PRACTICE MANUAL
Final Course
PAPER : 6
INFORMATION SYSTEMS CONTROL AND AUDIT
VOLUME-II
BOARD OF STUDIES
THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
This practice manual has been prepared by the faculty of the Board of Studies. The objective of the practice manual is to provide teaching material to the students to enable them to obtain knowledge and skills in the subject. Students should also supplement their study by reference to the recommended text books. In case students need any clarifications or have any suggestions to make for further improvement of the material contained herein, they may write to the Director of Studies.

All care has been taken to provide interpretations and discussions in a manner useful for the students. However, the practice manual has not been specifically discussed by the Council of the Institute or any of its Committees and the views expressed herein may not be taken to necessarily represent the views of the Council or any of its Committees.

Permission of the Institute is essential for reproduction of any portion of this material.

THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA

All rights reserved. No part of this book may be reproduced, stored in retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior permission in writing from the publisher.

Revised Edition : January, 2013
Website : www.icai.org
E-mail : bosnoida@icai.org
Committee / Department : Board of Studies
ISBN No. :
Price :
Published by : The Publication Department on behalf of The Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi 110 002
Printed by : Sahitya Bhawan Publications, Hospital Road, Agra 282 003
January/2012/25,000 Copies (Revised)
A WORD ABOUT PRACTICE MANUAL

In today's business world, accounting professionals have to interact with computer-based information systems on a regular basis. As primary users of information systems in organizations, accountants must participate in their design and understand their operation. Accounting managers must measure and evaluate the performance of information systems. Internal and external auditors must assess the quality of information systems and evaluate the accuracy of information input and output. The major share of the work of accounting consultants is in the design, implementation, evaluation and control of information systems.

The new system of the Chartered Accountancy course, recognizing the importance of Information Technology, has included it as part of the course curriculum at both the IPCC and Final levels. A paper on Information Systems Control and Audit, forming a part of the final syllabus, helps the students to understand how to evaluate controls and standards for information systems in an organizational environment. The basic knowledge about Information Technology gained at IPCC level is sought to be built up further through this paper.

The students are expected to cover the entire syllabus and also to practise on their own while going through this practice manual. Students are also advised to update themselves with the latest changes in the IT sector. For this they may refer to academic updates in the monthly journal The Chartered Accountant and the Students' Journal published by the Institute, in addition to other IT journals/magazines of repute, e.g. ISACA's Journal.

The course Study Material covers the theoretical framework in detail. In addition to this, students can also refer to the recommended reading books available on this paper. This Practice Manual has been designed with the needs of home-study and distance-learning students in mind. Such students require full coverage of the syllabus topics, and also the facility to undertake extensive question practice. The main aim of this Practice Manual is to provide guidance as to the manner of writing an answer in the examination.

The practice manual has been revised on the basis of the revisions in the study material. Some case study based questions have also been added in this revised edition. The main features of this Practice Manual are as follows:

Matrix: A statement showing the chapter-wise distribution of the past five Examination Questions along with marks has been added.

Concepts in Brief: Important definitions, concepts and points have been given before each topic for quick recapitulation.

Questions: A generous compilation of practice questions from the previous examinations. Students are expected to attempt the questions and then compare their solutions with the solutions provided in the manual. The significant changes have been highlighted with bold and italics in the manual.

Assignment: Exercises have been given at the end of each chapter for independent practice.

In case you need any further clarification/guidance, please send your queries to the e-sahaayataa portal on the ICAI website (www.icai.org) or to bosnoida@icai.org / santosh.pandey@icai.org.

Happy Reading And Best Wishes!
Paper-6: Information Systems Control and Audit

Statement indicating Chapter-wise distribution of past five Examination Questions along with Marks

| Chapter No. | Name of the Chapter | May 2010 Question | Marks | November 2010 Question | Marks | May 2011 Question | Marks | November 2011 Question | Marks | May 2012 Question | Marks | Total Marks | Avg. Marks |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Information Systems Concept | 4(c), 5(c) | 10 | 1(b), 5(b), 7(c) | 13 | 3(b), 5(b), 7(a) | 12 | 2(a) | 8 | 3(b), 5(c) | 10 | 53 | 10.6 |
| 2 | System Development Life Cycle | 1(a), 2(b) | 10 | 6(a), 6(b) | 12 | 1(a), 6(a) | 13 | 1(a), 1(c), 2(b), 2(c), 3(b), 7(a) | 30 | 3(a), 3(c), 3(c), 7(b) | 14 | 79 | 15.8 |
| 3 | Control Objectives | 2(c), 3(c), 4(d) | 20 | 1(a), 3(c), 5(c) | 21 | 2(a), 4(b), 7(b) | 16 | 4(b), 4(c), 7(d) | 14 | 2(a), 5(a), 6(b) | 18 | 89 | 17.8 |
| 4 | Testing General and Automated Controls | 4(a), 5(d) | 10 | 3(a), 7(a) | 8 | 6(b) | 4 | 5(b) | 4 | 6(a) | 6 | 32 | 6.4 |
| 5 | Risk Assessment Methodologies and Applications | 2(a), 5(a) | 10 | 2(c) | 8 | 4(a), 7(c) | 12 | 3(a), 5(c) | 12 | 1(b), 7(b) | 9 | 51 | 10.2 |
| 6 | Business Continuity Planning and Disaster Recovery Planning | 3(b) | 5 | 1(c), 4(a) | 9 | 2(b), 3(c), 6(c) | 12 | 1(d), 4(a), 5(a), 6(a) | 27 | 1(c) | 5 | 58 | 11.6 |
| 7 | An overview of Enterprise Resource Planning (ERP) | 3(a), 5(b) | 15 | 2(a), 2(b), 7(b) | 12 | 1(b), 4(c) | 9 | 1(b) | 5 | 2(b), 4(b) | 12 | 53 | 10.6 |
| 8 | Information Systems Auditing Standards, Guidelines, Best Practices | 1(b) | 5 | 4(b), 6(c), 7(e) | 12 | 2(c), 5(a), 7(d) | 16 | 7(e) | 4 | 4(a), 6(c), 7(c) | 14 | 51 | 10.2 |
| 9 | Drafting of IS Security Policy, Audit Policy, IS Audit Reporting - A Practical Perspective | 1(c) | 5 | 3(b), 4(c) | 12 | 1(c), 3(a) | 13 | 6(b) | 4 | 1(d), 4(c), 7(d) | 13 | 47 | 9.4 |
| 10 | Information Technology (Amendment) Act, 2008 | 1(d), 4(b) | 10 | 1(d), 5(a), 7(d) | 13 | 1(d), 5(c), 7(e) | 13 | 6(c) | 4 | 2(c), 5(b), 7(e) | 14 | 54 | 10.8 |

Note: Question papers of all the aforementioned examinations can be accessed from the BoS Knowledge Portal under the section Students on the Institute's website, www.icai.org.
CONTENTS

CHAPTER 1 INFORMATION SYSTEMS CONCEPTS
CHAPTER 2 SYSTEM DEVELOPMENT LIFE CYCLE METHODOLOGY
CHAPTER 3 CONTROL OBJECTIVES
CHAPTER 4 TESTING GENERAL AND AUTOMATED CONTROLS
CHAPTER 5 RISK ASSESSMENT METHODOLOGIES AND APPLICATIONS
CHAPTER 6 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING
CHAPTER 7 AN OVERVIEW OF ENTERPRISE RESOURCE PLANNING (ERP)
CHAPTER 8 INFORMATION SYSTEMS AUDITING STANDARDS, GUIDELINES, BEST PRACTICES
CHAPTER 9 DRAFTING OF IS SECURITY POLICY, AUDIT POLICY, IS AUDITING REPORTING - A PRACTICAL PERSPECTIVE
CHAPTER 10 INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008
QUESTIONS BASED ON THE CASE STUDIES