Direct study report on Information system (IS) audit


  • 7/29/2019 Direct study report on Information system (IS) audit

    1/47

TRIBHUVAN UNIVERSITY

    Department of Mechanical Engineering

    INSTITUTE OF ENGINEERING

    Pulchowk Campus

    Directed Study Report

    On

    Information System (IS) Audit

    9th October, 2012

    Submitted By:

    Rajendra Bahadur Thapa

    (068/MsTIM/156)

    Rajib Kumar Hyoju

    (068/MsTIM/157)

    Sudan Kayastha

    (068/MsTIM/163)

    Sudip Joshi

    (068/MsTIM/165)

Submitted to: Prof. Amrit Man Nakarmi

    Co-ordinator,

    Master of Science in Technology and

    Innovation Management (MsTIM),

    Department of Mechanical Engineering.


ACKNOWLEDGEMENT

We wish to express our sincere gratitude to Prof. Amrit Man Nakarmi, Co-ordinator of the Master of Science in Technology and Innovation Management (MsTIM) program, and to the core group members of the MsTIM program for providing us the opportunity to carry out a directed study on the topic "Information System (IS) Audit" as a core course of study in the third semester of MsTIM. We sincerely thank our other professors and lecturers for their valuable feedback and encouragement in carrying out this directed study work.

Last but not least, we wish to avail ourselves of this opportunity to express a sense of gratitude and love to our friends for their moral support, strength, help and for everything.

    Sincerely,

    Rajendra Bahadur Thapa

    Rajib Kumar Hyoju

    Sudan Kayastha

Sudip Joshi

MsTIM-2011


    Abstract

The strength of an organization is measured by the strength of its information system, which integrates the knowledge, capabilities, maturity models, product and service delivery processes, etc. possessed by the organization. The information system must be flawless, must account for possible risks and should have good measures against risk hazards. For this, the information system must be certified or audited to check its level of performance and to enhance the system. Information systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance. Information systems are the lifeblood of any large business. The purpose of IS audit is to review and provide feedback, assurances and suggestions regarding the availability, confidentiality and integrity of the information systems. The COBIT framework for IS audit incorporates the business-focused, process-oriented, controls-based and measurement-driven characteristics. NRB has issued the IT Guidelines to be implemented by the commercial banks of Nepal. Thus, due to the increase in the complexity of information systems, IS audit needs to be done to avoid risk hazards and to enhance the performance of the information systems, yielding more efficiency and competitive advantage.

    Key Words: Information System, Information Technology, IT Audit, IS Audit, COBIT,

    COBIT Framework, NRB Guidelines, Nepal


    Table of Contents

ACKNOWLEDGEMENT ...................................................................................................ii

    Abstract ........................................................................................................................... iii

    List of Abbreviations ........................................................................................................ v

    1. Background .............................................................................................................. 1

    1.1 Introduction ........................................................................................................ 1

    1.2 Significance of the Study .................................................................................... 2

    1.2.1 General Significance ................................................................................... 2

    1.2.2 Specific Significance .................................................................................... 2

    1.3 Statement of Purpose ........................................................................................ 3

    1.4 Theoretical Framework/Model ............................................................................ 3

    1.4.1 Control Objectives for Information and related Technology (COBIT): .......... 5

    2. Literature Review ..................................................................................................... 6

    2.1 Elements of IS Audit ........................................................................................... 6

    2.2 Need for a Control Framework in Information System ....................................... 7

    2.3 Procedures ....................................................................................................... 11

    2.4 Control Objectives for Information and related Technology (COBIT) ............... 12

    2.4.1 Vision ......................................................................................................... 12

    2.4.2 How COBIT Meets the Need ..................................................................... 12

    2.4.3 COBIT Framework Model .......................................................................... 21

    2.4.1 Overall COBIT Framework ........................................................................ 24

    2.5 Information Security and Technical Security Risks .......................................... 25

    2.5.1 Information Security ................................................................................... 25

    2.5.2 Technical Security Risks ............................................................................ 26

    3. IS Audit in Nepal Scenario ..................................................................................... 32


    3.1 NRB guidelines ................................................................................................ 32

    3.2 Challenges for Nepal in implementing IS Audit ................................................ 36

    4. Discussion and Recommendation .......................................................................... 37

    4.1 Discussion ........................................................................................................ 37

    4.2 Recommendation ............................................................................................. 38

    5. Conclusion ............................................................................................................. 39

    6. References and Bibliography ................................................................................. 40

    List of Abbreviations

    IT Information Technology

    IS Information System

    ISACA Information System Audit

    ITGI IT Governance Institute

    CISA Certified Information Systems Auditors

    ATM Automatic Teller Machine

COBIT Control Objectives for Information and related Technology

NRB Nepal Rastra Bank

    ISACA Information Systems Audit and Control Association

    ITSEC Information Technology Security Evaluation Criteria

    TCSEC Trusted Computer System Evaluation Criteria

    COSO Committee of Sponsoring Organizations

    CMMI Capability Maturity Model Integration

ITIL Information Technology Infrastructure Library

PMBOK Project Management Body of Knowledge

    SEI Software Engineering Institute


1. Background

    1.1 Introduction

This 21st century is the age of information and knowledge management. The strength of an organization is measured by the strength of the knowledge, capabilities, maturity models, product and service delivery processes, etc. possessed by the organization. For this, organizations and firms should have an efficient and reliable information system. To achieve the best information system, organizations are in a rat race to use cutting-edge technologies. It is indeed necessary for all organizations and firms to keep up with new technology and show good performance in the market to gain competitive advantage over rival companies.

Adopting an information system increases the risks to an organization if any flaws are present. These days, if there is a flaw in the system, the bad impression can spread to the whole world within a few seconds. Any delay in services or flaw in a product may be tweeted by customers (following the messages in social networking sites like Twitter, Facebook, etc.). So, the products and services must be perfect and should satisfy all the customers.

To achieve the main goal of the business by satisfying the customers, the information system must be flawless, must account for possible risks and should have good measures against risk hazards. For this, the information system must be certified or audited to check its level of performance and to enhance the system.

Information systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance. While there is no single universal definition of IS audit, Ron Weber has defined it as "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently."

Information systems are the lifeblood of any large business. Unlike in years past, computer systems do not merely record business transactions, but actually drive the key business processes of the enterprise. In such a scenario, senior management and business managers do have concerns about information systems. The purpose of IS audit is to review and provide feedback, assurances and suggestions. These concerns can be grouped under three broad heads:

- Availability: Will the information systems on which the business is heavily dependent be available for the business at all times when required? Are the systems well protected against all types of losses and disasters?
- Confidentiality: Will the information in the systems be disclosed only to those who have a need to see and use it and not to anyone else?
- Integrity: Will the information provided by the systems always be accurate, reliable and timely? What ensures that no unauthorized modification can be made to the data or the software in the systems?

There is also a lot of competition among business firms and organizations in Nepal. Every business firm is aware of the benefits of the information sector. The banking sector is prominent in using the best information systems within its capacity. Nepal Rastra Bank (the central bank of Nepal) has introduced guidelines for information technology audit. IT audit must still be introduced in other firms for better performance, and this will gradually increase in the coming days.

    1.2 Significance of the Study

    1.2.1 General Significance

The general significance is to study the effective management processes of information systems.

1.2.2 Specific Significance

The specific significance of the study can be stated as follows:

- To study the importance of information systems for organizations, firms, or businesses.
- To study the management philosophy, operating style, and risk assessment practices for information systems.
- To study the processes for auditing information systems adopted worldwide.
- To study the security hazards and technical risks in information systems.
- To relate information system audit to the context of Nepal.

    1.3 Statement of Purpose

Just as air is necessary for human beings, these days an information system is necessary for the smooth operation of every business, organization and institution. There are many issues in using an information system:

- High-tech manpower is needed to implement the information system in an effective way.
- Many companies, organizations, etc. are bearing a huge loss while implementing the information system.
- The information system is integrated into the whole business process. The Information Technology department must be responsible for the smooth operation of the information system.

So, there is a need for control over the implementation of information systems for prosperous overall business performance. Hence we are focusing our study on the control framework for information governance, which is also known as Information System Auditing.

    1.4 Theoretical Framework/Model

Governance over information technology and its processes, with the business goal of adding value while balancing risk versus return, ensures delivery of information to the business that addresses the required Information Criteria. This is measured by Key Goal Indicators, enabled by creating and maintaining a system of process control excellence appropriate for the business. It directs and monitors the business value delivery of IT, considers Critical Success Factors that leverage all IT Resources, and is measured by Key Performance Indicators. [IT Governance Institute, 2004]

Critical Success Factors:

- IT governance activities are integrated into the enterprise governance process and leadership behaviours.
- IT governance focuses on the enterprise goals, strategic initiatives, the use of technology to enhance the business and on the availability of sufficient resources and capabilities to keep up with the business demands.
- IT governance activities are defined with a clear purpose, documented and implemented, based on enterprise needs and with unambiguous accountabilities.
- Management practices are implemented to increase efficient and optimal use of resources and increase the effectiveness of IT processes.
- Organizational practices are established to enable: sound oversight; a control environment/culture; risk assessment as standard practice; degree of adherence to established standards; monitoring and follow up of control deficiencies and risks.
- Control practices are defined to avoid breakdowns in internal control and oversight.

Key Goal Indicators:

- Enhanced performance and cost management
- Improved return on major IT investments
- Improved time to market
- Increased quality, innovation and risk management
- Appropriately integrated and standardized business processes
- Reaching new and satisfying existing customers
- Availability of appropriate bandwidth, computing power and IT delivery mechanisms
- Meeting requirements and expectations of the customer of the process on budget and on time
- Adherence to laws, regulations, industry standards and contractual commitments
- Transparency on risk taking and adherence to the agreed organizational risk profile
- Benchmarking comparisons of IT governance maturity
- Creation of new service delivery channels

Key Performance Indicators:

- Improved cost-efficiency of IT processes (costs vs. deliverables)
- Increased number of IT action plans for process improvement initiatives
- Increased utilization of IT infrastructure
- Increased satisfaction of stakeholders (survey and number of complaints)
- Improved staff productivity (number of deliverables) and morale (survey)
- Increased availability of knowledge and information for managing the enterprise
- Increased linkage between IT and enterprise governance
- Improved performance as measured by IT balanced scorecards

In recent years, it has become increasingly evident that there is a need for a reference framework for security and control in IT. Successful organizations require an appreciation for and a basic understanding of the risks and constraints of IT at all levels within the enterprise in order to achieve effective direction and adequate controls.

Based on the compliance testing carried out in the prior phase, we develop an audit program detailing the nature, timing and extent of the audit procedures. In the audit plan, various control tests and reviews can be done.

    1.4.1 Control Objectives for Information and related Technology (COBIT):

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992.

COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.


2. Literature Review

    2.1 Elements of IS Audit

An information system is not just a computer. Today's information systems are complex and have many components that piece together to make a business solution. Assurances about an information system can be obtained only if all the components are evaluated and secured. The proverbial weakest link is the total strength of the chain. The major elements of IS audit can be broadly classified:

- Physical and environmental review: this includes physical security, power supply, air conditioning, humidity control and other environmental factors.
- System administration review: this includes security review of the operating systems, database management systems, all system administration procedures and compliance.
- Application software review: the business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.
- Network security review: review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
- Business continuity review: this includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.
- Data integrity review: the purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).

All these elements need to be addressed to present to management a clear assessment of the system. For example, application software may be well designed and implemented with all the security features, but the default super-user password in the operating system used on the server may not have been changed, thereby allowing someone to access the data files directly. Such a situation negates whatever security is built into the application. Likewise, firewalls and technical system security may have been implemented very well, but the role definitions and access controls within the application software may have been so poorly designed and implemented that by using their user IDs, employees may get to see critical and sensitive information far beyond their roles.
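As an added illustration of the weakest-link argument above (example code written for this page, not from the report), the following Python script runs two of the reviews listed in section 2.1 over constructed sample data: a system administration check for privileged accounts whose default password was never changed, and an application access-control check for users whose entitlements exceed their assigned role. The account names, the payroll role matrix, the entitlement names and the helper functions are all hypothetical.

```python
"""Added example, not from the report: two IS audit reviews from section 2.1 run over
constructed sample data and combined under the weakest-link rule.  All accounts, roles
and entitlements below are hypothetical."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class OsAccount:
    """One operating system account as an auditor might extract it from the server."""
    name: str
    privileged: bool
    created: date
    password_changed: date  # equal to `created` when the installation default was never changed


@dataclass
class AppUser:
    """One application user with the entitlements actually granted in the application."""
    user_id: str
    role: str
    entitlements: set = field(default_factory=set)


# Hypothetical role matrix for a payroll application: role -> entitlements the role permits.
ROLE_MATRIX = {
    "payroll_clerk": {"view_own_dept_salaries", "enter_timesheets"},
    "payroll_manager": {"view_own_dept_salaries", "enter_timesheets", "approve_payroll"},
    "hr_admin": {"view_all_salaries", "edit_employee_master"},
}


def review_system_admin(accounts):
    """System administration review: flag privileged accounts still on their default password."""
    return [
        f"default password never changed on privileged account '{a.name}'"
        for a in accounts
        if a.privileged and a.password_changed <= a.created
    ]


def review_application(users, role_matrix):
    """Application software review: flag entitlements that go beyond the user's assigned role."""
    findings = []
    for u in users:
        permitted = role_matrix.get(u.role)
        if permitted is None:
            findings.append(f"user '{u.user_id}' has unknown role '{u.role}'")
            continue
        excess = sorted(u.entitlements - permitted)
        if excess:
            findings.append(f"user '{u.user_id}' ({u.role}) holds excess entitlements: {excess}")
    return findings


def overall_assessment(element_findings):
    """Weakest-link rule: one failed element makes the whole system's assurance inadequate."""
    failing = [element for element, findings in element_findings.items() if findings]
    return "adequate" if not failing else "inadequate: " + ", ".join(failing)


def run_review():
    """Run both reviews over constructed sample data and return the findings per element."""
    # Constructed sample: root never had its password changed after installation.
    accounts = [
        OsAccount("root", True, date(2012, 1, 10), date(2012, 1, 10)),
        OsAccount("dbadmin", True, date(2012, 1, 10), date(2012, 3, 2)),
        OsAccount("backup", False, date(2012, 1, 10), date(2012, 1, 10)),
    ]
    # Constructed sample: u102 is a clerk who was also granted a company-wide salary view.
    users = [
        AppUser("u101", "payroll_clerk", {"view_own_dept_salaries", "enter_timesheets"}),
        AppUser("u102", "payroll_clerk",
                {"view_own_dept_salaries", "enter_timesheets", "view_all_salaries"}),
        AppUser("u103", "hr_admin", {"view_all_salaries"}),
    ]
    return {
        "system_administration": review_system_admin(accounts),
        "application_software": review_application(users, ROLE_MATRIX),
    }


if __name__ == "__main__":
    results = run_review()
    for element, findings in results.items():
        print(element, "->", findings or ["no findings"])
    print("overall:", overall_assessment(results))
```

Either finding alone is enough to make the overall assessment inadequate, which is the point of the paragraph: a well-secured application on a server with an unchanged default password offers no more assurance than the server does.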

It is important to understand that each audit may consist of these elements in varying measures; some audits may scrutinize only one of these elements or drop some of these elements. While the fact remains that it is necessary to do all of them, it is not mandatory to do all of them in one assignment. The skill sets required for each of these are different. The results of each audit need to be seen in relation to the others. This will enable the auditor and management to get the total view of the issues and problems.

    2.2 Need for a Control Framework in Information System

In recent years, it has become increasingly evident that there is a need for a reference framework for security and control in IT. Successful organizations require an appreciation for and a basic understanding of the risks and constraints of IT at all levels within the enterprise in order to achieve effective direction and adequate controls.

MANAGEMENT has to decide what to reasonably invest for security and control in IT and how to balance risk and control investment in an often unpredictable IT environment. While information systems security and control help manage risks, they do not eliminate them. In addition, the exact level of risk can never be known since there is always some degree of uncertainty.

Ultimately, management must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighted against the cost, can be a difficult management decision. Therefore, management clearly needs a framework of generally accepted IT security and control practices to benchmark the existing and planned IT environment.

There is an increasing need for USERS of IT services to be assured, through accreditation and audit of IT services provided by internal or third parties, that adequate security and control exists. At present, however, the implementation of good IT controls in information systems, be they commercial, non-profit or governmental, is hampered by confusion. The confusion arises from the different evaluation methods such as ITSEC, TCSEC, ISO 9000 evaluations, emerging COSO internal control evaluations, etc. As a result, users need a general foundation to be established as a first step.

Frequently, AUDITORS have taken the lead in such international standardization efforts because they are continuously confronted with the need to substantiate their opinion on internal control to management. Without a framework, this is an exceedingly difficult task. Furthermore, auditors are increasingly being called on by management to proactively consult and advise on IT security and control-related matters.

    Why

Increasingly, top management is realizing the significant impact that information can have on the success of the enterprise. Management expects heightened understanding of the way IT is operated and the likelihood of its being leveraged successfully for competitive advantage. In particular, top management needs to know if information is being managed by the enterprise so that it is:

- Likely to achieve its objectives
- Resilient enough to learn and adapt
- Judiciously managing the risks it faces
- Appropriately recognizing opportunities and acting upon them


Successful enterprises understand the risks and exploit the benefits of IT and find ways to deal with:

- Aligning IT strategy with the business strategy
- Assuring investors and shareholders that a standard of due care around mitigating IT risks is being met by the organisation
- Cascading IT strategy and goals down into the enterprise
- Obtaining value from IT investments
- Providing organisational structures that facilitate the implementation of strategy and goals
- Creating constructive relationships and effective communication between the business and IT, and with external partners
- Measuring IT's performance

Enterprises cannot deliver effectively against these business and governance requirements without adopting and implementing a governance and control framework for IT to:

- Make a link to the business requirements
- Make performance against these requirements transparent
- Organize its activities into a generally accepted process model
- Identify the major resources to be leveraged
- Define the management control objectives to be considered

Furthermore, governance and control frameworks are becoming a part of IT management good practice and are an enabler for establishing IT governance and complying with continually increasing regulatory requirements.

IT good practices have become significant due to a number of factors:

- Business managers and boards demanding a better return from IT investments, i.e., that IT delivers what the business needs to enhance stakeholder value
- Concern over the generally increasing level of IT expenditure
- The need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting (e.g., the US Sarbanes-Oxley Act, Basel II) and in specific sectors such as finance, pharmaceutical and healthcare
- The selection of service providers and the management of service outsourcing and acquisition
- Increasingly complex IT-related risks, such as network security
- IT governance initiatives that include adoption of control frameworks and good practices to help monitor and improve critical IT activities to increase business value and reduce business risk
- The need to optimize costs by following, where possible, standardized, rather than specially developed, approaches
- The growing maturity and consequent acceptance of well-regarded frameworks, such as COBIT, IT Infrastructure Library (ITIL), ISO 27000 series on information security-related standards, ISO 9001:2000 Quality Management Systems Requirements, Capability Maturity Model Integration (CMMI), Projects in Controlled Environments 2 (PRINCE2) and A Guide to the Project Management Body of Knowledge (PMBOK)
- The need for enterprises to assess how they are performing against generally accepted standards and their peers (benchmarking)

    Who

A governance and control framework needs to serve a variety of internal and external stakeholders, each of whom has specific needs:

- Stakeholders within the enterprise who have an interest in generating value from IT investments:
  - Those who make investment decisions
  - Those who decide about requirements
  - Those who use IT services
- Internal and external stakeholders who provide IT services:
  - Those who manage the IT organization and processes
  - Those who develop capabilities
  - Those who operate the services
- Internal and external stakeholders who have a control/risk responsibility:
  - Those with security, privacy and/or risk responsibilities
  - Those performing compliance functions
  - Those requiring or providing assurance services

    What

To meet the requirements listed in the previous section, a framework for IT governance and control should:

- Provide a business focus to enable alignment between business and IT objectives
- Establish a process orientation to define the scope and extent of coverage, with a defined structure enabling easy navigation of content
- Be generally acceptable by being consistent with accepted IT good practices and standards and independent of specific technologies
- Supply a common language with a set of terms and definitions that are generally understandable by all stakeholders
- Help meet regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and external auditors. [IT Governance Institute, 2007]

    2.3 Procedures

The preparation before commencing an audit involves collecting background information and assessing the resources and skills required to perform the audit. This enables staff with the right kind of skills to be allotted to the right assignment.

It is always good practice to have a formal audit commencement meeting with the senior management responsible for the area under audit to finalize the scope, understand the special concerns, if any, schedule the dates and explain the methodology for the audit. Such meetings get senior management involved, allow people to meet each other, clarify issues and underlying business concerns, and help the audit to be conducted smoothly.

Similarly, after the audit scrutiny is completed, it is better to communicate the audit findings and suggestions for corrective action to senior management in a formal meeting using a presentation. This will ensure better understanding and increase buy-in of audit recommendations. It also gives auditors an opportunity to express their viewpoints on the issues raised. Writing a report after such a meeting where agreements are reached on all audit issues can greatly enhance audit effectiveness.

For these procedures, a standard was developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992: a set of best practices (a framework) for information technology (IT) management known as Control Objectives for Information and related Technology (COBIT).

2.4 Control Objectives for Information and related Technology (COBIT)

    2.4.1 Vision

To research, develop, publicize and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals.

    2.4.2 How COBIT Meets the Need

In response to the needs described in the previous section 2.2, the COBIT framework was created with the main characteristics of being business-focused, process-oriented, controls-based and measurement-driven.

2.4.2.1 Business Focused

Business orientation is the main theme of COBIT. It is designed not only to be employed by IT service providers, users and auditors, but also, and more important, to provide comprehensive guidance for management and business process owners.

The COBIT framework is based on the following principle (figure below):

    To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in, manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information. Managing and controlling information are at the heart of the COBIT framework and help ensure alignment to business requirements.

    Figure 1 Basic COBIT Principle

    COBIT's information criteria: to satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. These are effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.

    Business Goals and IT Goals:

    Whilst information criteria provide a generic method for defining the business requirements, defining a set of generic business and IT goals provides a business-related and more refined basis for establishing business requirements and developing the metrics that allow measurement against these goals. Every enterprise uses IT to enable business initiatives, and these can be represented as business goals for IT.

    Figure 2 Managing IT Resources to Deliver IT Goals

    IT Resources:

    The IT organization delivers against these goals by a clearly defined set of processes that use people skills and technology infrastructure to run automated business applications while leveraging business information.

    The IT resources identified in COBIT can be defined as follows:

    Applications are the automated user systems and manual procedures that process the information.

    Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business.

    Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.

    People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

    2.4.2.2 Process Oriented

    COBIT defines IT activities in a generic process model within four domains. These domains are Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT's traditional responsibility areas of plan, build, run and monitor.

    The COBIT framework provides a reference process model and common language for everyone in an enterprise to view and manage IT activities. Incorporating an operational model and a common language for all parts of the business involved in IT is one of the most important and initial steps toward good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices. A process model encourages process ownership, enabling responsibilities and accountability to be defined.

    To govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. Within the COBIT framework, these domains, as shown in the figure below, are called:

    Figure 3 The Four Interrelated Domains of COBIT

    Plan and Organise (PO): Provides direction to solution delivery (AI) and service delivery (DS)

    Acquire and Implement (AI): Provides the solutions and passes them to be turned into services

    Deliver and Support (DS): Receives the solutions and makes them usable for end users

    Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed

    2.4.2.3 Controls Based

    COBIT defines control objectives for all 34 processes, as well as overarching process and application controls.

    PROCESSES NEED CONTROLS

    Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

    IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:

    Are statements of managerial actions to increase value or reduce risk

    Consist of policies, procedures, practices and organizational structures

    Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

    Enterprise management needs to make choices relative to these control objectives by:

    Selecting those that are applicable

    Deciding upon those that will be implemented

    Choosing how to implement them (frequency, span, automation, etc.)

    Accepting the risk of not implementing those that may apply

    Guidance can be obtained from the standard control model shown in the figure below. It follows the principles evident in this analogy: when the room temperature (standard) for the heating system (process) is set, the system will constantly check (compare) the ambient room temperature (control information) and will signal (act) the heating system to provide more or less heat.

    Each of COBIT's IT processes has a process description and a number of control objectives. As a whole, they are the characteristics of a well-managed process. The control objectives are identified by a two-character domain reference (PO, AI, DS and ME) plus a process number and a control objective number. In addition to the control objectives, each COBIT process has generic control requirements that are identified by PCn, for process control number.

    PC1 Process Goals and Objectives

    PC2 Process Ownership

    PC3 Process Repeatability, etc.

    PC4 Roles and Responsibilities

    Figure 4 Control Model

    IT GENERAL CONTROLS AND APPLICATION CONTROLS

    General controls are controls embedded in IT processes and services. Examples include:

    Systems development

    Change management

    Security

    Computer operations

    Controls embedded in business process applications are commonly referred to as application controls. Examples include:

    Completeness

    Accuracy

    Validity

    Authorization

    Segregation of duties

    The following list provides a recommended set of application control objectives. They are identified by ACn, for application control number.

    AC1 Source Data Preparation and Authorisation

    AC2 Source Data Collection and Entry

    AC3 Accuracy, Completeness and Authenticity Checks

    AC4 Processing Integrity and Validity, etc.

    2.4.2.4 Measurement Driven

    A basic need for every enterprise is to understand the status of its own IT systems and to decide what level of management and control the enterprise should provide. To decide on the right level, management should ask itself: how far should we go, and is the cost justified by the benefit?

    Obtaining an objective view of an enterprise's own performance level is not easy. What should be measured and how? Enterprises need to measure where they are and where improvement is required, and implement a management tool kit to monitor this improvement.

    COBIT deals with these issues by providing:

    1. Maturity models to enable benchmarking and identification of necessary capability improvements

    2. Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals and are used for measuring internal process performance based on balanced scorecard principles

    3. Activity goals for enabling effective process performance

    MATURITY MODELS

    Senior managers in corporate and public enterprises are increasingly asked to consider how well IT is being managed. In response to this, business cases require development for improvement and reaching the appropriate level of management and control over the information infrastructure. While few would argue that this is not a good thing, they need to consider the cost-benefit balance and these related questions:

    1. What are our industry peers doing, and how are we placed in relation to them?

    2. What is acceptable industry good practice, and how are we placed with regard to these practices?

    3. Based upon these comparisons, can we be said to be doing enough?

    4. How do we identify what is required to be done to reach an adequate level of management and control over our IT processes?

    It can be difficult to supply meaningful answers to these questions. IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. Starting from COBIT's processes, the process owner should be able to incrementally benchmark against that control objective. This responds to three needs:

    1. A relative measure of where the enterprise is

    2. A manner to efficiently decide where to go

    3. A tool for measuring progress against the goal

    Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of non-existent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) defined for the maturity of software development capability. Although concepts of the SEI approach were followed, the COBIT implementation differs considerably from the original SEI model, which was oriented toward software product engineering principles, organizations striving for excellence in these areas and formal appraisal of maturity levels so that software developers could be certified. In COBIT, a generic definition is provided for the COBIT maturity scale, which is similar to CMM but interpreted for the nature of COBIT's IT management processes. A specific model is provided from this generic scale for each of COBIT's 34 processes. Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable because, in general, the purpose is to identify where issues are and how to set priorities for improvements. The purpose is not to assess the level of adherence to the control objectives.

    The maturity levels are designed as profiles of IT processes that an enterprise would recognize as descriptions of possible current and future states. They are not designed for use as a threshold model, where one cannot move to the next higher level without having fulfilled all conditions of the lower level. With COBIT's maturity models, unlike the original SEI CMM approach, there is no intention to measure levels precisely or try to certify that a level has exactly been met. A COBIT maturity assessment is likely to result in a profile where conditions relevant to several maturity levels will be met, as shown in the example graph below.

    Figure 5 Possible maturity level of an IT process

    However, process management capability is not the same as process performance. The required capability, as determined by business and IT goals, may not need to be applied to the same level across the entire IT environment, e.g., not consistently or to only a limited number of systems or units. Performance measurement, as covered in the next paragraphs, is essential in determining what the enterprise's actual performance is for its IT processes.

    0 Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognised that there is an issue to be addressed.

    1 Initial/Ad Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

    2 Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

    3 Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

    4 Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

    5 Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
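    The profile-versus-threshold distinction made above, as an added example that is not part of the report or of COBIT's own materials: a small Python assessment scores one process against checklist statements constructed from the generic scale, and contrasts the COBIT-style profile (share of each level's conditions met) with a CMM-style threshold reading. The process identifier "DS5" is a sample in the domain-plus-process-number format the report describes, and the evidence is constructed.

```python
"""Maturity profile of one IT process, after the generic COBIT scale.

Added example, not from the report or from COBIT. The checklist statements
below are constructed from the level descriptions above; a real assessment
would use the process-specific model COBIT provides for each of its 34
processes.
"""
from __future__ import annotations

from dataclasses import dataclass

LEVELS = {
    0: "Non-existent", 1: "Initial/Ad Hoc", 2: "Repeatable but Intuitive",
    3: "Defined Process", 4: "Managed and Measurable", 5: "Optimized",
}

# Constructed checklist: one statement per characteristic named in the
# generic scale. Level 0 has no statements; it is the absence of all others.
ATTRIBUTES: dict[int, tuple[str, ...]] = {
    1: ("issue recognized as needing attention",
        "ad hoc approaches applied case by case"),
    2: ("similar procedures followed by different people",
        "responsibility rests with individuals"),
    3: ("procedures standardized and documented",
        "procedures communicated through training",
        "following the procedures is mandated"),
    4: ("compliance monitored and measured",
        "corrective action taken where processes fail",
        "automation and tools used, even if fragmented"),
    5: ("continuous improvement with external benchmarking",
        "workflow automated in an integrated way"),
}


@dataclass
class Assessment:
    process_id: str            # domain reference + process number, e.g. "DS5"
    evidence: frozenset[str]   # statements the auditor found to be met

    def profile(self) -> dict[int, float]:
        """COBIT-style profile: share of each level's statements met.

        Conditions from several levels can be met at once, which is what
        the report says a COBIT assessment is likely to show.
        """
        return {
            level: sum(stmt in self.evidence for stmt in stmts) / len(stmts)
            for level, stmts in ATTRIBUTES.items()
        }

    def threshold_level(self) -> int:
        """CMM-style reading: highest level such that it and every lower
        level are fully met. Partial progress at higher levels is lost."""
        reached = 0
        for level, fraction in sorted(self.profile().items()):
            if fraction < 1.0:
                break
            reached = level
        return reached

    def priorities(self) -> list[str]:
        """Unmet statements at the lowest incomplete level: where the issues
        are and what to address first, the purpose the report names."""
        for level in sorted(ATTRIBUTES):
            missing = [s for s in ATTRIBUTES[level] if s not in self.evidence]
            if missing:
                return [f"{level} {LEVELS[level]}: {s}" for s in missing]
        return []


def sample_assessment() -> Assessment:
    """Constructed evidence for a hypothetical process: levels 1 and 2
    complete, level 3 missing the mandate, one level 4 statement met."""
    met = frozenset(
        ATTRIBUTES[1] + ATTRIBUTES[2] + ATTRIBUTES[3][:2] + ATTRIBUTES[4][:1]
    )
    return Assessment(process_id="DS5", evidence=met)


if __name__ == "__main__":
    a = sample_assessment()
    for level, fraction in a.profile().items():
        print(f"{level} {LEVELS[level]:<26} {fraction:>5.0%}")
    print("CMM-style threshold level:", a.threshold_level())
    print("Priorities:", *a.priorities(), sep="\n  ")
```

    For the sample evidence the threshold reading collapses to level 2 while the profile shows two thirds of level 3 and one third of level 4 already in place, which is the information the report says the profile is meant to surface.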

    2.4.3 COBIT Framework Model

    The COBIT framework, therefore, ties the business's requirements for information and governance to the objectives of the IT services function. The COBIT process model enables IT activities and the resources that support them to be properly managed and controlled based on COBIT's control objectives, and aligned and monitored using COBIT's goals and metrics. [IT Governance Institute, 2007]

    Figure 6 COBIT Management, Control, Alignment and Monitoring

    To summarize, IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.

    Figure 7 The COBIT Cube

    COBIT's General Acceptability

    COBIT is based on the analysis and harmonization of existing IT standards and good practices and conforms to generally accepted governance principles. It is positioned at a high level, driven by business requirements, covers the full range of IT activities, and concentrates on what should be achieved rather than how to achieve effective governance, management and control. Therefore, it acts as an integrator of IT governance practices and appeals to executive management; business and IT management; governance, assurance and security professionals; and IT audit and control professionals. It is designed to be complementary to, and used together with, other standards and good practices.

    To achieve alignment of good practice to business requirements, it is recommended that COBIT be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every enterprise. Specific practices and standards covering discrete areas can be mapped up to the COBIT framework, thus providing a hierarchy of guidance materials.

    COBIT appeals to different users:

    1. Executive management: To obtain value from IT investments and balance risk and control investment in an often unpredictable IT environment

    2. Business management: To obtain assurance on the management and control of IT services provided by internal or third parties

    3. IT management: To provide the IT services that the business requires to support the business strategy in a controlled and managed way

    4. Auditors: To substantiate their opinions and/or provide advice to management on internal controls

    2.4.4 Overall COBIT Framework

    Figure 8 Overall COBIT Framework [IT Governance Institute, July 2000]

    2.5 Information Security and Technical Security Risks

    2.5.1 Information Security

    Security relates to the protection of valuable assets against loss, misuse, disclosure or damage. In this context, valuable assets are the information recorded on, processed by, stored in, shared by, transmitted from or retrieved from an electronic medium. The information must be protected against harm from threats leading to different types of impacts such as loss, inaccessibility, alteration or wrongful disclosure. Threats include errors and omissions, fraud, accidents and intentional damage.

    The objective of information security is protecting the interests of those relying on information, and on the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity. The impact of the Internet and the growth of the networked economy have added the need for trust in electronic transactions.

    Overall, for most computer users the security objective is met when:

    1. Information systems are available and usable when required, and can appropriately resist attacks and recover from failures (availability)

    2. Information is observed by or disclosed to only those who have a right to know (confidentiality)

    3. Information is protected against unauthorized modification or error so that accuracy, completeness and validity are maintained (integrity)

    4. Business transactions and information exchanges between enterprises, customers, suppliers or partners can be trusted (authenticity and non-repudiation)

    The relative priority and significance of availability, confidentiality, integrity and trust vary according to the value and type of information and the context in which the information is used. For example, integrity of management information is especially important to a business that relies on critical strategy-related decisions, and integrity of an online purchase is very important to the home user doing Internet shopping.

    The amount of protection required depends on how likely a security risk might occur, and how big an impact it would have if it did occur. Protection is achieved by a combination of technical and nontechnical safeguards. For the home user, this means installation of reputable security tools, maintenance of up-to-date software, care with backups, and being careful and alert to the hazards of using computers and connecting to the Internet. For large enterprises, protection will be a major task with a layered series of safeguards such as physical security measures, background checks, user identifiers, passwords, smart cards, biometrics and firewalls.

    In the ever-changing technological environment, security that is state-of-the-art today may be obsolete tomorrow. Therefore, security protection must keep pace with these changes.

    "Information security provides the management processes, technology and assurance to allow business management to ensure business transactions can be trusted; ensure IT services are usable and can appropriately resist and recover from failures due to error, deliberate attacks or disaster; and ensure critical confidential information is withheld from those who should not have access to it." Dr. Paul Dorey, director, Digital Business Security, BP Plc. [IT Governance Institute, 2004]

    2.5.2 Technical Security Risks

    Information security is a key aspect of information technology governance, and it is an important issue for all computer users to understand and address. As computer systems have become more and more commonplace in all walks of life, from home to school and office, unfortunately so too have the security risks.

    The widespread use of the Internet, handheld and portable computer devices, and mobile and wireless technologies has made access to data and information easy and affordable. On the other hand, these developments have provided new opportunities for information technology related problems to occur, such as theft of data, malicious attacks using viruses, hacking, denial-of-service (DoS) attacks and even new ways to commit organized crime. These risks, as well as the potential for careless mistakes, can all result in serious financial, reputational and other damages. Recognizing the need for better security guidance, this booklet has been developed to provide essential advice and practical tools to help protect computer users from these risks. [IT Governance Institute, 2004]

    Trojan Horse programs:

    Trojan Horse programs are a common way for intruders to trick the user (sometimes referred to as social engineering) into installing back door programs, which can allow intruders easy access to the user's computer without his/her knowledge, change the system configurations or infect the computer with a computer virus.

    Back door and remote administration programs:

    On computers using a Windows operating system, intruders commonly use three tools (Back Orifice, Netbus and SubSeven) to gain remote access to the computer. These back door or remote administration programs, once installed, allow other people to access and control the computer. The CERT vulnerability note about Back Orifice should be reviewed. Other computer platforms may be vulnerable, and the user needs to monitor vulnerability reports and maintain the system.

    Denial-of-service (DoS) attacks:

    Another form of attack is called a denial-of-service attack. This type of attack causes the computer to crash or become so busy processing data that the user is unable to use it. In most cases, the latest patches will prevent the attack.

    Being an intermediary for another attack:

    Intruders frequently use compromised computers as launching pads for attacking other systems. The use of distributed denial-of-service (DDoS) tools is an example of this. The intruders would install an agent (frequently through a Trojan Horse program) that runs on the compromised computer awaiting further instructions. Then, when many agents are running on different computers, a single handler can instruct all of them to launch a denial-of-service attack on another system. Thus, the end target of the attack is not the original user's computer, but someone else's; the original user's computer is just a convenient tool in a larger attack. [IT Governance Institute, 2004]

    Unprotected Windows networking shares:

    Intruders can exploit unprotected Windows networking shares in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer's owner, but it is also a threat to other sites on the Internet.

    Mobile code (Java/JavaScript/ActiveX):

    There have been reports of problems with mobile code (e.g., Java, JavaScript and ActiveX). These programming languages let web developers write code that is executed by the organization's web browser. Although such code is generally useful to the organization, intruders also use it to gather information (such as which web sites the user visits) or run malicious code on the computer. It is possible to disable Java, JavaScript and ActiveX in the web browser, but the user should be aware that this may limit legitimate browser functionality. Also, the user should be aware of the risks involved in the use of mobile code within e-mail programs. Many e-mail programs use the same code as web browsers to display HTML. Thus, vulnerabilities that affect Java, JavaScript and ActiveX are often applicable to e-mail and web pages.

    Cross-site scripting:

    A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form or a database inquiry. Later, when the web site responds, the malicious script is transferred to the browser. This can potentially expose the web browser to malicious scripts by:

    Following links in web pages, e-mail messages or newsgroup postings without knowing where they link

    Using interactive forms on an untrustworthy site

    Viewing online discussion groups, forums or other dynamically generated pages where users can post text containing HTML tags
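    The third case above (a dynamically generated page that echoes text a user posted) as an added example, not code from the report: a minimal Python renderer for a forum post, first in the vulnerable form that copies the post straight into the HTML, then hardened with output encoding for the context each value lands in. The author and body strings are constructed test inputs.

```python
"""Forum post rendering, vulnerable and hardened. Added example, not from
the report. Inputs are constructed."""
from __future__ import annotations

import html
import re

# Constructed test input: a post body carrying an HTML tag, and an author
# field that tries to break out of the attribute it is placed in.
POST_BODY = 'Great post! <script>alert("xss")</script>'
POST_AUTHOR = 'bob" class="moderator'


def render_post_unsafe(author: str, body: str) -> str:
    """Vulnerable: user text is concatenated into the page unchanged, so any
    tag a user posts is interpreted by every reader's browser (stored XSS)."""
    return f'<div class="post" data-author="{author}"><p>{body}</p></div>'


def render_post_safe(author: str, body: str) -> str:
    """Hardened: encode for the context the value lands in. quote=True also
    encodes " and ', which is what keeps the author inside its attribute."""
    return (
        f'<div class="post" data-author="{html.escape(author, quote=True)}">'
        f'<p>{html.escape(body, quote=True)}</p></div>'
    )


_TAG = re.compile(r"</?\s*([A-Za-z][\w-]*)")


def markup_tags_in(user_text: str) -> set[str]:
    """Tag names present in user-supplied text. Not a filter (encoding is
    the control); useful for logging or alerting on posts that carry markup."""
    return {m.group(1).lower() for m in _TAG.finditer(user_text)}


if __name__ == "__main__":
    print(render_post_unsafe(POST_AUTHOR, POST_BODY))
    print(render_post_safe(POST_AUTHOR, POST_BODY))
    print("tags in post:", markup_tags_in(POST_BODY))
```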

    E-mail spoofing:

    E-mail spoofing is when an e-mail message appears to have originated from one source when it actually was sent from another source. E-mail spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords). Spoofed e-mail can range from harmless pranks to social engineering ploys. Examples of the latter include:

    E-mail claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not comply

    E-mail claiming to be from a person in authority requesting users to send a copy of a password file or other sensitive information

    E-mail-borne viruses:

    Viruses and other types of malicious code are often spread as attachments to e-mail messages. Before opening any attachments, the user should be aware of the source of the attachment. It is not enough that the e-mail originated from a recognised address. For example, the Melissa virus spread precisely because it originated from a familiar address. Also, malicious code might be distributed in amusing or enticing programs. Many recent viruses use these social engineering techniques to spread. Examples include W32/Sircam and W32/Goner.

    Hidden file extensions:

    Windows operating systems contain an option to hide file extensions for known file types. The option is enabled by default, but a user may choose to disable this option to have file extensions displayed by Windows. Multiple e-mail-borne viruses are known to exploit hidden file extensions. The first major attack that took advantage of a hidden file extension was the VBS/LoveLetter worm, which contained an e-mail attachment named LOVE-LETTER-FOR-YOU.TXT.vbs. Other examples include Downloader (MySis.avi.exe or uickFlick.mpg.exe), VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs), and VBS/OnTheFly (AnnaKournikova.jpg.vbs). The files attached to the e-mail messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types, when in fact the file is a malicious script or executable (.vbs or .exe). [IT Governance Institute, 2004]
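    The hidden-extension trick described above, as an added example that is not the report's code: a Python check of the kind a mail gateway or attachment scanner would run, which reconstructs the name Windows displays with "hide extensions for known file types" on and flags files whose real extension is executable while the displayed name ends in a harmless-looking one. The two extension sets are a constructed policy; the sample names are the ones cited above plus two ordinary attachments.

```python
"""Flag attachments whose executable extension hides behind a benign one.
Added example, not from the report. Extension sets are a constructed policy."""
from __future__ import annotations

import ntpath
import os

# Constructed policy lists; a gateway would take these from configuration.
DECOY_EXTENSIONS = {".txt", ".mpg", ".avi", ".jpg", ".gif", ".doc", ".pdf"}
EXECUTABLE_EXTENSIONS = {".vbs", ".exe", ".scr", ".bat", ".cmd", ".js", ".pif"}


def split_ext(name: str) -> tuple[str, str]:
    """Stem and lower-cased last extension of a file name, path stripped."""
    stem, ext = os.path.splitext(ntpath.basename(name))
    return stem, ext.lower()


def displayed_name(name: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on:
    the last extension disappears when it is a registered type."""
    stem, ext = split_ext(name)
    known = DECOY_EXTENSIONS | EXECUTABLE_EXTENSIONS
    return stem if ext in known else ntpath.basename(name)


def classify(name: str) -> str:
    """'allow', 'block: executable' or 'block: hidden executable'."""
    _, real_ext = split_ext(name)
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return "allow"
    # The user sees the displayed name; if what is left of it still ends in
    # a decoy extension, the file is dressed up as something harmless.
    _, shown_ext = split_ext(displayed_name(name))
    if shown_ext in DECOY_EXTENSIONS:
        return "block: hidden executable"
    return "block: executable"


def scan(names: list[str]) -> dict[str, str]:
    """Verdict per attachment name."""
    return {n: classify(n) for n in names}


# Constructed sample: the names cited above plus two ordinary attachments.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "MySis.avi.exe",
    "COOL_NOTEPAD_DEMO.TXT.vbs",
    "AnnaKournikova.jpg.vbs",
    "quarterly-report.pdf",
    "C:\\Users\\demo\\setup.exe",
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_ATTACHMENTS).items():
        print(f"{displayed_name(name):<28} {verdict}")
```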

    Chat clients:

    Internet chat applications, such as instant messaging applications and Internet relay chat (IRC) networks, provide a mechanism for information to be transmitted bi-directionally between computers on the Internet. Chat clients provide groups of individuals with the means to exchange dialogue, web URLs and, in many cases, files of any type. Because many chat clients allow for the exchange of executable code, they present risks similar to those of e-mail clients. As with e-mail clients, the chat clients' ability to execute downloaded files should be limited. As always, the user should be wary of exchanging files with unknown parties.

    Packet sniffing:

    A packet sniffer is a program that captures data from information packets as they travel over the network. These data may include user names, passwords and proprietary information that travel over the network in clear text. With perhaps hundreds or thousands of passwords captured by the packet sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require administrator-level access. Relative to DSL and traditional dial-up users, cable modem users have a higher risk of exposure to packet sniffers, since entire neighborhoods of cable modem users are effectively part of the same LAN. A packet sniffer installed on any cable modem user's computer in a neighborhood may be able to capture data transmitted by any other cable modem in the same neighborhood.

    Identity theft:

    Information stored on a home computer may provide a hacker with enough personal data to apply for a credit card or identification in the user's name.

    Tunneling:

    When employees work at home and transfer files to a computer at the office, there is potential that someone could remotely gain access to the home PC and place a secret file in a document that ends up on the company system.

    Zombies:

    Automatic programs search for systems that are connected to the Internet but are unprotected, take them over without the owner's knowledge, and use them for malicious purposes.

    Spyware:

    Innocent-looking software (e.g., P2P agent software used in popular peer-to-peer communications software) can include or hide software that collects information about the system and the user, and can send this information to third parties without the legitimate user knowing.

    Beyond these, new programs targeting naive users keep appearing and are becoming a huge threat to information systems. Information security is therefore a key issue for information system audit. [IT Governance Institute, 2004]


3. IS Audit in Nepal Scenario

3.1 NRB guidelines

Figure 9 NRB IT Guidelines (the ten areas covered by the guidelines):

1. IT Governance
2. Information Security
3. Information Security Education
4. Information Disclosure and Grievance Handling
5. Outsourcing Management
6. IT Operation
7. Information Systems Acquisition, Development and Implementation
8. Business Continuity and Disaster Recovery Planning
9. IS Audit
10. Fraud Management


APPLICABILITY OF THE GUIDELINES

The objectives of the IT guidelines of NRB (Nepal Rastra Bank, the central bank of Nepal) are to promote sound and robust technology risk management and to strengthen system security, reliability, availability and business continuity in the commercial banks of Nepal. Banks must comply with the guidelines within two years from the date of issuance. An action plan (with a time frame for each action) for implementing the guidelines should be developed and provided to the Bank Supervision Department, Nepal Rastra Bank, within six months of issuance. The extent of compliance with the guidelines is examined during NRB's periodic onsite/offsite supervision. The guidelines cover the following 10 points. [Bank Supervision Department, 2012]

1. IT GOVERNANCE

IT has been adopted by most commercial banks to some degree, from branch automation to providing alternate delivery channels. This pervasive nature of IT has increased the challenge of governing it. Since IT is critical in supporting and enabling business goals and is strategic for business growth, due diligence on its governance is essential. IT governance is a continuous process in which IT strategy drives the process using the necessary resources.

2. INFORMATION SECURITY

Robust information is crucial for achieving business goals and for managing risk prudently in banks. Accuracy, integrity, consistency, completeness, validity, timeliness, accessibility, usability and auditability are requirements of information processed and stored electronically. To achieve these qualities of data, banks should develop and maintain a comprehensive information security program.

3. INFORMATION SECURITY EDUCATION

With the introduction of electronic delivery channels, customers no longer need to visit bank branches physically to conduct banking. This has intensified the challenge of authenticating customers. Moreover, fraudsters are designing and using more advanced techniques to impersonate users and gain illegal access to customers' accounts. To prevent illegal users from accessing the banking system, it has become essential to educate customers well in conducting banking operations securely. To create an effective information security practice, it is also important to educate other stakeholders, including the bank's employees.

4. INFORMATION DISCLOSURE AND GRIEVANCE HANDLING

Banks should clearly provide information about the services, costs, security features, risks and benefits of the electronic banking environment. Precise information about the responsibilities, obligations and rights of customers and the bank regarding electronic transactions should be delivered to customers.

5. OUTSOURCING MANAGEMENT

It has become quite common for Nepalese banks to outsource some or all of their IT functions. Inter-branch communication, software, hardware and other technical and administrative functions are commonly outsourced by Nepalese banks. Emerging technologies such as virtualization, data centre and disaster recovery site outsourcing are also becoming popular. Whatever the reasons for outsourcing, the bank has the responsibility to ensure that its service providers are capable of delivering a level of performance, service reliability, capability and security at least as stringent as it would expect for its own operations.

6. IT OPERATIONS

IT infrastructures in banks have been developed and have grown over a few years and are used to support the processing and storage of information. IT should be operated so as to ensure timely, reliable and secure information.

7. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND IMPLEMENTATION

Much software fails due to inadequate system testing and bad system design. Applications that handle customers' financial information should, inter alia, satisfy security requirements. Deficiencies in system design should be recognized at an early stage of software development and during software testing.

8. BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING

The role of the banking sector in economic growth and stability is vital and requires continuous and reliable service. The introduction of electronic delivery channels and 24/7 service availability has increased the demand for a Business Continuity Planning (BCP) framework comprising all critical aspects of people, process and technology. Business continuity should be established to minimize financial, operational, legal, reputational and other risks; it includes policies, standards and procedures to ensure the continuity, resumption and recovery of business processes and to minimize the impact of disaster. A business continuity plan generally incorporates business impact analysis, recovery strategies, the business continuity plan itself, as well as testing, training, awareness, communication and a crisis management program.

9. IS AUDIT

Since the increasing complexity of the IT environment in banks has created significant risk, comprehensive risk management is needed, comprising various standard internal control frameworks, the bank's own requirements and NRB requirements. To ensure the effectiveness of the implemented control framework and the adequacy of the adopted security plan and procedures, banks should conduct an IS audit annually.

10. FRAUD MANAGEMENT

Nepalese banks use electronic delivery channels to provide banking services. The increased use of Internet banking, mobile banking, payment cards (debit and credit cards) and ATMs is also creating a risk of electronic fraud in the banking system. [Bank Supervision Department, 2012]


3.2 Challenges for Nepal in implementing IS Audit

Nepal is a developing country. Although Nepal is backward in other infrastructure, it has achieved significant development in the IT sector. Most of the government and non-government sectors in the country have incorporated IT into their information systems. Nowadays, information systems have taken a central role in every sector of the country, such as the government, banking and business sectors. The advent of IT brings both opportunity and risk. Although most companies use IT as the main backend for their information system, they are either unaware of the risk involved or they ignore the risk because of a lack of IT guidelines and policy for the information system. The unseen risk in the IT system poses a great threat to the information system. The threat to an information system is not limited by the country's geographical boundary: since IT has connected information systems across the whole globe, a threat can originate from any place in the world. Therefore one must be prepared to tackle the unseen risk in the information system.

To list them, the challenges of implementing IS audit in Nepal are as follows:

• To model suitable information system audit guidelines that are appropriate for Nepal and can be implemented well in the context of Nepal.

  o If we try to implement a model from elsewhere in the world, it may not fit exactly here in Nepal, because some sectors may not be able to install high-cost IT infrastructure. In addition, due to the ongoing energy crisis in the country, a high investment in backup power supply may be required to keep IT devices running without interruption.

• To find skilled manpower who can carry out an information system audit properly.

  o Although the country has a lot of skilled manpower in the IT field, it lacks professionals who can conduct an audit of an information system.

• To convince higher-authority personnel who are in the decision-making process.

  o It is hard to convince higher-authority personnel who come from a non-technical background and who are not well acquainted with the contemporary IT-savvy world.

4. Discussion and Recommendation

4.1 Discussion

A standardized framework of IT governance is very important to minimize risk and get the maximum output from information systems. Information systems are integrated into overall business processes. The performance of any firm is reflected in the excellence of its use of information systems. To check the compliance of the information system and avoid risk hazards, an IS audit is necessary from time to time. COBIT incorporates the business-focused, process-oriented, controls-based and measurement-driven characteristics.

The information system must not deviate from the mission, objectives and core values of the firm if the long-term vision of the firm / organization is to be achieved. These systems exist to enhance processes in an efficient way that minimizes cost and time. By using IS, the quality of products and services must be upgraded. All of this effectiveness and enhancement must be measurable too.

Though Nepal is backward in other infrastructure, its achievement in developing an IT sector is very significant and praiseworthy. Most of the government and non-government sectors in the country have incorporated IT into their information systems. Nowadays, information systems have taken a central role in every sector of the country, such as the government, banking and business sectors.

The advent of IT brings both opportunity and risk. Although most companies use IT as the main backend for their information system, they are either unaware of the risk involved or they ignore the risk because of a lack of IT guidelines and policy for the information system. The unseen risk in the IT system poses a great threat to the information system. The threat to an information system is not limited by the country's geographical boundary. Therefore one must be prepared to tackle the unseen risk in the information system. Proper guidelines for IS audit should be made, and IS audit must be implemented in all sectors, not only in the banking sector of Nepal.

4.2 Recommendation

There is no doubt that proper use of information systems will enhance the overall performance of businesses, organizations and firms. Any flaws or inefficiency in the information systems are much more risky than the benefits being achieved. To reduce the risk hazards of the information system, proper guidelines for IS audit must be adopted by businesses, organizations and firms.

IS audit must comply with the current environment of the country. The governing body must make standard guidelines, so that the firms under that body can adopt similar models. The framework of IS audit is very important for all managers to know, as information systems are becoming the backbone of all organizations.

For Nepal, IS audit is a totally new concept. The need for IS audit is increasing due to the increasingly complex information systems adopted by organizations and firms. Some recommendations are as follows:

• Government policies must be made to increase IS audit human resources.

• Appropriate and feasible-to-implement models of information system audit guidelines must be prepared for the context of Nepal.

• Training programs for IS audit must be introduced to IT professionals.

• Higher authority levels must be made aware of information system auditing.


5. Conclusion

Nowadays, the use of information systems is found everywhere. The advent of IS brings both opportunity and risk. A standardized framework of IT governance is very important to minimize risk and get the maximum output from information systems. Information systems are integrated into overall business processes. The performance of any firm is reflected in the excellence of its use of information systems. To check the compliance of the information system and avoid risk hazards, an IS audit is necessary from time to time.

COBIT incorporates the business-focused, process-oriented, controls-based and measurement-driven characteristics. The information system must not deviate from the mission, objectives and core values of the firm if the long-term vision of the firm / organization is to be achieved. These systems exist to enhance processes in an efficient way that minimizes cost and time. By using IS, the quality of products and services must be upgraded. All of this effectiveness and enhancement must be measurable too.

NRB has issued IT Guidelines to be implemented by the commercial banks of Nepal. The objectives of the IT guidelines of NRB (Nepal Rastra Bank, the central bank of Nepal) are to promote sound and robust technology risk management and to strengthen system security, reliability, availability and business continuity in the commercial banks of Nepal. Banks must comply with the guidelines within two years from the date of issuance. An action plan (with a time frame for each action) for implementing the guidelines should be developed and provided to the Bank Supervision Department, Nepal Rastra Bank, within six months of issuance.

Hence, due to the increasing complexity of information systems, an IS audit is necessary to avoid risk hazards and to enhance the performance of information systems so that they yield more efficiency and competitive advantage.


6. References and Bibliography

1. IT Governance Institute. (2004). COBIT Student Book. COBIT in Academia.

2. Allinson, C. (2001). Information Systems Audit Trails in Legal Proceedings as Evidence. Computers & Security, 20, 409-421.

3. Bank Supervision Department. (2012). Nepal Rastra Bank Information Technology Guidelines. Kathmandu: Nepal Rastra Bank.

4. BDO USA LLP. (January 24, 2012). Audit of Information Technology Support for Export-Import Bank's Mission. New York, USA: Office of Inspector General, Export-Import Bank of the US.

5. Botha, H., & Boon, J. A. (2003). The Information Audit: Principles and Guidelines. Libri, 53, 23-38.

6. Champlain, J. J. (2003). Auditing Information Systems (2nd ed.). John Wiley & Sons, Inc.

7. Stoel, D., Havelka, D., & Merhout, J. W. (2011). An analysis of attributes that impact information technology audit quality: A study of IT and financial audit practitioners. International Journal of Accounting Information Systems, 13, 60-79.

8. Australian Government Department of Defence. (January 2011, V 11.1). Information System Audit Guide.

9. Department of Information Technology. (2001). Information Systems audit policy for the banking and financial sector. Mumbai: Reserve Bank of India.

10. Elky, S. (2007). An Introduction to Information System Risk Management. SANS Institute.

11. Ernst & Young Ford Rhodes Sidat Hyder. (2009). The Information Systems Audit. Ernst & Young Ford Rhodes Sidat Hyder.

12. Maria, E., & Haryani, E. (2011). Audit Model Development of Academic Information System: Case Study on Academic Information System of Satya Wacana. Journal of Arts, Science & Commerce, II(2).

13. Kim, H.-J., Mannino, M., & Nieschwietz, R. J. (2009). Information technology acceptance in the internal audit profession: Impact of technology features and complexity. International Journal of Accounting Information Systems, 214-228.

14. Government of NCT Delhi. (2008). Information Technology Audit of the Directorate of Education.

15. ISACA. (16 August 2010). IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals. IL, USA: ISACA.

16. ISACA. (2010). IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals. Rolling Meadows, IL 60008, USA.

17. IT Governance Institute. (2005). Aligning COBIT, ITIL and ISO 17799 for Business Benefit: Management Summary. IL, USA: IT Governance Institute.

18. IT Governance Institute. (July 2000). COBIT 3rd Edition Control Objectives. IL, USA: COBIT Steering Committee and the IT Governance Institute.

19. IT Governance Institute. (2007). COBIT 4.1. IL, USA: IT Governance Institute.

20. IT Governance Institute. (2004). COBIT Security Baseline. IL, USA: IT Governance Institute.

21. Akoka, J., & Comyn-Wattiau, I. (2010). A Framework for Auditing Web-Based Information Systems. 18th European Conference on Information Systems.

22. Jericho Forum. (January 2009). IT Audit and Compliance. Jericho Forum-COA Position Paper.

23. Martinez, M. A., Lasheras, J., Fernandez-Medina, E., Toval, A., & Piattini, M. (2010). A Personal Data Audit Method through Requirements Engineering. Computer Standards and Interfaces, 166-178.

24. Kaul, V. N. IT Audit Process & Methodology. Manual of Information Technology Audit.

25. Office of the Auditor General Western Australia. (June 2012). Information Systems Audit Report. Perth, Australia: Office of the Auditor General Western Australia.

26. Guarda, P., & Zannone, N. (2008). Towards the development of privacy-aware systems. Science Direct.

27. Kumar, P., & Maheshwori, S. IT Security & Audit Policy. Retrieved 2012/9/25 from http://it.delhigovt.nic.in: http://www.nsit.ac.in/pdf/itsa_policy.pdf

28. Progestic International Inc. (January 2005). Audit of Information Technology. Ottawa: Natural Sciences and Engineering Research Council of Canada.

29. Rafeq, A. (May 2003). Practical Approach to Information System Audit.

30. Buchanan, S., & Gibb, F. (2008). The information audit: Methodology selection. International Journal of Information Management, 28(1), 3-11.

31. Buchanan, S., & Gibb, F. (June 2008). The information audit: Theory versus practice. International Journal of Information Management, 28(3), 150-160.

32. Wright, C. (2008). The Information Systems Audit program. The IT Regulatory and Standards Compliance Handbook, 43-58.