ISCA Chap 9

ISCA1 | P a g e

ISCAGLOBALPROFESSIONALSTUDIES




















DRAFTING OF IS SECURITY

POLICY, AUDIT POLICY, IS

AUDIT REPORTING

ISCA

4/1/2014

GLOBAL PROFESSIONAL

STUDIES

2 | I S C A c o l o r n o t e s a v a i l a b l e f o r R s . 1 0 0 0 / -

Bhinang Tejani 98980-54244 GPS Surat Abhishek Chaudhary 90160-76035

Write a brief note on information security and its importance. (CA final may 04, may 05,

nov 07)

Information System Security

1. Security means the protection of valuable assets (say data, information, hardware etc)

against loss, disclosure, or damage.

2. Securing valuable assets from threats, sabotage, or natural disaster with physical

safeguards such as locks, perimeter fences, and insurance is commonly understood

and implemented by most organizations.

3. However, security must be expanded to include logical and other technical safeguards

such as user passwords, firewalls, etc. which are not understood nearly as well by

organizations as physical safeguards. In organizations where a security breach has

been experienced. (Physical safeguard toh sab samajte ha aur implement karte ha,

apan logical aur technical safeguard bhi lagayenge) Security Objective

The objective of information system security is

“The protection of the interests of those relying on information, and the information

systems, from harm resulting from failures of confidentiality, integrity, and availability”.

For any organization, the security objective comprises three universally

accepted attributes:

Code: CIA (DMW)

1. Confidentiality: Prevention of the unauthorized Disclosure of information.

2. Integrity: Prevention of the unauthorized Modification of information.

3. Availability: Prevention of the unauthorized Withholding of information.

The relative priority and significance of confidentiality, integrity and availability vary

according to the data within the information system and the business context in which it is

used.



Importance of information security Organizations depend on timely, accurate, complete, valid, consistent, relevant, and reliable

information. Accordingly, executive management has a responsibility to ensure that the organization

provides all users with a secure information systems environment.

In this it environment there are many direct and indirect risks relating to the information systems.

These risks have led to a gap between the need to protect systems and the degree of protection

applied.

These risks are nothing but the gap that is caused by following reasons:

• Widespread use of technology

• Interconnectivity of systems

• Unevenness of technological changes

• Elimination of distance, time, and space as constraints

• Attractiveness of conducting unconventional electronic attacks over more conventional physical

attacks against organization.

• External factors such as Legislative, Legal, and Regulatory requirements or technological

developments.



What Information is Sensitive? –self study

The following examples highlight some of the factors, necessary for a company to succeed. The

common thing thread in each case is the critical information that each generates. Strategic Plans: Most organizations readily acknowledge that strategic plans are crucial to the

success of a company. But most of the companies fail to really make an effort to protect these plans. For example: a competitor learns that a company is testing a new product line in a specific

geographic location. The competitor removes its product from that location, creating an illusionary

demand for the product. When the positive results of the marketing test are provided to the company's

executives, they decide to roll the product out nationwide. Only then did the company discover that in

all other geographic regions the competition for their product was intense. The result: the company

lost several million, dollars as its product sales faltered.

Although it might have been impossible for the company to completely prevent its intentions from

being discovered, this situation does illustrate the real value of keeping strategic plans confidential.

In today’s global environment, the search for competitive advantage has never been greater. The

advantages of achieving insight into a competitor's intentions can be substantial. Industry studies bear

witness to this fact. Business Operations: Business operations consist of an organization’s process and procedures, most

of which are deemed to be proprietary. As such, they may provide a market advantage to the

organization. This is the case when one company can provide a service profitably at a lower price

than the competition. A company's client lists and the prices charged for various products and

services can also be damaging in the hands of a competitor. While most organizations prohibit the sharing of such data, carelessness often results in its

compromise. Such activity includes inadvertent storage of data on unauthorized systems, unprotected

laptops, and failure to secure magnetic media. Finances: Financial information, such as salaries and wages, are very sensitive and should not be

made public. While general salary ranges are known within industry sectors, precise salary

information can provide a competitive edge. As salaries and wage-related charges normally

comprise the majority of fixed costs, lower costs in this area contribute directly to an organization’s

profitability. When a competitor knows specific information about a company's wages, the

competitor may be able to price its products accordingly. When competitors' costs are lower, they can

either under-price the market or increase profits. In either case, the damage to an organization may be

significant.



What steps do they need to take to keep all of their critical information protected?

OR

Factors which decide level of information security. Establishing better Information Protection:

a. Not all data has the same value: And, as such, the information may be handled and protected

differently. Organizations must determine the value of the different types of information in their

environment before they can plan for the appropriate levels of protection.

b. Know where the critical data resides: In today's business environment, this is normally the

company’s information systems infrastructure. Because each piece of information may require

different levels of protection, identifying where each is located enables an organization to establish

an integrated security solution. This approach also provides significant cost benefits, as the company

does not need to spend more on protecting data than the data itself is worth.

c. Develop an access control methodology: Information that is inadvertently(by mistake) damaged,

disclosed or copied without the knowledge of the owner may render the data useless. To guard

against this, organizations must establish some type of access control methodology.

For important data, this access control (and the associated auditing) should extend to the file level.

There are many types of solutions designed to provide this protected access.

d. Protect information stored on media: Employees can cause considerable damage by walking out

the door with information on 3 ½-inch floppy disks or CD-ROMS.

In addition, companies should control magnetic media to reduce the loss of software (both

application and operating system).

e. Review hardcopy output: The hardcopy output of employees’ daily work should also be reviewed.

Although strategic plans in their final forms may be adequately protected, what measures are used to



safeguard all drafts and working papers? What information is regularly placed in the recycle or trash

containers without thought to its value?

PROTECTING COMPUTER-HELD INFORMATION SYSTEMS We discussed that not all information is equal and that some information requires greater protection

than other information. There are few basic ground rules that must be addressed sequentially for establishing better

information protection:

(Code: 2 ladke 1 ladki ka ATM ) Rule 1: We need to know that ‘what the information systems are’ and ‘where these are located’.(tu

ha kon aur kaha ha?)

Rule 2: We need know the value of the information held and how difficult it would be to recreate if it

were damaged or lost.(agar mar dia toh how difficult it would be for his dad to recreate another)

Rule 3: We need to know that ‘who is authorized to access the information’ and ‘what they are

permitted to do with the information’.(ladki k friends- for some one girl may be party animal for

some other only hi hello) Rule 4: We need to know that ‘how quickly information needs to be made available should and it

become unavailable for whatever reason (loss, unauthorized modification, etc.) ‘(eg: ATM) THERE ARE 3 TYPES OF PROTECTION THAT AN ORGANIZATION CAN USE FOR

PROTECTION OF COMPUTER HELD INFORMATION: 1. Preventative Information Protection: This type of protection is based on use of security

controls. Information system security controls are generally grouped into three types of control:

Physical, Logical, and Administrative. Organizations require all three types of controls. The

organization’s Information Security Policy through the associated Information Security Standards

documentation mandates use of these controls.

Here are some examples of each type of control:

1. Physical: Doors, Locks, Guards, CCTV, Paper Shredders, Fire Suppression Systems.



2. Logical (Technical): Passwords, File Permissions, Access Control Lists.

3. Administrative: Security Awareness, User Account Revocation, and Policy

2. Restorative Information Protection:

i. Security events that damage information systems will happen. If an organization cannot recover or

recreate critical information systems in an acceptable time period, the organization will suffer and

possibly have to go out of business.

ii. Planning and operating an effective and timely information system backup and recovery

program is vital to an operation.

iii. Information system backup does not simply involve backing up "just the valuable information," but

also means backing up the system as well, since the information may need services that the system

provides to make the information usable.

Here are a few questions that any restorative information system protection program MUST address:

Code: (5 points- 4 on recovery and 1 on back up)

i. Has the recovery process been tested recently?

ii. How long did it take? (testing karne me kitna time laga)

iii. How much productivity was lost? (during testing kitna productivity lost hua say: employee kam

nai kar paye.)

iv. Did everything go according to plan? (testing ka result kya ha? Jaisa socha tha vaisa hi aya na)

---------------------------------------------------------------------------------------------------------------------

v. How much extra time was needed to input the data changes since the last backup?( say X than

X+Y than X+Y+Z)

3. Holistic Protection:

Protection must be done holistically and give the organization the appropriate level of security at a

cost that is acceptable to the business.

One must plan for the unexpected and unknown, expect the worst events to happen, and recover from

these events if and when they occur, as though nothing ever happened.

Such events can’t be planned, and they always seem to happen at the most inopportune times.

Organizations that wait until the last minute to decide on a protection plan and recovery process will

suffer.



INFORMATION SECURITY POLICY Meaning of POLICY:

A Policy is a plan or course of action, designed to influence and determine decisions, actions and

other matters.

Meaning of SECURITY POLICY:

The security policy is a set of laws, rules, and practices that regulates how assets, including sensitive

information are managed, protected, and distributed within the user organization.

Meaning of SECURITY POLICY:

An information Security policy addresses many issues such as

1. disclosure, integrity and availability concerns(CIA CONCERNS),

2. who may access what information and in what manner,

3. basis on which access decision is made,

4. separation of duties,(This enables internal check eg: croma)

5. who controls and who owns the information.

Issues to address: The policy should AT LEAST ADDRESS the following issues:

Code:

Student: sir IS policy me kya issue address karene chaiye?

Sir: 2 definations……

Student: 2 definition explain kar do

Sir: Goals and principles bataya aur bola definition supporting document se padh lo.

1. A definition of information security.

2. Definition of all relevant information security responsibilities.

3. A brief explanation of the security policies, principles, standards and compliance

requirements,

4. Goals and principles of information security and Reasons why information security is

important to the organization.

5. Reference to supporting documentation.

Members of Security Policy: Security has to encompass managerial, technological and legal

aspects. Security policy broadly comprises the following three groups of management:

i. Management members who have budget and policy authority,

ii. Technical group who know what can and cannot be supported(eg: Auditors), and iii. Legal experts who know the legal ramifications(outcome) of various policy charges



TYPES OF INFORMATION SECURITY POLICIES AND THEIR

HIERARCHY Major Information Security Policies are given as follows:

1. Information Security Policy: (DOI) This policy provides a Definition of Information

Security, its overall Objective and the Importance applies to all users.

2. User Security Policy: (RRR) This policy sets out the Responsibilities and Requirements for

all IT system users. It provides security terms of Reference for Users, Line Managers and

System Owners.

3. Acceptable Usage Policy: This sets out the policy for acceptable use of email and Internet

services.

4. Organizational Information Security Policy : This policy sets out the GROUP POLICY for

the security of its information assets and the Information Technology (IT) systems

processing this information. (Although it is positioned at the bottom of the above

hierarchy diagram, it is the main IT security policy document.)

5. Network & System Security Policy : This policy sets out detailed policy for system and

network security and applies to IT department users

6. Information Classification Policy : This policy sets out the policy for the classification of

information

7. Conditions of Connection : This policy sets out the GROUP POLICY for connecting to their

network. It applies to all organizations connecting to the organization.

10 | I S C A C o l o r n o t e s a v a i l a b l e f o r R s . 1 0 0 0 / -


Components of the Security Policy:

A good security policy should clearly state the following:

1. Purpose and Scope of the Document and the intended audience,

2. Security infrastructure

3. Incident reporting and incident response mechanism,

4. Security organization Structure,

5. Inventory and Classification of assets,

6. Physical and Environmental Security,

7. IT Operations management,

8. IT Communications,

9. System Development and Maintenance Controls(chapter 2)

10. Business Continuity Planning (chapter 6)

11. Legal Compliances(company law)

12. Monitoring and Auditing Requirements(audit) and 13. Underlying Technical Policy(har abde admi k piche ek politician ka support hota ha)

Described below are the major contents of a typical security policy. Purpose and Scope:

PURPOSE

The primary objective of the policy would be to ensure confidentiality, integrity and availability

of information and related systems.

The security policy is designed to: (a) Deny authorized access to any IT resources, and Restrict access to data and resources.

(unauthorized access ko deny karo, aur authorized access ko restrict karo) (b) Within the operational constraints, the security controls will allow the required services to be

available to authorized users only. (only authorized user ko service dene ka)

SCOPE (c) The scope defines how far the policy would be applicable, to whom it would be applicable and

the period for which the policy would be applicable.


Security Organization Structure: discussed later RESPONSIBILITY ALLOCATION: The responsibilities for the management of Information Security should be set out in this policy.

a. An owner(sharukh) would be appointed for each information asset.

b. All staff should be aware of the need for Information Security and should be aware of their

responsibilities.(say for eg: goal keeper knows what he has to do)

c. All tasks have been successfully completed and system owner is satisfied.

d. All new network communications links must be approved.(eg: new player in chak de india team)

e. A contact list of organizations that may be required in the event of a security incident to be

maintained.(eg: police, fire, ambulance)

f. Risk assessments for all third party access to the information assets and the IT Network must be

carried out. 6Risk Assessment Limited and controlled

g. Access by third parties to all material related to the IT Network and infrastructure must be strictly

limited and controlled. There should be a Conditions of Connection agreement in place for all third

party connections.

(intentionally left blank)



Asset Classification and Security Classification Following are the major points for these classifications:

1 INVENTORY:

1. An inventory of assets must be maintained. This must include physical, software and

information assets.

6 CLASSIFICATION:

2. A formal, documented classification scheme (as set out in the Information Classification

Policy) should be in place and all staff must comply with it.

3. The originator or 'owner' of an item of information (e.g. a document, file, diskette, printed

report, screen display, e-mail, etc.) should provide a security classification, where

appropriate.

4. The handling of information, which is protectively marked CONFIDENTIAL or above

must be specifically approved (i.e. above RESTRICTED).

5. Organizations to whom information is to be sent must be informed of the protective

marking associated with that information, in order to establish that it will be handled by

personnel with a suitable clearance corresponding to the protective marking.

6. Appropriate procedures for information labeling and handling must be agreed and put

into practice.

7. Classified waste must be disposed of appropriately and securely.




Access Control

Access controls must be in place to prevent unauthorized access to information systems and

computer applications In Access Control, the following points need to be taken into consideration:

Company as a whole:

1. Access must only be granted in response to a business requirement. (sometimes you

may also need to give access to facebook to a marketing agent because that’s the

business requirement.)

Formal processes must be in place to provide individuals with access.(make an

application to admin, he will forward application to higher level to give access to

facebook.)

The requirement for access must be reviewed regularly.

System:

2. System Owners are responsible for approving access to systems and they must maintain

records of who has access to a particular system and at what level.

The actual access controls in place must be audited against this record on a regular basis.

3. Users should be granted access to systems only up to the level required to perform their

normal business functions.

Users:

4. The registration (joined) and de-registration (left) of users must be formally managed.

5. Access rights must be deleted for individuals who leave or change jobs.(jaise hi job chod

k gate k bahar nikle delete access)

6. Each individual user of an information system or computer application will be

provided with a unique user identifier (user id)

7. It should not be permitted for an individual to use another person's user id or to log-on,

to allow another individual to gain access to an information system or computer

application.

8. PCs and terminals should never be left unattended whilst they are connected to

applications or the network. Someone may use the equipment to access confidential

information or make unauthorized changes.

General:

9. Passwords Policy should be defined and the structure of passwords and the duration of

the passwords should be specified. Passwords must be kept confidential and never

disclosed to others.

10. Mobile computing - When using mobile computing facilities, such as laptops,

notebooks, etc., special care should be taken to ensure that business

information is not compromised, particularly when the equipment is used in public

places.


Incident Handling For incident handling, following are the major points:

a. Security incident reporting times and approach must be consistent at all times.

1 2

b. Specific procedures must be introduced to ensure that incidents are recorded and any

recurrence is analyzed to identify weaknesses or trends.

c. Procedures for the collection of evidence relating to security incidents should

be standardized.

d. Adequate records must be maintained and inspections facilitated to enable the

investigation of security breaches or concerted attempts by third parties to identify

security weaknesses.

Physical and Environmental Security For the proper implementation of Physical and Environment Security, the following points need to

taken into account:

Watchman..!! watchman..!! ap muje andar jane donge kya?

1. Physical security should be maintained (watchman rakhna jaruri ha) and checks must be

performed to identify all vulnerable areas within each site. (aju baju dekhte raho kaha se

chor andar aa sakta ha)

2. The IT infrastructure must be physically protected.(eg: server k bahar watchman)

3. Access to secure areas must remain limited to authorized staff only.(server is a secure area

usme access is only to authorized staff)

When not using:

4. Confidential and sensitive information and valuable assets must always be securely

locked away when not in use. (eg: files/gold kept in safe when not in use)

When using:

5. Computers must never be left unattended whilst displaying confidential or sensitive

information or whilst logged on to systems.

Before you use it, you have to buy:

6. Supplies and equipment must be delivered and loaded in an isolated area to prevent any

unauthorized access to key facilities

7. Premises housing computer equipment and data should be located away from, and

protected against threats of deliberate or accidental damage such as fire and natural

disaster.



Business Continuity Management In Business Continuity planning, following points should be addressed:

1. A Business Continuity Plan (BCP) must be maintained, tested and updated regularly.

2. All staff must be made aware of it.

3. A Business Continuity and Impact Assessment must be conducted annually.

4. Suppliers of network services must be contractually obliged to provide a predetermined

minimum service level. System Development and Maintenance Controls These controls are given as follows:

1. System development or enhancements must have appropriate security controls included to

safeguard their availability and ensure the integrity and confidentiality of the information

they process.

2. All security requirements and controls must be identified and agreed prior to the

development of information systems.

AUDIT POLICY

Purpose of the audit policy: Purpose of this audit policy is to provide the guidelines to the audit team to conduct an audit

on IT based infrastructure system.

W H Y A U D I T I S D O N E ?

a. The Audit is done TO PROTECT ENTIRE SYSTEM from the most common

security threats which includes the following:

a. Access to confidential data(employee accessing confidential data)

b. Unauthorized access of the department computers(employee data kaha se

access karenga, departmental computers se)

c. Password disclosure compromise(department ka computer kaise access kia

kisi ne password bataya honga tab na)

d. Virus infections(aise employee company k lie virus ha)

--------------------------------------------------------------------------------------------

e. Denial of service attacks(jisko mann kia attack kar k chala gaya)

f. Open ports, which may be accessed from outsiders(attack isliye hua because

ports are left open) and

g. Unrestricted modems(port isliye open reh gaye because modem ko restrict

nai kia) b. Audits may be conducted TO ENSURE (CIA) integrity, confidentiality and

availability of information and resources.

c. An IS audit is CONDUCTED TO ACHIEVE 5 OBJECTIVES:


a. Asset safeguarding objective: The information system assets (hardware,

software, data files etc) must be protected by a system of internal audit from

unauthorized access.

b. Data integrity objective.

c. System effectiveness objective. Effectiveness of the system is evaluated by

auditing the characteristics and objectives of the system to meet substantial user

requirements.

d. System Efficiency objective. To optimize the use of various information system

resources. and

e. comply with Information System related policies, guidelines, circulars,

and any other instructions requiring compliance in whatever name called.

Scope of IS Audit:

1. The scope of IS auditing should encompass the

examination and evaluation of

the adequacy and effectiveness of

the internal control system and the quality of performance by the information system.

2. IS Audit will

examine and evaluate the

Planning, organizing, and directing processes

to determine whether reasonable assurance exists that objectives and goals will be

achieved. The scope of the audit will also include the internal control system(s) on the use and

protection of information and the information system, as under:

• Data

• Application systems

• Technology

• Facilities

• People The Information System auditor will consider whether the information obtained from the above

reviews indicates coverage of the appropriate areas. The information system auditor will examine,

among others, the following:

1. GOAL: Information system mission statement and agreed goals and objectives for

information system activities.

of information

system

of IS activities


2. RISK: Assessment of the risks associated with the use of the information systems

and approach to managing those risks.(goal toh set kar lia, usko achieve karne me risk kya

ha)

3. PLAN TO IMPLEMENT STRATEY: Information system strategy plans to implement the

strategy and monitoring of progress against those plans.

4. BUDGET: Information system budgets and monitoring of variances.

---------------------------------------------------------------------------

5. Major contract approval and monitoring of performance of the supplier.

6. Monitoring of performance against service level agreements.

7. Acquisition of major systems and decisions on implementation.

-------------------------------------------------------------------------------

8. Impact of external influences on information system such as internet, merger of suppliers or

liquidation etc.

What Audit policy should do? :

The Audit Policy should lay down the responsibility of audit.

The audit may be conducted by internal auditors or external auditors.

Information System Auditors should be independent of the activities they audit. Independence

permits the auditors to render impartial and unbiased judgment essential to the proper conduct of

audits.

-------------------------------------------------------------------------------------------------------------------------

1. The Policy should lay out the periodicity of reporting(say monthly, quarterly, yearly) and the

authority to whom the reporting is to be made(say to CEO, manager, RBI, SEBI etc)

2. A statement of professional proficiency may be included to state the minimum

qualification and experience requirements of the auditors.(auditor should be CA and should cleared

DISA for bank audit + minimum 5 years experience.)

3. All information system auditors will sign a declaration of fidelity and secrecy before

commencing the audit work.

4. The policy may lay out the extent of testing to be done under the various phases of the audit

• Planning

• Compliance Testing

• Substantive Testing



5. A documented audit program would be developed including the following:

EXPECTED Q: How would you develop the documented audit program

OR Points to be considered when documented audit program is developed.

1. Documentation of the information system auditor's procedures for collecting, analyzing,

interpreting, and documenting information during the audit.

2. Objectives of the audit.

3. Scope, nature, and degree of testing required to achieve the audit objectives in each phase of

the audit.(say SND of Testing to achieve objective of planning phase.)

4. Identification of technical aspects, risks, processes, and transactions which should be

examined.(there are thousands of processes in a organization, you cannot examine all)

5. Procedures for audit will be prepared prior to the commencement of audit work and modified,

as appropriate, during the course of the audit.

6. The policy should define the access rights to be given to the auditors.

This access may include:

1. User level and/or system level access to any computing or communications device.

2. Access to information (electronic, hardcopy, etc.)

3. Access to work areas (labs, offices, cubicles, storage areas, etc.)

4. Access to reports / documents created during internal audit.

5. Access to interactively monitor and log traffic on networks.(dekhna aur note down karna)

7. The Policy should outline the compliance testing areas such as:

• Organizational and Operational Controls

• Security Management Controls

• System development and Documentation Controls

• Application Controls

• Physical and Environmental Controls

• Access Controls

• Business Continuity Controls, etc.

8. The auditor will carry out substantive testing wherever the auditor observes weakness in internal

control or where risk exposure is high. The auditor may also carry out such tests to gather additional

information necessary to form an audit opinion.



9. The Audit Policy would define the compulsory audit working papers to be maintained and their

formats.


[Type text ] [Type text ] [Type text ]

Nov 09: During IS audit of bank what are the kind of working papers and documentation you

would prepare?

AUDIT WORKING PAPERS AND DOCUMENTATION

1. Working papers should record

1. the audit plan,

2. the nature, timing and extent of auditing procedures performed, and

3. the conclusions drawn from the evidence obtained.

2. All significant matters which require the exercise of judgment should also be included in the

working papers.

3. The form and content of the working papers are affected by matters such as:

1. The nature of the engagement,(tax audit, statutory audit)

2. The form of the auditor’s report,(depends on--given to SH, bankers, management)

3. The nature and complexity of client’s business,(WIP stock in manufacturing) and

4. The nature and condition of client’s records (fire last year) and degree of reliance on internal

controls. In case of recurring audits, some working paper files may be classified as permanent audit files

which are updated currently with information of continuing importance to succeeding audits,

as distinct from the current audit files which contain information relating primarily to audit of a

single period.

The permanent audit file normally includes:

code: 0 1 2 3

1 Organizational structure

1. The organization structure of the entity,

2 audit 2. Extracts of copies of important legal documents relevant to audit,

3. Copies of audit reports and observations of earlier years, and

3 Information systems

4. The historical background of the information system in the organization,

5. The IS policies of the organization,

6. A record of the study and evaluation of the internal controls related to the information

system,

0 letter management ka aur issue kia auditor ne.

7. Copies of management letters issued by the auditor, if any.




The current file normally includes:

1. ACCEPT: Correspondence relating to the acceptance of appointment and the scope of the

work,(one fine morning you are received appointment letter from ABC Ltd that you are

appointed as auditor and the scope of your work is …..)

2. PLAN: Evidence of the planning process of the audit and audit programme,

3. PERFORM: A record of the nature, timing, and extent(NTE) of auditing procedures

performed, and the results of such procedures,

4. COMMUNICATE: Copies of letters and notes concerning audit matters communicated

to or discussed with the client, including material weaknesses in relevant internal

controls,

5. RESPONE TO COMMUNICATION: Letters of representation and confirmation received

from the client,

6. CONCLUSION: Conclusions reached by the auditor concerning significant aspects of

the audit, including the manner in which the exceptions and unusual matters, if,

any, disclosed by the auditor’s procedures were resolved and treated, and

7. RELEVANT DOCUMENTS: Copies on the data and system being reported on and the

related audit reports.

Working papers are the property of the auditor. The auditor may, at his discretion, make portions of,

or extracts from his working papers available to the client. The auditor should adopt reasonable

procedures for custody and confidentiality of his working papers and should retain them for a period

of time sufficient to meet the needs of his practice and satisfy any pertinent legal and professional

requirements of record retention.

----------------------------------------------END OF NOV 09 QUESTION-------------------------------------------------------------

Nov 12: Discuss the parameters that would help in planning the documentation process. Planning the Documentation: The following three parameters (factors) would help in planning a documentation process.

1. The importance of planning and understanding the planning process requires

identifying three planning questions:

• Knowing Your Resources:

The three basic resources: time, people, money. One has to check for their availability

and affordability.

• Defining the Scope and Audience:

The same report may undergo significant changes depending on the character of

report and nature of audience. Presentation on Balance Sheet made to bankers and to

investors would be quite different in content and focus.

• Using a Scope Definition Report:

It is critical to know how to complete a Scope Definition Report. This report

helps in developing a workable schedule for completing the project. (You cannot

prepare your schedule until you define your scope that how much you will study in which

subject.)

2. The Documentation Writer: The qualities and skills that the documentation

writer would need. The requirement may often be legal in nature.(eg: Audit

report can be prepared by CA only)



3. Rules to guide documentation writing: The four rules of writing documentation

are as follows:

• Writing in Active Voice: Using active voice in documentation.

• Giving the Consequences: Giving the consequences of the reader's action.

• Writing from General to Specific: Designing the documentation from general to

specific.

• Consistency: Using style, order and format consistently. ----------------------------------------------END OF NOV 12 QUESTION-------------------------------------------------------------

Gathering Information: To be able to have a good documentation, it is necessary to get information about the reader and

the requirement of the document.

• About the Reader:

Finding information about the reader by doing a task analysis.

Three parts of the task: viz. input, process, output will have to be identified before one

could develop an understanding of a reader.

• About the Subject:

The three sources of information about a subject are people, paper, and the object of

the report.

Organizing Information:

Organizing information involves deciding what information to include and how to sequence it.

This covers five organizational sequences and examines how to divide the documentation into

various sections and subsections.

a. Selecting Information: Selecting ‘what the reader needs to know’. Organizing

t h e information into a useful sequence.

b. Organizing the Documentation: Using the five organizational sequences:

subject, difficulty, chronological, importance and analytical.

c. Dividing Into Sections: Dividing documentation into chapters or sections.

d. Dividing Into Subsections: Dividing sections or chapters into subsections.

Writing the Documentation: Writing is governed by the following major rules/principles:

1. Writing in Active Voice: Using active voice in documentation.

2. Giving the Consequences: Giving the consequences of the reader's action.

3. Writing from General to Specific: Designing the documentation from general to specific.

4. Consistency: Using style, order and format consistently.

5. Writing Online Documentation: Laying down guidelines for writing

online documentation. Using appropriate techniques to emphasize text.



Finalizing Documents:

This section identifies the tasks involved in reviewing and testing the document, generating the

glossary and index and formatting the document for final production.

1. Reviewing and Testing: (generally reviewed by third party)

1. Selection of reviewer of the documentation involves identification of subject and

communication skill.

2 . The reviewer must be provided with adequate information regarding the audience and

object of the report.

3. In order to ensure objectivity It is recommended that the reviewer be a person who

has not been involved in the documentation process.

2. Generating the Glossary and Index: (some specific words and short cuts used in

document will be described in glossary)

• Compilation of a glossary and generation of an index are two major tasks for a complete

documentation.

• In order to achieve this task it is necessary to mark the Index and glossary entries at the

stage of documentation itself.

• Word processing software comes with an inbuilt ability of creating an index from the

identified text in the body of the document.

3. Formatting and Production: (eg: compare my formatting of ISCA notes with

every one others in INDIA)

a. The idea of creating a good document is incomprehensible without first deciding on a

good design for the same.

b. This involves choosing effective formatting options for headings, sub-headings, section

breaks, formatting, and allied.

c. It also important to select an appropriate binding style that would aid filing and ease of

consultation.



IS AUDIT REPORTS Structure: Audit reports broadly include the following sections: title page, table of contents,

summary (including the recommendations), introduction, findings and appendices. These

components of an audit report are discussed below: (i) Cover and Title Page : Audit reports should use a standard cover, with a window

showing the title: "Information System Audit" or "Data Audit", the department's name and the

report's date of issue (month and year). These items are repeated at the bottom of each page. The title

page may also indicate the names of the audit team members.

(ii) Table of Contents: The table lists the sections and sub-sections with page numbers

including summary and recommendations, introduction, findings (by audit field) and

appendices (as required). (iii) Summary / Executive Summary: The summary gives a quick overview of the salient

features at the time of the audit in light of the main issues covered by the report. It should not

normally exceed three pages, including the recommendations. (iv) Introduction: Since readers will read the summary, the introduction should not repeat

details. It should include the following elements:

Code: CPS methodology

a. Context: This sub-section briefly describes conditions in the audit entity during the

period under review, for instance, the entity's role, size and organization especially with

regard to information system management, significant pressures on information system

management during the period under review, events that need to be noted, organizational

changes, IT disruptions, changes in roles and programs, results of internal audits or

follow-up to our previous audits, if applicable.

b. Purpose: This sub-section is a short description of what functions and special programs

were audited and the clients' authorities.

c. Scope: The scope lists the period under review, the issues covered in each function and

program, the locations visited and the on-site dates.

d. Methodology: This section briefly describes sampling, data collection techniques and

the basis for auditors' opinions. It also identifies any weaknesses in the methodology to

allow the client and auditee to make informed decisions as a result of the report. (v) Findings: Findings constitute the main part of an audit report. They result from the

examination of each audit issue in the context of established objectives and clients' expectations. If

the auditor is using any standard grading standard like InfoSecGrade or others, the arrived

value should also be stated. (vi) Opinion: If the audit assignment requires the auditor to express an audit opinion, the auditor

shall do so in consonance to the requirement. (vii) Appendices: Appendices can be used when they are essential for understanding the report.

They usually include comprehensive statistics, quotes from publications, documents, and

references.