee:
• Reviews project progress periodically
• Serves as co-ordinator and advisor to the project
• Takes corrective action based on reviews
• Takes the decision on, and if required recommends, that the project be halted or discontinued
Project Sponsor
Provides funding and assumes overall ownership and accountability of the project.
Project Manager
Identified and appointed by the IS steering committee. Has complete operational control over the project. The primary functions of the project manager are:
• Day-to-day management
• Ensure expected quality
• Resolve conflicts
• Delivery of the project within the time and budget
Senior Management
Demonstrates commitment to the project and approves the necessary resources to complete the project. A senior management representative is appointed by the steering committee.
Business Management
Assumes ownership of the project and the resulting system; allocates qualified representatives who actively participate in business process redesign, system requirements definition, test case development, acceptance testing and user training. Business Management is concerned with questions like:
• Are the required functions available in the software
• How reliable and efficient is the software
• Is it possible to add new functions
• Does it meet regulatory requirements, etc.
Systems Development Project Team
Consists of System Analysts, Developers, Testing Professionals, Control Consultants (IS Auditor), and Hardware and Network Consultants. They complete the assigned tasks, communicate effectively with users, and advise the Project Manager of necessary project plan deviations.
Business Function Representatives/Domain Specialists
Consist of Subject Matter Experts (SMEs) that provide inputs to developers and system analysts on requirements and business related controls, and sometimes approve the low-level design specifications.
Security Officer
Ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies. Consults throughout the life cycle on appropriate security measures that should be incorporated into the system.
Quality Assurance (QA)
• Develop the test plan and test the code
• Review that project documentation is complete
• Review the deliverables of the project
Technology Specialist
Experts in specific technology areas, such as Microsoft technology, Web-enablement and the like.
Systems Analyst
Understands the existing problem/system/data flow and the new requirements; converts the user's requirements into system requirements to design the new system.
Programmers/Developers
Convert the design into programs by coding in a programming language. Also referred to as Coders or Developers.
Testers
Junior level quality assurance personnel who test programs and subprograms and prepare test reports.
Documentation Specialist
Creation of user manuals and other documentation.
Database Administrator (DBA)
Handles multiple projects and ensures the integrity and security of information stored in the database.
Data Administrator (DA)
Gathers and analyzes business requirements and develops conceptual and logical models of the business. Defines and enforces standards and naming conventions of the database. Administers the metadata repository and data administration tools, and also keeps interface with business users for data definition.
User Manager
Immediate manager or reporting manager of an employee. Has ultimate responsibility for all user IDs and information assets owned by company employees. In the case of non-employee individuals such as contractors, consultants, etc., the user manager is responsible for the activity and for the company assets used by these individuals.
Role of IS Auditor in SDLC
• Analyze the associated risks and exposures inherent in each phase of the SDLC.
• Assure that appropriate control mechanisms are in place to minimize the risks in a cost-effective manner.
• Assess the project development team's ability to produce key deliverables by the promised dates.
Documentation of all phases should be collected and reviewed. Specific areas of review of the project processes:
• Understand the standards adopted through the process of inquiry, observation and documentation review.
• Determine the significant phases for the various project sizes and types.
• Assess the efficiency and effectiveness of each function in satisfying the users' goals and the organization's objectives.
• Test the methodology adopted and determine compliance by reviewing the documentation produced.
• Evaluate the controls designed for compliance with internal control principles and standards.
• Determine compliance with common security, auditability and change control standards.
If the IS Auditor is part of the project team in an advisory role then, depending on the level of involvement, the IS Auditor may become ineligible to perform audits of the application when it becomes operational.



SDLC Project Management Techniques and Tools

Computer-Aided Software Engineering (CASE) tools
Automated tools that aid in the software development process. These include tools for capturing and analyzing requirements, software design, code generation, testing, document building and other software development activities.
The IS Auditor is not expected to have detailed knowledge of how to use CASE tools, but has to understand their role where required for an effective audit of the SDLC project.
Code Generators
• Part of CASE tools or of a development environment like Visual Studio.
• Generate program source code based on the parameters provided.
• Reduce the development (particularly coding) time; however, maintaining or changing the generated programs might be painful and time consuming.
Software Size Estimation
Once the work breakdown structure is completed, the Project Manager must perform software size estimation, i.e. determine the physical size of the application (number of programs, modules, reusable functions/modules etc.). This helps the Project Manager in deciding resource and skill requirements and in judging the time and cost required for development.
Source Lines Of Code (SLOC)
• SLOC is a direct method of software size estimation.
• FPA is more reliable as compared to SLOC, especially for complex projects.
Function Point Analysis (FPA)
• An indirect method of software size estimation.
• Function points are a unit measure for software size, much like an hour is for measuring time, miles are for measuring distance or Celsius is for measuring temperature.
• The function point count is arrived at on the basis of the number and complexity of inputs, outputs, files, interfaces and queries.
• FPA is more reliable than SLOC.
FPA Feature Points (for web-enabled applications)
• In web-enabled applications, the development effort depends on the number of forms, the number of images, the type of images (static or animated), the features to be enabled, and the interfaces and cross-referencing that are required.
• Thus, from the point of view of web applications, the effort would include all that is mentioned under function point estimation, plus the features that need to be enabled for different types of user groups.
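The function point count described above, as an added worked example that is not part of the original chart: it computes unadjusted function points from counts of inputs, outputs, queries, files and interfaces by complexity, applies the value adjustment factor, and converts the size to effort. The weights and the adjustment formula follow the IFPUG counting practice (which the chart does not list); the count sheet, the general system characteristic ratings and the productivity rate are constructed for a small order-processing system.

```python
"""Function point analysis (FPA) size estimate: an added example, not from
the original chart. The weights and the value adjustment factor follow the
IFPUG counting practice; the component counts, GSC ratings and productivity
rate below are constructed for a small order-processing system."""

# IFPUG weights per component type, indexed by complexity (simple, average, complex).
WEIGHTS = {
    "EI":  (3, 4, 6),    # external inputs: screens/transactions that add or change data
    "EO":  (4, 5, 7),    # external outputs: reports and messages with derived data
    "EQ":  (3, 4, 6),    # external inquiries: request/response lookups, no derivation
    "ILF": (7, 10, 15),  # internal logical files: data groups the application maintains
    "EIF": (5, 7, 10),   # external interface files: data groups read from other systems
}
COMPLEXITY = {"simple": 0, "average": 1, "complex": 2}


def unadjusted_function_points(counts):
    """counts: {component type: {complexity: number of items}} -> UFP.

    Raises ValueError for an unknown component type or complexity so that a
    typo in the count sheet cannot silently shrink the estimate."""
    total = 0
    for ctype, per_complexity in counts.items():
        if ctype not in WEIGHTS:
            raise ValueError(f"unknown component type {ctype!r}")
        for level, n in per_complexity.items():
            if level not in COMPLEXITY:
                raise ValueError(f"unknown complexity {level!r} for {ctype}")
            total += n * WEIGHTS[ctype][COMPLEXITY[level]]
    return total


def value_adjustment_factor(gsc_ratings):
    """VAF = 0.65 + 0.01 * sum of the 14 general system characteristics (0..5 each)."""
    if len(gsc_ratings) != 14 or any(not 0 <= r <= 5 for r in gsc_ratings):
        raise ValueError("exactly 14 ratings in the range 0..5 are required")
    return 0.65 + 0.01 * sum(gsc_ratings)


def adjusted_function_points(counts, gsc_ratings):
    return unadjusted_function_points(counts) * value_adjustment_factor(gsc_ratings)


def effort_person_hours(function_points, hours_per_fp):
    """Size to effort using the organisation's own historical productivity rate."""
    return function_points * hours_per_fp


# Constructed count sheet for a small order-processing application.
SAMPLE_COUNTS = {
    "EI":  {"simple": 6, "average": 4, "complex": 2},
    "EO":  {"simple": 3, "average": 3, "complex": 1},
    "EQ":  {"simple": 4, "average": 2, "complex": 0},
    "ILF": {"simple": 2, "average": 2, "complex": 1},
    "EIF": {"simple": 1, "average": 1, "complex": 0},
}
# Constructed ratings for the 14 general system characteristics.
SAMPLE_GSC = [3, 2, 4, 3, 3, 2, 3, 4, 2, 3, 3, 4, 2, 2]
HOURS_PER_FP = 12  # assumed productivity rate; take it from the organisation's own history

if __name__ == "__main__":
    ufp = unadjusted_function_points(SAMPLE_COUNTS)
    afp = adjusted_function_points(SAMPLE_COUNTS, SAMPLE_GSC)
    print(f"UFP={ufp} VAF={value_adjustment_factor(SAMPLE_GSC):.2f} AFP={afp:.1f} "
          f"effort={effort_person_hours(afp, HOURS_PER_FP):.0f} person-hours")
```

The constructed sheet gives 161 unadjusted function points and a VAF of 1.05, i.e. about 169 adjusted function points; the conversion to effort is only as good as the hours-per-function-point rate, which is why it is kept as a separate, explicitly assumed input rather than a built-in constant.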
Cost Budgets: Cost estimates of an SDLC project are based on the amount of effort likely to be required to carry out each task.
• Person-hours: e.g. System Analysts, Programmers, Support Staff, Testing Teams etc.
• Infrastructure: Hardware, Software, Networks etc.
• Other costs: Third-party services, automation tools required for the project, consultant or contractor fees, training costs, etc.
Prepare an estimate of human and machine effort for all tasks. Determine the hourly rate for each type of person-hour and arrive at the total person cost.
Development Environments and Non-Procedural Languages
Developer's Workbench: Provides an environment to the developer for editing, simulating code, temporary storage, file management and sometimes code generation. Referred to as an Integrated Development Environment (IDE).
Non-procedural languages: Event driven and make extensive use of Object-Oriented Programming concepts such as objects, properties and methods. These languages provide environmental independence (portability). They are classified in the following ways:
• Query and Report Generators: Extract data and produce reports.
• Embedded Database Languages: Extract data and produce reports.
• Relational Database Languages: Optional feature.
Project Controlling Tools and Techniques
A. Program Evaluation Review Technique (PERT)
PERT is a technique for estimating project duration and timeline. PERT is more reliable than CPM for estimating project duration because in CPM only a single duration is considered, while PERT considers three different scenarios, i.e. optimistic (best), pessimistic (worst) and normal (most likely), and on the basis of the three scenarios a single critical path is arrived at.
PERT time = [Optimistic + Pessimistic + 4(most likely)]/6.
B. Critical Path Methodology (CPM)
CPM is a technique for estimating project duration. All projects have at least one critical path.
• The critical path is the sequence of activities whose total duration is the longest as compared to other paths.
• Thus, the critical path represents the shortest possible time required for completing the project.
• Activities on the critical path have zero slack time.
• Slack time is the amount of time an activity can be delayed without impacting the completion date of the project. Zero slack time therefore makes an activity critical, and concentrating on such activities will help to reduce the overall project completion time.
• If activities with zero slack time are addressed first, early completion of the project is possible.
C. Gantt Charts
• Gantt charts are an aid for scheduling the activities/tasks needed to complete a project.
• Progress of the entire project can be tracked from the Gantt chart.
• They reflect the resources assigned to each task and by what percentage allocation.
• These charts show details related to activities calculated during PERT and CPM.
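The PERT and CPM calculations above, and the task list with dependencies that the chart describes under work packages, task lists and project schedules, as one added worked example that is not part of the original chart: each task's expected duration is taken from the chart's (O + P + 4M)/6 formula, a forward pass gives the earliest start and finish, a backward pass the latest start and finish, and the tasks with zero slack form the critical path. The seven-task network (names, three-point estimates in days and predecessors) is constructed for illustration; a dependency cycle in the task list is rejected as a data error.

```python
"""PERT estimates and critical path (CPM) for an SDLC task list: an added
example, not from the original chart. The PERT formula is the chart's
(O + P + 4M) / 6; the task network below (names, three-point estimates in
days and dependencies) is constructed for illustration."""


def pert_time(optimistic, most_likely, pessimistic):
    """Expected duration from the three PERT scenarios."""
    return (optimistic + pessimistic + 4 * most_likely) / 6


def topological_order(predecessors):
    """Kahn's algorithm; raises ValueError on a dependency cycle, which in a
    task list is a data-entry error rather than a schedule."""
    indegree = {n: len(ps) for n, ps in predecessors.items()}
    successors = {n: [] for n in predecessors}
    for n, ps in predecessors.items():
        for p in ps:
            if p not in predecessors:
                raise ValueError(f"{n} depends on unknown task {p}")
            successors[p].append(n)
    queue = [n for n, d in indegree.items() if d == 0]
    order = []
    while queue:
        n = queue.pop(0)
        order.append(n)
        for s in successors[n]:
            indegree[s] -= 1
            if indegree[s] == 0:
                queue.append(s)
    if len(order) != len(predecessors):
        raise ValueError("dependency cycle in task list")
    return order, successors


def schedule(tasks):
    """tasks: {name: (optimistic, most_likely, pessimistic, [predecessors])}.

    Forward pass gives earliest start/finish (ES/EF), backward pass latest
    start/finish (LS/LF); slack = LS - ES. Returns (per-task figures, duration)."""
    duration = {n: pert_time(o, m, p) for n, (o, m, p, _) in tasks.items()}
    predecessors = {n: list(deps) for n, (_, _, _, deps) in tasks.items()}
    order, successors = topological_order(predecessors)

    es, ef = {}, {}
    for n in order:                      # forward pass: start after the last predecessor
        es[n] = max((ef[p] for p in predecessors[n]), default=0.0)
        ef[n] = es[n] + duration[n]
    project_end = max(ef.values())

    ls, lf = {}, {}
    for n in reversed(order):            # backward pass: finish before the first successor
        lf[n] = min((ls[s] for s in successors[n]), default=project_end)
        ls[n] = lf[n] - duration[n]

    figures = {
        n: {"duration": duration[n], "ES": es[n], "EF": ef[n],
            "LS": ls[n], "LF": lf[n], "slack": ls[n] - es[n]}
        for n in order
    }
    return figures, project_end


def critical_path(tasks, eps=1e-9):
    """Tasks with zero slack in schedule order; delaying any of them delays the project."""
    figures, project_end = schedule(tasks)
    return [n for n, f in figures.items() if abs(f["slack"]) < eps], project_end


# Constructed task network: (optimistic, most likely, pessimistic) in days, predecessors.
SAMPLE_TASKS = {
    "requirements":   (4, 5, 12, []),
    "design":         (6, 8, 16, ["requirements"]),
    "coding":         (10, 15, 26, ["design"]),
    "test_env_setup": (2, 3, 10, ["requirements"]),
    "testing":        (5, 7, 15, ["coding", "test_env_setup"]),
    "documentation":  (3, 4, 11, ["design"]),
    "implementation": (2, 3, 4, ["testing", "documentation"]),
}

if __name__ == "__main__":
    figures, end = schedule(SAMPLE_TASKS)
    for name, f in figures.items():
        print(f"{name:15} dur={f['duration']:5.1f} ES={f['ES']:5.1f} EF={f['EF']:5.1f} "
              f"LS={f['LS']:5.1f} LF={f['LF']:5.1f} slack={f['slack']:5.1f}")
    print("critical path:", " -> ".join(critical_path(SAMPLE_TASKS)[0]), f"({end:.0f} days)")
```

For the constructed network the critical path is requirements, design, coding, testing, implementation at 42 days; test environment setup (21 days of slack) and documentation (19 days) can slip without moving the end date, which is exactly the information a Gantt chart built from these figures would display.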




CHAPTER 2 :
SDLC  NEED, BENEFITS AND PHASES
SDLC: A standard set of steps used for developing systems.
Systems Development Methodology: The use of a standard set of steps to develop and support business applications.
What is SDLC? The process of examining a business case with the intent of improving it through better procedures and methods.
Relevance of SDLC for Business Process Automation
A Business Application System, also called Application Software, is designed to support a specific function or process of an organization, such as management of inventory, payroll, or analysis of the market. The objective of an application system is to process data to produce information.
Business Drivers
The attributes of a business function (service delivery) that arise out of strategic objectives to enhance the targets and goals of the business function, in order to achieve the strategic goals of the business.
Need for SDLC (situations):
• New service delivery opportunity (e.g. e-commerce);
• Problems with existing systems;
• Change in strategic focus: mergers and acquisitions, or new service delivery channels like ATMs for banks;
• Availability of new technology: mobile technology for banking services.
Benefits of SDLC: less cost and less time.
SDLC Phases
• Phase 1: Feasibility Study
• Phase 2: Requirements Definition
• Phase 3a: System Analysis
• Phase 3b: Design Phase
• Phase 4: Development Phase
• Phase 5: Testing Phase
• Phase 6: Implementation Phase
• Phase 7: Maintenance Phase
SDLC Models
• Waterfall Model
• Incremental Model
• Software Reengineering and Reverse Engineering
• Object Oriented Software Development (OOSD)
• Component Based Development
• Web-Based Application Development
• Prototype Model
• Spiral Model
• RAD Model
• Agile Model
• DevOps
Phases of SDLC
1. Feasibility Study
The feasibility study is based on technical, economic and social aspects and helps in determining the strategic benefits of using the system. Identify and quantify the cost savings and estimate the probable ROI, which is used to build a business case covering both tangible and intangible factors.
Role of IS Auditor:
• Review the documentation for reasonableness.
• Review the cost justification/benefits.
• Identify whether the business needs used to justify the system actually exist.
• Review the justification for going for development or acquisition.
• Review the alternate solutions for reasonableness.
• Review the reasonableness of the chosen solution.
2. Requirements Definition
This phase involves preparing the statement of intent explaining the need for the new application and the functional, service and quality requirements of the solution system. It includes studying the needs of the users and obtaining inputs from employees and managers on their expectations. Techniques and tools used are questionnaires, interviews, observing decision-maker behaviour and their office environment, etc.
Role of IS Auditor:
• Identify the affected users and the key team members.
• Review the detailed requirements definition document.
• Review existing data flow diagrams.
3a. System Analysis
The process of gathering and analyzing the facts, diagnosing problems, and using the outcome to recommend improvements to the proposed system. Analysis is also important to decide upon the system design approach. Due to the extensive use of technology in modern organizations, the focus now is more on a service oriented approach where the objective of the system is to provide services using data models.
Role of IS Auditor:
• Verify that Management has approved the initiation of the project and its cost.
• Determine whether the application is appropriate for the use of an embedded audit routine or module.
• In case of acquisition, determine that an appropriate number of vendors have been given the request for proposals.
3b. Design
This phase takes its primary inputs from the Requirements Definition phase. Based on the requirements identified, the team may need to finalize requirements through multiple user interactions and establish a specification baseline for development of the system and sub-systems.
Role of IS Auditor:
• Review system flowcharts for adherence to the general design.
• Review input, processing and output controls.
• Assess the adequacy of the audit trails which provide traceability and accountability.
• Verify key calculations and processes for correctness and completeness.
• Interview users to ascertain their level of understanding of the system design, input to the system, screen formats and output reports.
• Verify that the system can identify erroneous data correctly and can handle invalid transactions.

