INFORMATION SYSTEMS CONTROL AND AUDIT
(CA Final)
Contents
|Chapter |Chapter Name |
|1 | Information Systems Concepts |
|2 | An overview of Enterprise Resource Planning (ERP) |
|3 | System Development Life Cycle Methodology |
|4 | Control Objectives |
|5 | Audit Test of General and Automated Controls |
|6 | Business Continuity Planning and Disaster Recovery Planning |
|7 | Risk Assessment Methodologies and Applications |
|8 | Information Technology (Amended) Act 2008 |
|9 | Drafting of IS Security Policy, Audit Policy, IS Audit Reporting - A Practical Perspective |
|10 | Information Systems Auditing Standards, Guidelines, Best Practices |
Syllabus snapshot
. ISCA syllabus consists of 10 chapters.
. First of all, we shall understand the basic concepts of Information
Systems in Chapter 1 - Information System Concepts. In this chapter, we
shall also study various types of Information Systems, and one of them is
ERP.
. ERP becomes the basis for the next chapter, i.e. Chapter 2 - An overview
of Enterprise Resource Planning (ERP).
. Having read about Information Systems in general and one of them i.e. ERP
in detail, we shall then study the various aspects concerned with the
development of these Information Systems in Chapter 3 - Systems
Development Life Cycle.
. Now, it is important to ensure that our Information Systems are protected
from various threats such as viruses etc. So, we shall study various
types of controls in Chapter 4 - Control Objectives.
. Once we study the various types of controls, we shall study how to test
these controls in the Chapter 5 - Audit Test of General and Automated
Controls.
. One of the controls mentioned in Chapter 4 has been explained in a
separate chapter i.e. Chapter 6 - Business Continuity Planning and
Disaster Recovery Planning.
. For any organization, it is not only important to install controls within
Information Systems, but also important to assess the various risks which
can cause harm to the Information Systems. Detailed study of these risks
is covered in Chapter 7 - Risk Assessment Methodologies and Applications.
. Various aspects of IT Act 2008 are covered in Chapter 8 - Information
Technology (Amended) Act 2008.
. Controls and risks form the basis of Information Security Policy of the
organization, which is Chapter 9 - Drafting of IS Security Policy, Audit
Policy, IS Audit Reporting - A Practical Perspective.
. There are different standards (just like Auditing standards), which
provide the guidelines etc for testing controls, which are covered in
Chapter 10 - Information Systems Auditing Standards, Guidelines, Best
Practices.
INFORMATION SYSTEMS CONCEPTS
Chapter 1 - Information System Concepts
I) Introduction and definition of systems
II) Information
III) Information systems
IV) Computer Based Information Systems (CBIS)
V) Information systems at different levels of management
Chapter Snapshot
. In the recent years, there has been a shift from the term "Information
Technology" to "Information Systems". The term "Information Systems" is
much wider than "Information Technology".
. This chapter starts with understanding of what a "System" is. Then we
understand what "Information" is. Combination of these two makes
"Information Systems".
. Now, these Information Systems may or may not be "Computer Based".
These days, these are mostly Computer Based i.e. "Information
Technology". In such a scenario, these "Information Systems" are known as
"Computer Based Information Systems".
. Such "Information Systems" are classified on the basis of their use for
"Operations", "Management", or only for "Office Automation".
I. Introduction and definition of systems
A) Definition
. The term system may be defined as a set of interrelated and
interdependent elements that operate collectively to accomplish some
common purpose or goal.
. For instance, a manufacturing company is a system where economic
resources such as people, money, material, machines, etc are transformed
by various organizational processes (such as production, marketing,
finance etc.) into goods and services.
. A computer based information system is also a system: a collection of
people, hardware, software, data and procedures that interact to
provide timely information to authorized people who need it.
B) General model of a system
. A general model of a physical system consists of inputs, process,
outputs, storage and feedback.
- Input is the data flowing into the system from outside.
- Processing is the action of manipulating the input into a more
useful form.
- Storage is the means of holding information for use at a later
date.
- Output is the information flowing out of a system.
C) System Environment and components of a system
1. System environment
. System environment consists of elements outside the boundary of the
system. For instance, in case of a Manufacturing Company's Information
System, the system environment is made up of Suppliers, Customers etc.
. These elements surround the system and often interact with it.
. The features that define and delineate a system form its boundary. The
system is inside the boundary; the environment is outside the boundary.
2. Sub-system
. A system and its environment can be described in many ways. A subsystem
is a part of a larger system. Each system is composed of subsystems,
which in turn are made up of other subsystems, system being delineated by
its boundaries.
. The interconnections and interactions between the subsystems are termed
interfaces. Interfaces occur at the boundary and take the form of inputs
and outputs.
. For instance, within a manufacturing company, there may be several
sub-systems such as Planning, Procurement etc.
Characteristics of Sub-systems
a) Decomposition
. A complex system is difficult to comprehend when considered as a whole.
Therefore the system is decomposed or factored into subsystems.
. Decomposition of systems means decomposing or factoring systems into sub-
systems.
. Decomposition is generally based on functional cohesion, i.e. components
are considered to be part of the same system, if they perform the same
function or are related to the same function.
. The boundaries and interfaces are defined, so that the sum of the
subsystems constitutes the entire system.
. This process of decomposition is continued with subsystems divided into
smaller subsystems until the smallest subsystems are of manageable size.
. An example of decomposition is the factoring of a business system into
subsystems. For instance, an information system may be divided into
subsystems such as:
a. Materials Management
b. Production Planning and Control
c. Sales and Distribution
d. Financials
e. Controlling
f. Treasury
g. Investment Management
h. Human Resources Management
i. Internet and Intranet
j. Integrated Enterprise Management
- Each subsystem is divided further into subsystems. For example,
the Human Resources Management might be divided into the following
smaller subsystems:
a. Creation and update of personnel pay-roll records
b. Personnel reports
c. Payroll data entry and validation
d. Monthly payroll processing
e. Payroll reports for management
f. Payroll reports for government
- These subsystems might be further subdivided into smaller
subsystems or modules. For example, the hourly payroll processing
subsystem might be factored into modules for the calculation of
deductions and net pay, payroll register and audit controls
preparation, cheque printing, and register and controls output.
b) Simplification
. Simplification is defined as the process of organizing subsystems so as
to reduce the number of interconnections, each of which is a
potential interface for communication among subsystems.
c) Decoupling (Decouple means "To uncouple / Separate /
Disconnect")
. If two different subsystems are connected very tightly, very close
coordination between them is required. For example, if the raw material
is put directly into production the moment it arrives at the factory, the
raw materials system can be said to be tightly coupled. Under these
conditions, it is important to decouple the two sub-systems, i.e. to
separate raw material delivery from production.
3. Supra-system
. A supra-system refers to the entity formed by a system and other
equivalent systems with which it interacts.
. For example, for any sub-system within a