1. Information Systems Concepts
   - General systems concepts: nature and types of systems, nature and types of information, attributes of information
   - Management Information System: role of information within business
   - Business information systems: the various types of information systems (TPS, MIS, DSS, EIS, ES)
2. Systems Development Life Cycle Methodology
   - Introduction to the SDLC / basics of the SDLC
   - Requirements analysis and systems design techniques
   - Strategic considerations: acquisition decisions and approaches
   - Software evaluation and selection/development
   - Alternative development methodologies: RAD, prototyping, etc.
   - Hardware evaluation and selection
   - Systems operations and organisation of systems resources
   - Systems documentation and operation manuals
   - User procedures, training and end-user computing
   - System testing, assessment, conversion and start-up
   - Hardware contracts and software licences
   - System implementation
   - Post-implementation review
   - System maintenance
   - System safeguards
   - Brief note on IS organisation structure
3. Control Objectives
   (a) Information Systems Controls
       - Need for control
       - Effect of computers on internal audit
       - Responsibility for control: management, IT personnel, auditors
       - Cost-effectiveness of control procedures
       - Control Objectives for Information and related Technology (COBIT)
   (b) Information Systems Control Techniques
       - Control design: preventive and detective controls, computer-dependent controls, audit trails, user controls (control balancing, manual follow-up)
       - Non-computer-dependent (user) controls: error identification controls, error investigation controls, error correction controls, processing recovery controls
   (c) Controls over system selection, acquisition/development
       - Standards and controls applicable to IS development projects
       - Developed / acquired systems
       - Vendor evaluation
       - Structured analysis and design
       - Role of the IS auditor in system acquisition/selection
   (d) Controls over system implementation
       - Acceptance testing methodologies
       - System conversion methodologies
       - Post-implementation review
       - Monitoring, use and measurement
   (e) Controls over system and program changes
       - Change management controls
       - Authorisation controls
       - Documentation controls
       - Testing and quality controls
       - Custody, copyright and warranties
       - Role of the IS auditor in change management
   (f) Controls over data integrity, privacy and security
       - Classification of information
       - Logical access controls
       - Physical access controls
       - Environmental controls
       - Security concepts and techniques: cryptosystems, the Data Encryption Standard (DES), public key cryptography and firewalls
       - Data security and public networks
       - Monitoring and surveillance techniques
       - Data privacy
       - Unauthorised intrusion, hacking, virus control
       - Role of the IS auditor in access control
4. Audit Tests of General and Automated Controls
   (a) Introduction to the basics of testing (reasons for testing)
   (b) Various levels/types of testing, such as: (i) performance testing, (ii) parallel testing, (iii) concurrent audit modules / embedded audit modules, etc.
5. Risk Assessment Methodologies and Applications
   (a) Meaning of vulnerabilities, threats, risks and controls
   (b) Fraud, error, vandalism, excessive costs, competitive disadvantage, business interruption, social costs, statutory sanctions, etc.
   (c) Risk assessment and risk management
   (d) Preventive / detective / corrective strategies
6. Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
   (a) Fundamentals of BCP/DRP
   (b) Threat and risk management
   (c) Software and data backup techniques
   (d) Alternative processing facility arrangements
   (e) Disaster recovery procedural plan
   (f) Integration with departmental plans, testing and documentation
   (g) Insurance
7. An overview of Enterprise Resource Planning (ERP)
8. Information Systems Auditing standards, guidelines and best practices (BS 7799, HIPAA, CMM, etc.)
9. Drafting of an IS security policy, audit policy and IS audit reporting: a practical perspective
10. Information Technology Act, 2000