Financial Daily from THE HINDU group of publications, Monday, Jan 06, 2003
Mentor
Auditing ISA Q&A from ICAI
INFORMATION Systems (IS) audit is a special assignment carried out by specially trained staff in the internal audit department; sometimes it is outsourced to external consultants. The objective and scope of coverage of an IS audit are then defined by management. The technical skills required depend on the complexity of the IT environment being audited, the related IT processes and the objective of the audit.
Key perspectives
There are two perspectives from which an IS audit can be done.

Risk management: The objective in this approach is to assess the risks first, and then implement appropriate controls to reduce the risks to an acceptable level. IS audits executed from this perspective tend to be called security management, information risk management, information systems risk management, security audit, IT audit, and so on.

Control objectives: The objective in this approach is to review whether the organisation's internal control system ensures that business objectives are achieved. Hence, it is necessary to set appropriate control objectives which, in turn, result in reducing risks to an acceptable level. Assignments executed from this perspective are termed IS audit, IS assurance, computer assurance services, technology assurance services, IT governance, IS controls review and the like.

What follows are multiple choice questions on a few topics.
IS strategy
1) Implementation of IT is least likely to impact: a) performance of business operations; b) internal controls; c) transaction processing; d) objective and scope of audit.

2) Which of the following changes is most critical for identification of inherent IT risks? a) business environment having an IT impact; b) new developments in the IT environment; c) recent incidents relevant to the controls and business environment; d) IT monitoring controls applied by management.

3) Prior to developing or changing the strategic or long-range IT plan, IT should assess the existing IS primarily in terms of the degree of: a) business process automation; b) proposed functionality; c) stability of software; d) complexity of technology.

4) The review of the business plan is least likely to address whether: a) the statement of mission, objectives and goals of the business is well defined; b) business strategies are aligned to achieve business goals and objectives; c) IS are oriented towards executing business strategy; d) IT solutions are meeting business requirements.

5) The most critical audit procedure at the preliminary review stage of the IT strategic plan is to review whether: a) there is a developed and documented long-range plan for facilities, hardware, application and system software and the application system; b) there is a short-range plan that has been prepared, outlining the specific projects; c) specific task activities are delegated to section managers in support of the completion of the short-range plan; d) the methodology for progress reporting and monitoring in terms of completing the long-range and short-range plans is adequate.

6) The greatest risk on account of inadequate policies and standards relating to IT in an enterprise is: a) security and controls may be compromised; b) no benchmarks are available for evaluating the operations; c) the audit opinion regarding the quality of control and security will be open to question; d) the time required for audit is higher.

7) To ensure implementation of policy, in addition to defining the policy objective, it is important to: a) establish clear-cut responsibility for implementation; b) ensure adequate allocation of resources; c) ensure commitment from senior management; d) monitor changes required on a regular basis.

8) The most critical resource for minimum standards and compliance requirements of security relates to: a) data; b) communications; c) environment; d) personnel.

9) IS auditors are primarily responsible for providing: a) an opinion on whether security policy, standards, measures, practices and procedures are appropriate; b) assurance to management on the appropriateness of the security; c) compliance with the organisation's security objectives; d) consulting on IT security and controls.

10) The greatest risk of inadequate definition of policy relating to ownership of data and systems is: a) all users are authorised to originate, modify or delete data; b) difficulty in coordinating change within large organisations; c) accountability of specific users cannot be established; d) audit recommendations may not be implemented.

11) The physical access control with the highest impact is: a) all assets are duly recorded in the fixed assets register; b) all assets are physically verified on a regular basis; c) access to the server room is allowed only to authorised persons; d) the CPU room and CPUs are locked and the keys entrusted only to authorised persons.

12) The logical access control with the highest impact is: a) all the users created in the system are currently working; b) users who have been transferred, retired or resigned are deleted from the active list; c) there is an option to update the users and change passwords; d) the user ids are unique and are identified with specific functions.

13) The primary objective of assessing IT policies is to review: a) that all written statements are collected and tracked to ensure that they have been distributed or are available to all staff; b) published organisation charts and function descriptions; c) business and IT objectives, and to analyse whether the IT and related security and control policies support them; d) whether the organisation of the IT department ensures adequate division of duties and whether recruitment and staff relations procedures are conducive to control and training.

14) The best control for a system administrator (SA) is that the SA is: a) well trained; b) exclusively performing functions as defined; c) technically competent; d) backed by standby staff who are identified and trained.

15) The most critical control relating to parameters is: a) access to parameters in the system is restricted; b) changes are recorded in an audit trail, which is maintained and reviewed; c) changes are supported by circulars authenticated and authorised by the senior officer; d) parameter values are set properly as per business rules.

Solutions: 1) d; 2) d; 3) b; 4) d; 5) a; 6) a; 7) a; 8) a; 9) b; 10) c; 11) c; 12) d; 13) c; 14) b; and 15) d.

(To be continued)

(Edited extracts from Comprehensive Guide on Information Systems Audit Volume I of the ICAI.)
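Questions 10 and 12 describe the logical access controls an IS auditor tests in a user access review: accounts of transferred, retired or resigned staff must leave the active list, every user id must be unique and tied to a specific function, and every account must map to an accountable person. The script below is an added example, not part of the ICAI material or this article, showing how such a review is done in practice by reconciling a system's user export against the HR roster. The data structures, field names and the 90-day dormancy threshold are assumptions for illustration, and the sample accounts and employees are constructed.

```python
"""User access review: reconcile a system user export with HR records.

Added example; the record layout, the finding categories and the
DORMANT_DAYS threshold are assumptions, and all sample data is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user_id: str               # login id as exported from the system
    emp_id: str                # HR employee number it is mapped to ("" if none)
    function: str              # business function the account was provisioned for
    active: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                # "active", "transferred", "resigned", "retired"
    function: str              # current function according to HR


DORMANT_DAYS = 90              # assumed threshold for an unused active account

# (user_id, finding, detail); sorted so the output is stable for review papers
Finding = Tuple[str, str, str]


def review_access(accounts: List[Account], roster: Dict[str, Employee],
                  as_of: date) -> List[Finding]:
    """Return exceptions from the access review, one tuple per exception."""
    findings: List[Finding] = []

    # Q12 d): user ids must be unique, otherwise actions cannot be attributed
    for uid, n in Counter(a.user_id for a in accounts).items():
        if n > 1:
            findings.append((uid, "duplicate-id", f"user id appears {n} times"))

    for acct in accounts:
        if not acct.active:
            continue                           # only active accounts carry risk here
        emp = roster.get(acct.emp_id)
        if emp is None:
            # Q10 c): no HR owner means accountability cannot be established
            findings.append((acct.user_id, "orphan",
                             "no HR record; accountability cannot be established"))
            continue
        if emp.status in ("resigned", "retired"):
            # Q12 b): leavers must be removed from the active list
            findings.append((acct.user_id, "leaver",
                             f"HR status {emp.status} but account still active"))
        elif emp.function != acct.function:
            # Q12 d): account must match the function the person now performs
            findings.append((acct.user_id, "function-mismatch",
                             f"provisioned for {acct.function}, HR says {emp.function}"))
        if acct.last_login is None or (as_of - acct.last_login).days > DORMANT_DAYS:
            findings.append((acct.user_id, "dormant",
                             f"no login in the last {DORMANT_DAYS} days"))
    return sorted(findings)


# Constructed sample data: a system user export and the matching HR roster.
ACCOUNTS = [
    Account("ramesh", "E100", "teller", True, date(2002, 12, 30)),        # clean
    Account("sita", "E101", "teller", True, date(2002, 12, 20)),          # moved to loans
    Account("kumar", "E102", "branch-manager", True, date(2002, 11, 1)),  # has resigned
    Account("temp01", "", "clerk", True, None),                           # no HR owner
    Account("ops", "E103", "operator", True, date(2002, 9, 1)),           # dormant, shared id
    Account("ops", "E104", "operator", True, date(2003, 1, 2)),           # shared id
    Account("anand", "E105", "auditor", False, date(2001, 1, 1)),         # already disabled
]
ROSTER = {e.emp_id: e for e in [
    Employee("E100", "active", "teller"),
    Employee("E101", "transferred", "loans"),
    Employee("E102", "resigned", "branch-manager"),
    Employee("E103", "active", "operator"),
    Employee("E104", "active", "operator"),
    Employee("E105", "retired", "auditor"),
]}
AS_OF = date(2003, 1, 6)


def run_review() -> List[Finding]:
    """Run the review over the constructed sample data."""
    return review_access(ACCOUNTS, ROSTER, AS_OF)


if __name__ == "__main__":
    for user_id, kind, detail in run_review():
        print(f"{user_id:<8} {kind:<18} {detail}")
```

The script deliberately reports the shared id "ops" twice, once as a duplicate and once as dormant, because each is a separate control failure that the auditor would raise with a different owner; the disabled "anand" account is skipped since the control in question 12 b) is already satisfied for it.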
Copyright © 2003, The Hindu Business Line.