ISCA Important Topics for November 2014





Paper 6: Information Systems Control and Audit
[One paper: Three Hours – 100 marks]

Level of Knowledge:

Advanced knowledge.


To gain application ability of necessary controls, laws and standards in computerized Information system.


1. Information Systems Concepts

General Systems Concepts – Nature and types of systems, nature and types of information, attributes of information.

Management Information System – Role of information within business

Business information systems – various types of information systems – TPC, MIS, DSS, EIS, ES
2. Systems Development Life Cycle Methodology

Introduction to SDLC/Basics of SDLC

Requirements analysis and systems design techniques

Strategic considerations : Acquisition decisions and approaches

Software evaluation and selection/development

Alternate development methodologies – RAD, Prototype, etc.

Hardware evaluation and selection

Systems operations and organization of systems resources

Systems documentation and operation manuals

User procedures, training and end user computing

System testing, assessment, conversion and start-up

Hardware contracts and software licenses

System implementation

Post-implementation review

System maintenance

System safeguards

Brief note on IS Organisation Structure
3. Control objectives

(a) Information Systems Controls

Need for control

Effect of computers on Internal Audit

Responsibility for control – Management, IT, personnel, auditors

Cost effectiveness of control procedure

Control Objectives for Information and related Technology (COBIT)
(b) Information Systems Control Techniques

Control Design: Preventive and detective controls, Computer-dependent control, Audit trails, User Controls (Control balancing, Manual follow up)

Non-computer-dependent (user) controls: Error identification controls, Error investigation controls, Error correction controls, Processing recovery controls
(c) Controls over system selection, acquisition/development

Standards and controls applicable to IS development projects

Developed / acquired systems

Vendor evaluation

Structured analysis and design

Role of IS Auditor in System acquisition/selection
(d) Controls over system implementation

Acceptance testing methodologies

System conversion methodologies

Post-implementation review

Monitoring, use and measurement
(e) Control over System and program changes

Change management controls

Authorization controls

Documentation controls

Testing and quality controls

Custody, copyright and warranties

Role of IS Auditor in Change Management
(f) Control over Data integrity, privacy and security

Classification of information

Logical access controls

Physical access controls

Environmental controls

Security concepts and techniques – Cryptosystems, Data Encryption Standards (DES), Public Key Cryptography & Firewalls

Data security and public networks

Monitoring and surveillance techniques

Data Privacy

Unauthorised intrusion, hacking, virus control

Role of IS Auditor in Access Control
4. Audit Tests of General and Automated Controls

(a) Introduction to basics of testing (reasons for testing);
(b) Various levels/types of testing such as: (i) Performance testing, (ii) Parallel testing, (iii) Concurrent Audit modules/Embedded audit modules, etc.
5. Risk assessment methodologies and applications:

(a) Meaning of Vulnerabilities, Threats, Risks, Controls, (b) Fraud, error, vandalism, excessive costs, competitive disadvantage, business interruption, social costs, statutory sanctions, etc. (c) Risk Assessment and Risk Management, (d) Preventive/detective/corrective strategies
6. Transfer pricing

(a) Fundamentals of BCP/DRP, (b) Threat and risk management, (c) Software and data backup techniques, (d) Alternative processing facility arrangements, (e) Disaster recovery procedural plan, (f) Integration with departmental plans, testing and documentation, (g) Insurance
7. An overview of Enterprise Resource Planning (ERP)
8. Information Systems Auditing Standards, guidelines, best practices (BS7799, HIPAA, CMM etc.)
9. Drafting of IS Security Policy, Audit Policy, IS Audit Reporting – a practical perspective
10. Information Technology Act, 2000
