ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES DRAFTING OF IS SECURITY POLICY, AUDIT POLICY, IS ISCAGLOBALPROFESSIONALSTUDIES AUDIT REPORTING ISCAGLOBALPROFESSIONALSTUDIES ISCA ISCAGLOBALPROFESSIONALSTUDIES GLOBAL PROFESSIONAL

ISCAGLOBALPROFESSIONALSTUDIES STUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES ISCAGLOBALPROFESSIONALSTUDIES
ISCA1 | P a g e

4/1/2014

2|ISCA

color notes available for Rs. 1000/-

Write a brief note on information security and its importance. (CA final may 04, may 05, nov 07) Information System Security 1. Security means the protection of valuable assets (say data, information, hardware etc) against loss, disclosure, or damage. 2. Securing valuable assets from threats, sabotage, or natural disaster with physical safeguards such as locks, perimeter fences, and insurance is commonly understood and implemented by most organizations. 3. However, security must be expanded to include logical and other technical safeguards such as user passwords, firewalls, etc. which are not understood nearly as well by organizations as physical safeguards. In organizations where a security breach has been experienced. (Physical safeguard toh sab samajte ha aur implement karte ha, apan logical aur technical safeguard bhi lagayenge) Security Objective The objective of information system security is The protection of the interests of those relying on information, and the information systems, from harm resulting from failures of confidentiality, integrity, and availability.

For any organization, the security objective comprises three universally accepted attributes:
Code: CIA (DMW) 1. Confidentiality: Prevention of the unauthorized Disclosure of information. 2. Integrity: Prevention of the unauthorized Modification of information. 3. Availability: Prevention of the unauthorized Withholding of information.

The relative priority and significance of confidentiality, integrity and availability vary according to the data within the information system and the business context in which it is used.

Bhinang Tejani 98980-54244

GPS Surat

Abhishek Chaudhary 90160-76035

3|ISCA

color notes available for Rs. 1000/-

Importance of information security

Organizations depend on timely, accurate, complete, valid, consistent, relevant, and reliable information. Accordingly, executive management has a responsibility to ensure that the organization provides all users with a secure information systems environment. In this it environment there are many direct and indirect risks relating to the information systems. These risks have led to a gap between the need to protect systems and the degree of protection applied.

These risks are nothing but the gap that is caused by following reasons:

Widespread use of technology

Interconnectivity of systems Unevenness of technological changes

Elimination of distance, time, and space as constraints

Attractiveness of conducting unconventional electronic attacks over more conventional physical attacks against organization.

External factors such as Legislative, Legal, and Regulatory requirements or technological developments.

Bhinang Tejani 98980-54244

GPS Surat

Abhishek Chaudhary 90160-76035

4|ISCA

color notes available for Rs. 1000/-

What Information is Sensitive? self study

The following examples highlight some of the factors, necessary for a company to succeed. The common thing thread in each case is the critical information that each generates.

Strategic Plans: Most organizations readily acknowledge that strategic plans are crucial to the success of a company. But most of the companies fail to really make an effort to protect these plans.
For example: a competitor learns that a company is testing a new product line in a specific geographic location. The competitor removes its product from that location, creating an illusionary demand for the product. When the positive results of the marketing test are provided to the company's executives, they decide to roll the product out nationwide. Only then did the company discover that in all other geographic regions the competition for their product was intense. The result: the company lost several million, dollars as its product sales faltered. Although it might have been impossible for the company to completely prevent its intentions from being discovered, this situation does illustrate the real value of keeping strategic plans confidential. In todays global environment, the search for competitive advantage has never been greater. The advantages of achieving insight into a competitor's intentions can be substantial. Industry studies bear witness to this fact.

Business Operations: Business operations consist of an organizations process and procedures, most of which are deemed to be proprietary. As such, they may provide a market advantage to the organization. This is the case when one company can provide a service profitably at a lower price than the competition. A company's client lists and the prices charged for various products and services can also be damaging in the hands of a competitor.
While most organizations prohibit the sharing of such data, carelessness often results in its compromise. Such activity includes inadvertent storage of data on unauthorized systems, unprotected laptops, and failure to secure magnetic media.

Finances: Financial information, such as salaries and wages, are very sensitive and should not be made public. While general salary ranges are known within industry sectors, precise salary information can provide a competitive edge. As salaries and wage-related charges normally comprise the majority of fixed costs, lower costs in this area contribute directly to an organizations profitability. When a competitor knows specific information about a company's wages, the competitor may be able to price its products accordingly. When competitors' costs are lower, they can either under-price the market or increase profits. In either case, the damage to an organization may be significant.

Bhinang Tejani 98980-54244

GPS Surat

Abhishek Chaudhary 90160-76035

5|ISCA

color notes available for Rs. 1000/-

What steps do they need to take to keep all of their critical information protected? OR Factors which decide level of information security.
Establishing better Information Protection: a. Not all data has the same value: And, as such, the information may be handled and protected differently. Organizations must determine the value of the different types of information in their environment before they can plan for the appropriate levels of protection.

b. Know where the critical data resides: In today's business environment, this is normally the companys information systems infrastructure. Because each piece of information may require different levels of protection, identifying where each is located enables an organization to establish an integrated security solution. This approach also provides significant cost benefits, as the company does not need to spend more on protecting data than the data itself is worth.

c. Develop an access control methodology: Information that is inadvertently(by mistake) damaged, disclosed or copied without the knowledge of the owner may render the data useless. To guard against this, organizations must establish some type of access control methodology. For important data, this access control (and the associated auditing) should extend to the file level. There are many types of solutions designed to provide this protected access.

d. Protect information stored on media: Employees can cause considerable damage by walking out the door with information on 3 -inch floppy disks or CD-ROMS. In addition, companies should control magnetic media to reduce the loss of software (both application and operating system). e. Review hardcopy output: The hardcopy output of employees daily work should also be reviewed. Although strategic plans in their final forms may be adequately protected, what measures are used to
Bhinang Tejani 98980-54244 GPS Surat Abhishek Chaudhary 90160-76035

6|ISCA

color notes available for Rs. 1000/-

safeguard all drafts and working papers? What information is regularly placed in the recycle or trash containers without thought to its value?

PROTECTING COMPUTER-HELD INFORMATION SYSTEMS We discussed that not all information is equal and that some information requires greater protection than other information. There are few basic ground rules that must be addressed sequentially for establishing better information protection: (Code: 2 ladke 1 ladki ka ATM ) Rule 1: We need to know that what the information systems are and where these are located.(tu ha kon aur kaha ha?) Rule 2: We need know the value of the information held and how difficult it would be to recreate if it were damaged or lost.(agar mar dia toh how difficult it would be for his dad to recreate another) Rule 3: We need to know that who is authorized to access the information and what they are permitted to do with the information.(ladki k friends- for some one girl may be party animal for some other only hi hello) Rule 4: We need to know that how quickly information needs to be made available should and it become unavailable for whatever reason (loss, unauthorized modification, etc.) (eg: ATM) THERE ARE 3 TYPES OF PROTECTION THAT AN ORGANIZATION CAN USE FOR PROTECTION OF COMPUTER HELD INFORMATION: 1. Preventative Information Protection: This type of protection is based on use of security controls. Information system security controls are generally grouped into three types of control: Physical, Logical, and Administrative. Organizations require all three types of controls. The organizations Information Security Policy through the associated Information Security Standards documentation mandates use of these controls. Here are some examples of each type of control: 1. Physical: Doors, Locks, Guards, CCTV, Paper Shredders, Fire Suppression Systems.

Bhinang Tejani 98980-54244

GPS Surat

Abhishek Chaudhary 90160-76035

7|ISCA

color notes available for Rs. 1000/-

2. Logical (Technical): Passwords, File Permissions, Access Control Lists.

3. Administrative: Security Awareness, User Account Revocation, and Policy

i.

ii. iii.

2. Restorative Information Protection: Security events that damage information systems will happen. If an organization cannot recover or recreate critical information systems in an acceptable time period, the organization will suffer and possibly have to go out of business. Planning and operating an effective and timely information system backup and recovery program is vital to an operation. Information system backup does not simply involve backing up "just the valuable information," but also means backing up the system as well, since the information may need services that the system provides to make the information usable. Here are a few questions that any restorative information system protection program MUST address: Code: (5 points- 4 on recovery and 1 on back up) i. ii. iii. iv. v. Has the recovery process been tested recently? How long did it take? (testing karne me kitna time laga) How much productivity was lost? (during testing kitna productivity lost hua say: employee kam nai kar paye.) Did everything go according to plan? (testing ka result kya ha? Jaisa socha tha vaisa hi aya na) --------------------------------------------------------------------------------------------------------------------How much extra time was needed to input the data changes since the last backup?( say X than X+Y than X+Y+Z)

3. Holistic Protection: Protection must be done holistically and give the organization the appropriate level of security at a cost that is acceptable to the business. One must plan for the unexpected and unknown, expect the worst events to happen, and recover from these events if and when they occur, as though nothing ever happened. Such events cant be planned, and they always seem to happen at the most inopportune times. Organizations that wait until the last minute to decide on a protection plan and recovery process will suffer.

Bhinang Tejani 98980-54244

GPS Surat

Abhishek Chaudhary 90160-76035

8|ISCA

color notes available for Rs. 1000/-

INFORMATION SECURITY POLICY Meaning of POLICY: A Policy is a plan or course of action, designed to influence and determine decisions, actions and other matters. Meaning of SECURITY POLICY: The security policy is a set of laws, rules, and practices that regulates how assets, including sensitive information are managed, protected, and distributed within the user organization. Meaning of SECURITY POLICY: An information Security policy addresses many issues such as 1. disclosure, integrity and availability concerns(CIA CONCERNS), 2. who may access what information and in what manner, 3. basis on which access decision is made, 4. separation of duties,(This enables internal check eg: croma) 5. who controls and who owns the information. Issues to address: The policy should AT LEAST ADDRESS the following issues: Code: Student: sir IS policy me kya issue address karene chaiye? Sir: 2 definations Student: 2 definition explain kar do Sir: Goals and principles bataya aur bola definition supporting document se padh lo. 1. A definition of information security. 2. Definition of all relevant information security responsibilities. 3. A brief explanation of the security policies, principles, standards and compliance requirements, 4. Goals and principles of information security and Reasons why information security is important to the organization. 5. Reference to supporting documentation. Members of Security Policy: Security has to encompass managerial, technological and legal aspects. Security policy broadly comprises the following three groups of management: i. ii. iii. Management members who have budget and policy authority, Technical group who know what can and cannot be supported(eg: Auditors), and Legal experts who know the legal ramifications(outcome) of various policy charges
GPS Surat Abhishek Chaudhary 90160-76035

Bhinang Tejani 98980-54244

9|ISCA

color notes available for Rs. 1000/-

TYPES OF INFORMATION HIERARCHY

SECURITY

POLICIES

AND

THEIR

Major Information Security Policies are given as follows: 1. Information Security Policy: (DOI) This policy provides a Definition of Information Security, its overall Objective and the Importance applies to all users.

2. User Security Policy: (RRR) This policy sets out the Responsibilities and Requirements for all IT system users. It provides security terms of Reference for Users, Line Managers and System Owners. 3. Acceptable Usage Policy: This sets out the policy for acceptable use of email and Internet services. 4. Organizational Information Security Policy : This policy sets out the GROUP POLICY for the security of its information assets and the Information Technology (IT) systems processing this information. (Although it is positioned at the bottom of the above hierarchy diagram, it is the main IT security policy document.) 5. Network & System Security Policy : This policy sets out detailed policy for system and

network security and applies to IT department users 6. Information Classification Policy : This policy sets out the policy for the classification of information 7. Conditions of Connection : This policy sets out the GROUP POLICY for connecting to their network. It applies to all organizations connecting to the organization.
Bhinang Tejani 98980-54244 GPS Surat Abhishek Chaudhary 90160-76035

10 | I S C A

Color notes available for Rs. 1000/-

Components of the Security Policy: A good security policy should clearly state the following: 1. Purpose and Scope of the Document and the intended audience,

2.

ecurity infrastructure

3. Incident reporting and incident response mechanism, 4. Security organization Structure, 5. Inventory and Classification of assets, 6. Physical and Environmental Security,

7.

IT

Operations management,

8. IT Communications, 9. System Development and Maintenance Controls(chapter 2) 10. Business Continuity Planning (chapter 6) 11. Legal Compliances(company law) 12. Monitoring and Auditing Requirements(audit) and 13. Underlying Technical Policy(har abde admi k piche ek politician ka support hota ha) Described below are the major contents of a typical security policy. Purpose and Scope: PURPOSE The primary objective of the policy would be to ensure confidentiality, integrity and availability of information and related systems. The security policy is designed to: (a) Deny authorized access to any IT resources, and Restrict access to data and resources. (unauthorized access ko deny karo, aur authorized access ko restrict karo) (b) Within the operational constraints, the security controls will allow the required services to be available to authorized users only. (only authorized user ko service dene ka) SCOPE (c) The scope defines how far the policy would be applicable, to whom it would be applicable and the period for which the policy would be applicable.
Bhinang Tejani 98980-54244 GPS Surat Abhishek Chaudhary 90160-76035

11 | I S C A

Color notes available for Rs. 1000/-

Security Organization Structure: discussed later RESPONSIBILITY ALLOCATION: The responsibilities for the management of Information Security should be set out in this policy. a. An owner(sharukh) would be appointed for each information asset.

b. All staff should be aware of the need for Information Security and should be aware of their responsibilities.(say for eg: goal keeper knows what he has to do) c. All tasks have been successfully completed and system owner is satisfied.

d. All new network communications links must be approved.(eg: new player in chak de india team) e. A contact list of organizations that may be required in the event of a security incident to be maintained.(eg: police, fire, ambulance) f. Risk assessments for all third party access to the information assets and the IT Network must be carried out.
6

Risk Assessment

Limited and controlled

g. Access by third parties to all material related to the IT Network and infrastructure must be strictly limited and controlled. There should be a Conditions of Connection agreement in place for all third party connections.

(intentionally left blank)

12 | I S C A

Color notes available for Rs. 1000/-

Asset Classification and Security Classification

Following are the major points for these classifications: 1 INVENTORY: 1. An inventory of assets must be maintained. This must include physical, software and information assets. 6 CLASSIFICATION: 2. A formal, documented classification scheme (as set out in the Information Classification Policy) should be in place and all staff must comply with it. 3. The originator or 'owner' of an item of information (e.g. a document, file, diskette, printed report, screen display, e-mail, etc.) should provide a security classification, where appropriate. 4. The handling of information, which is protectively marked CONFIDENTIAL or above must be specifically approved (i.e. above RESTRICTED). 5. Organizations to whom information is to be sent must be informed of the protective marking associated with that information, in order to establish that it will be handled by personnel with a suitable clearance corresponding to the protective marking. 6. Appropriate procedures for information labeling and handling must be agreed and put into practice. 7. Classified waste must be disposed of appropriately and securely.

(intentionally left blank)

Bhinang Tejani 98980-54244

GPS Surat

Abhishek Chaudhary 90160-76035

13 | I S C A

Color notes available for Rs. 1000/-

Access Control
Access controls must be in place to prevent unauthorized access to information systems and computer applications In Access Control, the following points need to be taken into consideration: Company as a whole: 1. Access must only be granted in response to a business requirement. (sometimes you may also need to give access to facebook to a marketing agent because thats the business requirement.) Formal processes must be in place to provide individuals with access.(make an application to admin, he will forward application to higher level to give access to facebook.) The requirement for access must be reviewed regularly. System: 2. System Owners are responsible for approving access to systems and they must maintain records of who has access to a particular system and at what level. The actual access controls in place must be audited against this record on a regular basis. 3. Users should be granted access to systems only up to the level required to perform their normal business functions. Users: 4. The registration (joined) and de-registration (left) of users must be formally managed. 5. Access rights must be deleted for individuals who leave or change jobs.(jaise hi job chod k gate k bahar nikle delete access) 6. Each individual user of an information system or computer application will be provided with a unique user identifier (user id) 7. It should not be permitted for an individual to use another person's user id or to log-on, to allow another individual to gain access to an information system or computer application. 8. PCs and terminals should never be left unattended whilst they are connected to applications or the network. Someone may use the equipment to access confidential information or make unauthorized changes. General: 9. Passwords Policy should be defined and the structure of passwords and the duration of the passwords should be specified. Passwords must be kept confidential and never disclosed to others. 10. Mobile computing - When using mobile computing facilities, such as laptops, notebooks, etc., special care should be taken to ensure that business information is not compromised, particularly when the equipment is used in public places.
Bhinang Tejani 98980-54244 GPS Surat Abhishek Chaudhary 90160-76035

14 | I S C A

Color notes available for Rs. 1000/-

Incident Handling For incident handling, following are the major points: a. Security incident reporting times and approach must be consistent at all times.

b. Specific procedures must be introduced to ensure that incidents are recorded and any recurrence is analyzed to identify weaknesses or trends. c. Procedures for the collection of evidence relating to security incidents should be standardized. d. Adequate records must be maintained and inspections facilitated to enable the investigation of security breaches or concerted attempts by third parties to identify security weaknesses. Physical and Environmental Security For the proper implementation of Physical and Environment Security, the following points need to taken into account: Watchman..!! watchman..!! ap muje andar jane donge kya? 1. Physical security should be maintained (watchman rakhna jaruri ha) and checks must be performed to identify all vulnerable areas within each site. (aju baju dekhte raho kaha se chor andar aa sakta ha) 2. The IT infrastructure must be physically protected.(eg: server k bahar watchman) 3. Access to secure areas must remain limited to authorized staff only.(server is a secure area usme access is only to authorized staff) When not using: 4. Confidential and sensitive information and valuable assets must always be securely locked away when not in use. (eg: files/gold kept in safe when not in use) When using: 5. Computers must never be left unattended whilst displaying confidential or sensitive information or whilst logged on to systems. Before you use it, you have to buy: 6. Supplies and equipment must be delivered and loaded in an isolated area to prevent any unauthorized access to key facilities 7. Premises housing computer equipment and data should be located away from, and protected against threats of deliberate or accidental damage such as fire and natural disaster.

15 | I S C A

Color notes available for Rs. 1000/-

Business Continuity Management In Business Continuity planning, following points should be addressed: 1. A Business Continuity Plan (BCP) must be maintained, tested and updated regularly. 2. All staff must be made aware of it. 3. A Business Continuity and Impact Assessment must be conducted annually. 4. Suppliers of network services must be contractually obliged to provide a predetermined minimum service level. System Development and Maintenance Controls These controls are given as follows: 1. System development or enhancements must have appropriate security controls included to safeguard their availability and ensure the integrity and confidentiality of the information they process. 2. All security requirements and controls must be identified and agreed prior to the development of information systems. AUDIT POLICY

Purpose of the audit policy:

Purpose of this audit policy is to provide the guidelines to the audit team to conduct an audit on IT based infrastructure system. WHY AUDIT IS DONE? a. The Audit is done TO PROTECT ENTIRE SYSTEM from the most common security threats which includes the following: a. Access to confidential data(employee accessing confidential data) b. Unauthorized access of the department computers(employee data kaha se access karenga, departmental computers se) c. Password disclosure compromise(department ka computer kaise access kia kisi ne password bataya honga tab na) d. Virus infections(aise employee company k lie virus ha) -------------------------------------------------------------------------------------------e. Denial of service attacks(jisko mann kia attack kar k chala gaya) f. Open ports, which may be accessed from outsiders(attack isliye hua because ports are left open) and g. Unrestricted modems(port isliye open reh gaye because modem ko restrict nai kia) b. Audits may be conducted TO ENSURE (CIA) integrity, confidentiality and availability of information and resources. c. An IS audit is CONDUCTED TO ACHIEVE 5 OBJECTIVES:
Bhinang Tejani 98980-54244 GPS Surat Abhishek Chaudhary 90160-76035

16 | I S C A

Color notes available for Rs. 1000/-

a. Asset safeguarding objective: The information system assets (hardware, software, data files etc) must be protected by a system of internal audit from unauthorized access. b. Data integrity objective. c. System effectiveness objective. Effectiveness of the system is evaluated by auditing the characteristics and objectives of the system to meet substantial user requirements. d. System Efficiency objective. To optimize the use of various information system resources. and e. comply with Information System related policies, guidelines, circulars, and any other instructions requiring compliance in whatever name called.

Scope of IS Audit:
1. The scope of IS auditing should encompass the examination and evaluation of the adequacy and effectiveness of the internal control system and the quality of performance by the information system. 2. IS Audit will examine and evaluate the Planning, organizing, and directing processes to determine whether reasonable assurance exists that objectives and goals will be achieved. The scope of the audit will also include the internal control system(s) on the use and protection of information and the information system, as under:
Data Application systems Technology Facilities People

The Information System auditor will consider whether the information obtained from the above reviews indicates coverage of the appropriate areas. The information system auditor will examine, among others, the following: 1. GOAL: Information system mission statement and agreed goals and objectives for information system activities.

of IS activities of information system

17 | I S C A

Color notes available for Rs. 1000/-

2. RISK: Assessment of the risks associated with the use of the information systems and approach to managing those risks.(goal toh set kar lia, usko achieve karne me risk kya ha) 3. PLAN TO IMPLEMENT STRATEY: Information system strategy plans to implement the strategy and monitoring of progress against those plans. 4. BUDGET: Information system budgets and monitoring of variances. --------------------------------------------------------------------------5. Major contract approval and monitoring of performance of the supplier. 6. Monitoring of performance against service level agreements. 7. Acquisition of major systems and decisions on implementation. ------------------------------------------------------------------------------8. Impact of external influences on information system such as internet, merger of suppliers or liquidation etc.

What Audit policy should do? : The Audit Policy should lay down the responsibility of audit. The audit may be conducted by internal auditors or external auditors. Information System Auditors should be independent of the activities they audit. Independence permits the auditors to render impartial and unbiased judgment essential to the proper conduct of audits. ------------------------------------------------------------------------------------------------------------------------1. The Policy should lay out the periodicity of reporting(say monthly, quarterly, yearly) and the authority to whom the reporting is to be made(say to CEO, manager, RBI, SEBI etc) 2. A statement of professional proficiency may be included to state the minimum qualification and experience requirements of the auditors.(auditor should be CA and should cleared DISA for bank audit + minimum 5 years experience.) 3. All information system auditors will sign a declaration of fidelity and secrecy before commencing the audit work.

4. The policy may lay out the extent of testing to be done under the various phases of the audit Planning Compliance Testing Substantive Testing

18 | I S C A

Color notes available for Rs. 1000/-

5. A documented audit program would be developed including the following:

EXPECTED Q: How would you develop the documented audit program OR Points to be considered when documented audit program is developed.
1. Documentation of the information system auditor's procedures for collecting, analyzing, interpreting, and documenting information during the audit. 2. Objectives of the audit. 3. Scope, nature, and degree of testing required to achieve the audit objectives in each phase of the audit.(say SND of Testing to achieve objective of planning phase.) 4. Identification of technical aspects, risks, processes, and transactions which should be examined.(there are thousands of processes in a organization, you cannot examine all) 5. Procedures for audit will be prepared prior to the commencement of audit work and modified, as appropriate, during the course of the audit. 6. The policy should define the access rights to be given to the auditors. This access may include: 1. User level and/or system level access to any computing or communications device. 2. Access to information (electronic, hardcopy, etc.) 3. Access to work areas (labs, offices, cubicles, storage areas, etc.) 4. Access to reports / documents created during internal audit. 5. Access to interactively monitor and log traffic on networks.(dekhna aur note down karna) 7. The Policy should outline the compliance testing areas such as:

Organizational and Operational Controls Security Management Controls System development and Documentation Controls Application Controls Physical and Environmental Controls Access Controls Business Continuity Controls, etc.
8. The auditor will carry out substantive testing wherever the auditor observes weakness in internal control or where risk exposure is high. The auditor may also carry out such tests to gather additional information necessary to form an audit opinion.

Bhinang Tejani 98980-54244

GPS Surat

Abhishek Chaudhary 90160-76035

19 | I S C A

Color notes available for Rs. 1000/-

9. The Audit Policy would define the compulsory audit working papers to be maintained and their formats.

Bhinang Tejani 98980-54244

GPS Surat

Abhishek Chaudhary 90160-76035

20 | I S C A

Color notes available for Rs. 1000/-

Nov 09: During IS audit of bank what are the kind of working papers and documentation you would prepare? AUDIT WORKING PAPERS AND DOCUMENTATION 1. Working papers should record 1. the audit plan, 2. the nature, timing and extent of auditing procedures performed, and 3. the conclusions drawn from the evidence obtained. 2. All significant matters which require the exercise of judgment should also be included in the working papers. 3. The form and content of the working papers are affected by matters such as: The nature of the engagement,(tax audit, statutory audit) The form of the auditors report,(depends on--given to SH, bankers, management) The nature and complexity of clients business,(WIP stock in manufacturing) and The nature and condition of clients records (fire last year) and degree of reliance on internal controls.

1. 2. 3. 4.

In case of recurring audits, some working paper files may be classified as permanent audit files which are updated currently with information of continuing importance to succeeding audits, as distinct from the current audit files which contain information relating primarily to audit of a single period. The permanent audit file normally includes: code: 0 1 2 3 1 Organizational structure 1. The organization structure of the entity, 2 audit 2. Extracts of copies of important legal documents relevant to audit, 3. Copies of audit reports and observations of earlier years, and 3 Information systems 4. The historical background of the information system in the organization, 5. The IS policies of the organization, 6. A record of the study and evaluation of the internal controls related to the information system, 0 letter management ka aur issue kia auditor ne. 7. Copies of management letters issued by the auditor, if any.

(intentionally left blank)

[Type text ]

[T ype text ]

[Type t e xt ]

21 | I S C A

Color notes available for Rs. 1000/-

The current file normally includes: 1. ACCEPT: Correspondence relating to the acceptance of appointment and the scope of the work,(one fine morning you are received appointment letter from ABC Ltd that you are appointed as auditor and the scope of your work is ..) 2. PLAN: Evidence of the planning process of the audit and audit programme, 3. PERFORM: A record of the nature, timing, and extent(NTE) of auditing procedures performed, and the results of such procedures, 4. COMMUNICATE: Copies of letters and notes concerning audit matters communicated to or discussed with the client, including material weaknesses in relevant internal controls, 5. RESPONE TO COMMUNICATION: Letters of representation and confirmation received from the client, 6. CONCLUSION: Conclusions reached by the auditor concerning significant aspects of the audit, including the manner in which the exceptions and unusual matters, if, any, disclosed by the auditors procedures were resolved and treated, and 7. RELEVANT DOCUMENTS: Copies on the data and system being reported on and the related audit reports. Working papers are the property of the auditor. The auditor may, at his discretion, make portions of, or extracts from his working papers available to the client. The auditor should adopt reasonable procedures for custody and confidentiality of his working papers and should retain them for a period of time sufficient to meet the needs of his practice and satisfy any pertinent legal and professional requirements of record retention.
----------------------------------------------END OF NOV 09 QUESTION-------------------------------------------------------------

Nov 12: Discuss the parameters that would help in planning the documentation process.

Planning the Documentation:

The following three parameters (factors) would help in planning a documentation process.

1. The importance of planning and understanding the planning process requires identifying three planning questions: Knowing Your Resources: The three basic resources: time, people, money. One has to check for their availability and affordability. Defining the Scope and Audience: The same report may undergo significant changes depending on the character of report and nature of audience. Presentation on Balance Sheet made to bankers and to investors would be quite different in content and focus. Using a Scope Definition Report: It is critical to know how to complete a Scope Definition Report. This report helps in developing a workable schedule for completing the project. (You cannot prepare your schedule until you define your scope that how much you will study in which subject.)
2. The Documentation Writer: The qualities and skills that the documentation writer would need. The requirement may often be legal in nature.(eg: Audit report can be prepared by CA only)
[Type text ] [T ype text ] [Type t e xt ]

22 | I S C A

Color notes available for Rs. 1000/-

3. Rules to guide documentation writing: The four rules of writing documentation are as follows: Writing in Active Voice: Using active voice in documentation.

Giving the Consequences: Giving the consequences of the reader's action. Writing from General to Specific: Designing the documentation from general to specific. Consistency: Using style, order and format consistently.
----------------------------------------------END OF NOV 12 QUESTION-------------------------------------------------------------

Gathering Information:
To be able to have a good documentation, it is necessary to get information about the reader and the requirement of the document.

About the Reader: Finding information about the reader by doing a task analysis. Three parts of the task: viz. input, process, output will have to be identified before one could develop an understanding of a reader. About the Subject: The three sources of information about a subject are people, paper, and the object of the report.

Organizing Information:
Organizing information involves deciding what information to include and how to sequence it. This covers five organizational sequences and examines how to divide the documentation into various sections and subsections. a. Selecting Information: Selecting what the reader needs to know. Organizing t h e information into a useful sequence. b. Organizing the Documentation: Using the five organizational subject, difficulty, chronological, importance and analytical. c. Dividing Into Sections: Dividing documentation into chapters or sections. d. Dividing Into Subsections: Dividing sections or chapters into subsections. sequences:

Writing the Documentation:

Writing is governed by the following major rules/principles: 1. Writing in Active Voice: Using active voice in documentation. 2. Giving the Consequences: Giving the consequences of the reader's action. 3. Writing from General to Specific: Designing the documentation from general to specific. 4. Consistency: Using style, order and format consistently. 5. Writing Online Documentation: Laying down guidelines online documentation. Using appropriate techniques to emphasize text.
[Type text ] [T ype text ]

for

writing

[Type t e xt ]

23 | I S C A

Color notes available for Rs. 1000/-

Finalizing Documents:
This section identifies the tasks involved in reviewing and testing the document, generating the glossary and index and formatting the document for final production. 1. Reviewing and Testing: (generally reviewed by third party) 1. Selection of reviewer of the documentation involves identification of subject and communication skill. 2. The reviewer must be provided with adequate information regarding the audience and object of the report. 3. In order to ensure objectivity It is recommended that the reviewer be a person who has not been involved in the documentation process. 2. Generating the Glossary and Index: (some specific words and short cuts used in document will be described in glossary ) Compilation of a glossary and generation of an index are two major tasks for a complete documentation. In order to achieve this task it is necessary to mark the Index and glossary entries at the stage of documentation itself. Word processing software comes with an inbuilt ability of creating an index from the identified text in the body of the document.

3. Formatting and Production: (eg: compare my formatting of ISCA notes with every one others in INDIA) a. The idea of creating a good document is incomprehensible without first deciding on a good design for the same. b. This involves choosing effective formatting options for headings, sub-headings, section breaks, formatting, and allied. c. It also important to select an appropriate binding style that would aid filing and ease of consultation.

[Type text ]

[T ype text ]

[Type t e xt ]

24 | I S C A

Color notes available for Rs. 1000/-

IS AUDIT REPORTS Structure: Audit reports broadly include the following sections: title page, table of contents, summary (including the recommendations), introduction, findings and appendices. These components of an audit report are discussed below: (i) Cover and Title Page : Audit reports should use a standard cover, with a window showing the title: "Information System Audit" or "Data Audit", the department's name and the report's date of issue (month and year). These items are repeated at the bottom of each page. The title page may also indicate the names of the audit team members. (ii) Table of Contents: The table lists the sections and sub-sections with page numbers including summary and recommendations, introduction, findings (by audit field) and appendices (as required). (iii) Summary / Executive Summary: The summary gives a quick overview of the salient features at the time of the audit in light of the main issues covered by the report. It should not normally exceed three pages, including the recommendations. (iv) Introduction: Since readers will read the summary, the introduction should not repeat details. It should include the following elements: Code: CPS methodology a. Context: This sub-section briefly describes conditions in the audit entity during the period under review, for instance, the entity's role, size and organization especially with regard to information system management, significant pressures on information system management during the period under review, events that need to be noted, organizational changes, IT disruptions, changes in roles and programs, results of internal audits or follow-up to our previous audits, if applicable. b. Purpose: This sub-section is a short description of what functions and special programs were audited and the clients' authorities. c. Scope: The scope lists the period under review, the issues covered in each function and program, the locations visited and the on-site dates. d. Methodology: This section briefly describes sampling, data collection techniques and the basis for auditors' opinions. It also identifies any weaknesses in the methodology to allow the client and auditee to make informed decisions as a result of the report. (v) Findings: Findings constitute the main part of an audit report. They result from the examination of each audit issue in the context of established objectives and clients' expectations. If the auditor is using any standard grading standard like InfoSecGrade or others, the arrived value should also be stated. (vi) Opinion: If the audit assignment requires the auditor to express an audit opinion, the auditor shall do so in consonance to the requirement. (vii) Appendices: Appendices can be used when they are essential for understanding the report. They usually include comprehensive statistics, quotes from publications, documents, and references.
[Type text ] [T ype text ] [Type t e xt ]