controls and auditing standards in a computerised environment

CONTROLS AND AUDITING STANDARDS IN A
COMPUTERISED ENVIRONMENT
- A STUDY
Thesis submitted lo
Pondicherry University
for the award of the degree of
DOCTOR OF PHILOSOPHY IN COMMERCE
I~Y
M. REVATHY SRIRAM
Guide und Supervisor
Pr0f.D. RAJAGOPALAN, P~.D.
PONDICHERRY UNIVERSITY
PONDICHERRY - 605 014

Dr.D.RAJAGOPAL4N
Professor and Head
Department of Commerce,
PonJicherry University,
Pondicherry - 605 014.
CERTIFICATE
This is to certify that the Ph.D.thesis entitled "Controls and Auditing Standards
in a Computerised Environment - A Study" is based on the original work done by
M. Revathy Srirnm in the Department of Commerce, Pondicherry Un~versity,
Pondicherry. The research work has not previously formed the basi\ for the award
of any degree, diploma, associateship, fellowship or any other similar title. The entire
work has been planned and carried out by the candidate under my supervision and
guidance.
D. Rajagopalan
Place : Pondicheny
Date: ,
. 5

hi. Revathy Sriram
Management Consultan1
19, Second Main Road,
CLT. Colony,
Mylapore,
Madr;'~ - 600 004.
Research Scholar
Department of Commerce
Pondicherry University
Pondicherry - 605 014
DECLARATION
1 hereby declare that the thesis entitled "Controls and Auditing Standards in a
Cnmputerised Envimnment - A Study" for the award of the degree of Ph.D., is my
original work and it has not previously formed the basis for the award of any degree,
diploma, associateship, fellowship or any other similar title.
M. Revathy Sriram
Place : Pondicherry
Date :

ACKNOWLEDGEMENT
I ow a deep debt of gratitude to my supervisor and guide, Dr.D.Rllja&!opalan
whose invaluable guidance and encouragement enabled the completion of the
present study. His constant support has always been a source of inspiration.
I am grateful to Dr. Amarchand of the University of Madras who has always
been kjnd enough to spare his invaluable time to provide me helpful comments and
advice.
I wish to express my sincere thanks to Dr.T.V.Subramaniam, permanent
Faculty of Bharathidasan University for his critical review. 1 am indebted to the
auditing firms and the organisations for voluntarily co-operating and providing me the
information which forms the basis of my thesis. I wish to thank Flr.V.S.Chandraseksr
and Miss L. Chenchu Lakshmi for the secretarial assistance. My special thanks to
Mr. K.Ramji for the special efforts in providing me support in extensive usage of
word processing. My thanks are also due to my nephew Mr.R. Venkatakrishna, who
helped me to prepare the charts using the hanvard graphics.
I wish to express my special thanks to Mr.D.Sambandam, Pondicherry and
all the members of his family for their constant support and encouragement.
I wish to thank the members of my family and close family friends who were
constant source of inspiration without which this work would not have been
completed.
, . I
< .
hl. Revathy Sriram

CONTENTS
Page Nu.
Certificate
Declaration
Acknowledgemenl
Tahle of Charts and Diag~ams
Chapter 1
Chapter I1
Chapter 111
Chapter IV
Chapter V
Chapter V1
Chapter VII
Chapter VIll
Chapter IX
Introduction
Auditing Standards
End-User Computing
Local Area Network (LAN)
Data Base Management Sysreni
Controls in UNlX Environment
Disaster Recovery Plann~ng
Audit Approach
Summary, Conclusions and
Recclmmendations
Appendix A to 1.i
Bibliography
222
I
XIX

TABLE OF CHARTS AND DIAGRAMS
Figure 1.1 -
Figure 1.2 -
Response to Serious Security Incidents
Average Annual Computer Ahuse Losses
Figure 1.3 -
Figure 1.4 -
Figure 1.5 -
Types of Computer Crime
Relative Seriousness of Threats
Computer Crime Losses
Figure 1.6 -
Results of California Arrests
Figure 1.7 - Use of Technology / Products in 1985, 1988 and 1991
(Chart 1)
Figure 1.7 - Use of Technology / Products in 1985, 1988 and 1991
(Chart 2)
Figure 3.1 -
End-User Computing Risk / Control Levels
10. Figure 4.1 - On-Line System Controls and Audit Problems

Computers were originally used by organisations that could afford them. The
initial costs and the subsequent running cmts were affordable only by a few. The
reason of affordability of the computer only by a few is something of the past
The present scenerio is totally different Every organisation is owning a
computer of some type or the other. The other very few organisations usually are also
utilising computers even if it be not theirs.
The imminent need to maintain the integrity of data processed by the
computers needs to be overemphasised. While controlled use of computers by
management is an aid uncontrolled use of cornputrrs will and does have adverse
impact on the organisations. This would result in inaccurate and incomplete
information forming the basis for decision making.
It is in this background that one has to become aware of the need to have
controls in the usage of computers. With the extensive technological developments
in the hardware and the sophisticated techniques in the development of software, the
nonns of controls necessarily keep changing.
As it is the primary responsibility of senior management to ensure that
necessary controls are in place, they look up to auditors. Auditors have a
responsibility to discharge their duty and maintain professional standards. With

vary~lg types of computer environments, then are appropriate control procedures
to ensun that the data is processed correctly and completely.
Nature of the problem
Fit of the generally accepted auditing standards issued by the American
Institute of Certified Public Accountants states that examination of books of an
organisation is to be performed by persons having adequate technical training and
proficiency as an auditor. The second standard of a CPA field work specifies as
follows: "A sufficient understanding of the internal control structure is to be obtained
to plan the audit and to dekrmine the nature, timing and extent of tests to be
verified".
The Statement of Audit Standards (SAS) further expects the auditor 'To
consider ... complexity and sophistication of the entities operations and systems
including whether the method of controlling data processing is based on manual
procedures. As the entities operations and systems become more complex and
sophisticated, it may be necessary to devote more attention to internal control
structure and elements to obtain the proper understanding so as to facilitate
designing effective subtantive tests.
It further specifies that the auditor should obtain sufficient knowledge of the
accounting system to understand.. the Accounting process involved from the initiation
of transaction to its inclusion in the financial statement including how the computer
is used to process data.

The need for technical uprtire on the part of the auditor is due to the
impact of ekctronic data p A g (wmputerisation of data)
The objectives of audit have not changed It is only the means of achieving
these objectives that have changed
With the technological developments, them haw been changes in hardware
and software. Consequently control concepts have necessarily changed. Hence audit
approaches also need to change.
HARDWARE
Hardware have come a long way from unit record equipments. The first
generation computers characterised by vaccum tubes gave place to second and third
generation computers which utilised transistors and integrated circuits. Subsequently,
the fourth and fifth generation computers with more complex and sophisticated
pheripcrals have appeared on the same.
lhese changes in hardware brought, in their wake, the disappearance of
"Audit trails". It is the audit trail which enables the auditor to trace a transaction
from a source document to a report or a total produced by the computer. The same
audit trail also enables the auditor to reverse the process and be able to find out the
source background or other basic information which have figured in the final report
or total. Computers with multi-programming or multi-processing facilities have come
into the picture. With these concepts, it is possible to have a number of programs
working simultaneously or a single program to be processing different files
simultaneously.

On-line and real time systems have much used facilities These facilitate
processing of data by transmitting them ovcr communication lines. It is possible now
for data being entered at om terminal, processed at other terminal and the results
being made available at a third terminal. Real time systems enable updation of data
immediately in as much as querrying and obtaining of such information
instantaneously is possible. Eg. Bookings of air tickets from anyone office from any
of the many flights on different routes also on different dates.
Along with the advancement of technology in the field of main frame
computers, there have been advanees in the development of small and smaller
computers. The advent of small and smaller computers have been creating big and
bigger problems from the auditor's point of view. The auditor is not assured of
certain basic controls which he is assured of in a main-frame computer environment.
SOFTWARE
Software consists of progtams as distinct from hardware. These programs may
be written by programmers within the organisation or may be bought out from
vendors of software packages. Rigorous discipline is needed in the development of
software before it can be permitted to "Go live". Auditors need to firstly be aware of
the associated discipline with regard to the development of software and secondly
possess the knowledge to evaluate whether the discipline is being observed or not.
Thirdly and most importantly he should be in a position to assess the possible risks
and loss due to non-conformity of the discipline.

Operating sytems an also program but they an special type of program
that are capabk of managing and supervising the activities associated with the
computer system They handle all input, output operations, scheduk jobs, allocate
memory space etc. Operating systems while conferring a gnat deal of bcne6~ are
also a cause for concern. Many weaknesses in the operating system can cause havoc
in the controls that are associated with computer applications.
DATA BASE MANAGEMENT SYSTEMS
DBMS reduces redundancy of data submission. It Links various files and
controls all of them. With the advantages of DBMS there are certain audit concerns
regarding maintaining reliability and integrity of the different files in the DBMS. In
view of the difficulty of tracing the transactions forwards and backwards, the auditor
must have the capacity to test the integrity of the DBMS package.
LOCATION OF THE COMPUTER CENTRE
The practice of installing computers for performing accounting applications
pnmanly and subsequently developing other incidental applications was the caw for
the computer corning under the purview of the financial department The Financial
Controlkr generally was the administrative head for the Data Processing Department
With the awareness created for computer usage and the eagerness of the user
department to develop their own applications the concept of "End User Computing"
has come into existence. The controls that go with multiple terminals, multiple users,
multiple system groups have a multi dimensional aspect and impact

AUDIT
ignoring the computer and treating it as a black box is no longer valid An
auditor cannot effectively function by auditing around the computer and auditing has
come of age Auditor has to audit thro' the computer "if not with the computer".
Whik auditing, th:ough the computer, auditor tests the client's computer programs
by providing his own data and analysing the results.
While performing auditing with the computer, the auditor has his own
generalised audit software which performs the audit functions on the computer
system. Computerisation is taking place utilising to full advantage the latest
technological developments. It is presumed that the controls that are necessarily
associated with each type of environment are built into the system. An auditor, who
has professional responsibility of giving his opinion on the statements audited by him,
should possess adequate skills and capabilities to do so irrespective of statements and
standards being pronounced by professional bodies or not.
DISASTER RECOVER PLANNING OR CONTINGENCY PLANNING
A fire accident which would char the edge of a leather-bound ledger is
adequate to bring down an entire computer installation. Organisations are no longer
mere users of computers They are depending on them for their present existence
and their survival in the future. Natural calamities like fire, floods, and other
catostrophies, magnetic fields, viruses and intentional sabotages from insiden and
outsiders of the organisation are dangers to be safeguarded against. Specific
procedures need to be followed by organisations.

It is necessary to have an elaborate workabk disaster recwery plan so that
whik all preventive steps would be taken to prevent a disaster, there should be a
plan to recover from the disaster, well within the critical period, should it occur.
Whik furnitures and futures would be insured and the auditor checks the
validity of the insurance pcJicy, there is generally no such procedure being adopted
with regard to computers. Computers are at the most insured for their actual cost.
There has been no policy cowi-dered to cover the cost of developing the programs,
cost of re-creating the data as also consequential loss to the business.
The literature in the field of EDP audit and control is very extensive.
Computerisation having been introduced in the developed countries like USA, UK,
Australia for more than five decades, the awareness for controls and the need for
specific audit evaluating the adequacy or otherwise of controls in particular
environment has been in existence. Along with development of technology the
controls have changed and necessarily the auditors have to keep pace with the same.
SURVEY OF LITERATURE
Over 50 publications, mainly from U.S.,U.K, Australia have been studied and
about 25 have been reviewed From the extent of survey conducted, surprisingly, it
is found that there has been no publication yet in India. This may be due to the fact
that computerisation in our country has not been as long as in other countries to have
reported cases of fraud!

None of the professional bodies in India seem to have even issued any
Standards or statemenls as nveakd by a review of the standards issued by the
professional bodies in India.
A practice manual by Brian Jenkins and Anthony] Pinkney provides a
practical approach to an auditor for expressing an audit opinion on the financial
statement of companies where preparation of accounting information has been
computerired Being a publication of a professional body, it is of particular nlevana
to practising accountants who an performing audits in a computerised environment
The principal objective of an audit is to ascertain whether in his opinion the financial
statements on which he is reporting show a true and fair view of the state of affairs.
It is of importance to note the principal features of the audit approach as mentioned
by the auditors. The features mentioned are:
i) Each task undertaken by an auditor is a necessary part of the total work
leading upto his report on the financial statement. Thus, the auditor has to
concentrate his efforts in identifying these activities which would impact the
truth and fairness of the financial statements.
ii) All stages in the audit an related to each other. Thus, the audit work and
evaluation on controls is very closely related to the validation or verification
of the financial statements.
iii) The approach is designed to provide alternative audit procedures so as to
enable most efficient audit in particular circumstances.
Brian Jenkins and Anthony Pinkney '%I audit approach to computers" England,
The Institute of Chartered Accountants England and Wales, 1978.

(iv)
The approach and documentation are developed internationally. Howcnr, the
statury requirements and policies a n based on U.K law.
The kgal procedures and other statutory requirements an not nkvant to Our
country. However, the fan that the auditor should understand the accounting system
and evaluate the systcrn of internal control and carry out functional test to satisfy
himself with the controls arc in place and working the way they should. This
approach is the same whether it is a computer system or a non-computer system.
Great emphasis is laid on understanding and nearding the systemThu book also
recognises the usage of flow charts and/or narrative notes.
While discussing Audit approach for evaluation of internal controls the audhor
emphasises the fact that for an effective evaluation it is first necessary to understand
the nature of controls in a computer system. The auditor is expected to be conversant
with "user controls, programmed procedures and integrity control". Programmed
prwdures include process controls, while integrity controls are controls over
programs and filer They deal with implementation procedures, program security,
computer ciperations and data file security controls. As a means to evaluate controls,
it is suggested that an internal control questionnaire based on control objectives be
prepared and necessary information gathered It is emphasised control objectives do
not change in any environmentThe means of achieving these objectives differ
depending upon the environment
Chapter 1V has a detailed discussion on control program procedure. These
procedures ensure that only valid transactions are processed and recorded completely
and hccumtcly.

(hapter V and VI deal with integrity controls and their evaluation The
integrity contmls are divided into
(a)
@)
(c)
(d)
(e)
Impkmcntation controls
Program security controls
Computer operation controls
Data fik security controls and
System software
Implementation controls deal with adequacy of prwdures for the programs
expected to be implemented. This may consist of new programs and include systems
being developed or existing systems and programs being changed. The more
important of the procedures while implementing a new system are
(a)
(b)
(c)
System design and program preparation
Program and system testing
Cataloguing
Cataloguing is defined as procedures associated with making the "test
programs" into live programs". Cataloguing wil include both manual and software
procedures. The concept of programmed security controls is discussed. These controls
ensure that unauthorised changes are not made to the production programs. This is
of particular importance to the auditor, as an unauthorised change may be made by
an individual so that he would benefit from the same. Example - receipt of increased
wages, excess drawal from his account balance.

Whik dealing with mmpliana test which is refemd to 8s functional test - an
exhaustive tabular statement illustrating a specimen test corresponding to the nature
of control is pmvided
The Chapter "Audit Responsibility to internal control weakness" is of
particular imporlance. The initial step in the audit approach is that the auditor should
be able to identify internal control weakness, if any, and thereafter, assess the impact
of such a weakness on the hancial statement. He has to assess the materiality of
such a weakness. Should the auditor decide based upon his assessment of the
weakness that a material error could occur, he should take such steps as to satisfy
himself whether such an error has arisen and if it has arisen, the extent of the same.
This publication of the Institute of Chartered Accountants of England and
Wales drives home the point that a professional body has recognised the need for a
different approach to audit in a computerised environment as distinct from a manual
system. In view of the book having been published as early as in 1978, technology
wise it is not upto date. However, it is of rekvancc to note that the professional body
has deemed it neccrsary to publish a book of this nature to create an awareness and
provide guidance to the Membcn of the Institute.
Objectives of Auditing in EDP environment' have been laid down as follows:-
(i)
To guide CPAs in auditing business enterprises which use computers for
record keeping.
I
Gnrdon B. Davis 'Xuditing & EDP'. New York, American Institute of Certified
Public Accountants, 1968

(ii)
(iii)
(iv)
To provide a starting point for building a consensus of expert opinion on an
auditing practices for examining such companies
To suggest utility and applicability of different auditing methods when
experiena is still lacking.
To provide soura materials for training and informational purpose. It is of
great importance to note that this publication is dated as early as 1968
Specific mention is made of the fact that EDP does not lessen the need for
an evaluation of the sptem of internal control. On the contrary, it appears that
increased emphasis must be given in the review of internal control to ascertain that
it is effective. It is pertinent to quote that it is stated as early as in 1%8: "Computers
have been commercially available for fifteen years and the recency of the major
impact can be appreciated by noting that it made in 1967 every use of all computers
had betn done in the preceding year, the number was expected to double again in
the succeeding three years."
This statement is very relevant to the fact that though the computers have
been in existence in our country for more than 40 years in some form or the other,
technological developments and usage of computers in the last ten years have more
than doubled compared to that in the previous three decades. The technology
referred to in the book though out-dated, the concepts are of great relevance. The
input processing and output controls are discussed at great length.
In view of the technological importance in the computer medium, some of the
concepts on hardware are not of relevance. However, presentation regarding the
programmed control over processing, evaluation of internal control and safeguarding

of records and 6ks is of cumnt nkvance. Then is reference to three methods of
auditing viz
(a) Auditing without computer
(b) Auditing through the computer
(c) Auditing with the computer
In the current context of technological developments, auditing without the
computer has no relevana. It is more appropriate to audit with the computer. In the
absence of such skill and competence auditing through the computer may be
acceptable standard for effective auditing.
The questionnaire for evaluation of internal control is divided into the
following significant paragraphs, each paragraph having useful questions.
(a) Background
(b) Organisation
(c) Control function
(d) Contrnl over consol
(e) Management praciices
(f) Documentation
(h) Program revisions
(i) Hardware controls
fj) Control over input and output data
(k) Process control relevant to each application
(1) Control over error investigation
(m) Physical safeguards over files
(n) Procedural controls for safeguarding files

(0) Capability for fik nconstmction.
The questronnain provides more than a starting paint for the auditor who
wishes to make a beginning.
The questions a n numbered as A, B, or C according to the general control
significance.
A - representing con1101 element which may affect the auditor's evaluation of
B -
C -
internal control
Control element which tends to affect data processing safeguards, but is
however not likely to affect the audit procedures
Application affecting operational effectiveness or efficiency. 'Elise G.Jancura
and Robert Boos dealt with
Controls in system design and development
Controls in distributed and integrated system.
A detailed flow chan specifying the operation, the designation of the person
performing the operation and the process are explained in depth. Though the
narration is curnbenomc, splitting up of the entire operations into various ingredients
and connecting each step to the main flow chart is useful. The chapter on computer
assisted auditing techniques deals with test data method, parallel simulation and
usage of other programs written for a specific purpose or generalised audit software.
1. Elise G. Jancura and Robert Boos "Establishing controls and auditing the
compuferised accounting system" New York, Van Nostrand Reinhold
Company, 1981.

While this book makes an attempt in emphasising the need for establishing
controls and auditing computerised accounting system, it does not specifically
highlight the methodology to be adopted by EDP auditors.
1W.Thomas Porter and William E Peny have discussed the impact of EDP
on auditing and control. They have discussed the concept of information as distinct
from data. They have brought out the fact that one of the most difficult tasks an
auditor has to perform while auditing is comprehending the systems. Flow charting
is one of the wry valuable tools that help the explanation of a system function. The
concept of flow charting with detailed instructions and illustrations is well brought
out. There is the problem of timeliness. There are tendencies very often to modify
the system without updating appropriate flow charts. This problem could be go\ over
by utilising the facilities provided in the automatic flow-charting systems. Flow charts
of a programme could be obtained froni the Source Code Statement. A specific
mention is made of 'HIPO' - (Hierarchy plus Input, Process, Output) is a
documentation aid. It has the ability not only to document the functions but also to
show the hierarchical inter- relationships between these two functions. This aspect is
extremely useful to the auditor. The subsequent chapters deal with controls in EDP
system under two categories:
(a)
(b)
General and administrative controls
Application controls
Every system is liable to have an exposure. Exposures or risks are threats to
a system. Controls are a means to reduce these risks. In a computerised system, there
W.Thomas Porter and William E Peny "EDP Controls and Auditing" - Third
edition , Massachusetts, Kent Publishing Company, Boston, 1981.

is conantration of duties and functions which kads to certain mmpkety. Hena
there are grcater potential for control problems'
AdministratiK controls deal with policies and procedures They cross
application boundaries in view of the centralisation of the data processing activities.
There is conantration of many processing steps In view of this,there needs to be
segregation of duties specially in incompatible functions like programming and
operation. A useful checklist for organisational control is provided. Organisation of
EDP department is of utmost importance and special attention should be paid to the
following:
(a)
(b)
(c)
(d)
(e)
System and programming of controls
Review and approval of new systems
Programming-testing procedurrs
Programming-chanfc procedures
Documentation standards
Thcse would ensure a high degree of processing reliability. There should be
standards established for operating practices. They should include
(a)
(b)
(c)
(d)
(fj
Access to computer room
Library and file control standards
Data conversion standards
Physical security of files and equipment (c) Back-up facilities
Passwords.
WThomas Porter and William E Perry "EDP Controls and Auditing" - Third
edition , Massachusetts, Kent Publishing Company, Boston, 1981.

Interesting probkm of a live care has been presented It deals with Equity
Funding, insurance fraud.
Application controls are designed to meet the specific control requirements
of each processing application. The controls are classified as preventive, detective and
corrective controls. Preventive controls arc congtrols which stop problems from
muring and expected to help "things happen as they should". Preventive controls are
located throughout the entire EDP System. These are executed before the data
enters the system
The more important of preventive controls as discussed' are
(a) Source data authorisation
(b) Data conversion
(c) Turn around documents
(d) Pre-numbered forms
(e) Input validation
(f) Controls over processing
Detective controls are expected to bring potential problems to the attention
of individuals for appropriate action. Examples of detective controls are
(a) Control Register
(b) Control totals
(c) Documentation and testing
(d) Labels
(e) Output
W.Thomas Poner and William E Perry "EDP Controls and Auditing" - Third
edition , Massachusetts, Kent Publishing Company, Boston, 1981.

Corrective mntrols arise in the investigation and correction of cause of
expower which have been detected Typical m p k s of comctive controls are
(a)
(b)
(c)
(d)
Audit trails
Discrepancy reports
Back up and
Recovery
While discussing on Review and evaluation of controls in EDP Audit system,
it is recommended that understanding and testing of the system should be achieved
through an analysis of the client's entire system of internal control. Once review and
testing is over, it is possible to evaluate the adequacy or othenvise of the control
system and make recommendations if any. There is an interesting case study provided
with a useful questionnaire with hypothetical answers.
The audit approach when the client's use service centre is different from usage
of a computer in-house. The audit approach when the client uses a service centre is
discussed' A specific mention is made of advanced auditing techniques including test
audit method, test case, system evaluation, integrity, test facility and parfallel
simulation It is vcry well brought out that in an environment of accelerated changes
in computer technology, newer and upto date auditing techniques are needed.
' W.Thomas Porter and William E Peny '%DP Controla and Auditing" - Third
edition , Massachusetts, Kent Publishing Company, Boston, 1981.

lS.Rao Vallabhaneni, traces the importance of software in a computerised
environment He mentions that 50 to 75% of the time of the system analysts and
programmers is spent in maintaining the existing software and that more than 50%
of the operating budget is for software. He brings out the fact that inspite of the
abovc mentioned significant facts, auditors do not spend enough time reviewing,
testing and evaluating the controls in the application systems when they are in the
process of king developed He correctly mentions that more time is spent on
software development actlvitles than lor reviewing software maintenance controls. He
explains the difficulties faced by systems and programming staff who are under
pressure from the users and suffer from lack of appreciation of concepts by senior
management. Many a time software is developed without considering future
maintenance. Very few programs and systems are developed using structured
techniques. This results in great deal of patch work being done. He refers to
"spaghetti code" which is diff~culto control, maintain, modify or audit In view of the
absence of usage of structured techniques the systems staff are constrained to use an
adhoc approach.
Maintaining software is a human activity which is error-prone and has a high
risk Unless documentation is adequate a previously bug-free program may land up
with problems unless the modified program is thoroughly tested.
The emphasis of this book is to highlight the importance of software
maintenance activities along with their associated risks and exposures and to provide
guidance to auditors for evolving procedures and approaches. The focus of the book
- --
' S. Rao Vallabhaneni, 'Auditing the maintenance of software" New Jersey,
Prentice-Hall Inc.1987.

is on the Internal Auditor and makes reference to SAS No.9, issued by the American
Institute of Ccnificd Public Accountants - the independent external auditor should
consider the procedures if any performed by the internal auditors in determining the
nature, timing and extent of his own auditing procedures".
Thus, it naturaliy follows that if the internal audit's review of software
maintenana is more comprehensive, the external auditor's scope should be less
comprehensive. The term software maintenance is used to describe all changes made
to a computer program after it has been implemented in a live environment He
refers to US General Accounting Offiar (GAO) Repon - Page 5, footnote :
The GAO studied 15 computer sites in detail and received responses for
mailed questionnaires from several hundreds. It is mentioned that though the study
was relating to Government environment, it is equally applicable to private and public
sectors. Some of the problems enumerated are:
(i)
(ii)
(iii)
(iv)
(v)
Software maintenance cells are not easily identifiable
Expert user requested modifications are not always based on real need
User requirements in the software development phase are not adequately
defined.
Application systems document is inadequate if not missing.
Gmputer programmer's attitude towards software maintenance is not
enthusiastic.
These points are of relevance to the environment in our country also. The
time and effort spent on system development phase is not always productive either
because users do not define their requirements precisely or the systems staff decide

on thelr own on certaln requirements of the users As most of the appl~catlons are
to be modified under pressure, documentation procedures are glvcn the go by
Pnonty 1s for keeplng the system golng wth the modlficatlon In the ctrcumstances,
the capaclty of the audltor to understand the modlficatron and evaluate the controls
needs specla1 mentlon
The author has d~nded the book Into three parts, the first part deallng wth
ennronrnent, the second part wth control guldellnes and the th~rd one wth audit
methodology; the fourth one belng on newng the future He explalns the software
malntenancc 11fe cycles (SMLC) as d~stlnct from SDLC by d~vldlng the methodology
Into different phases For each of the phases he lays down the ohject~ves and
actlntles and from the aud~tor's polnt of vlew the final dellverables for control revlew
and flnal evaluat~on He h~ghl~ghts the polnt that aud~tors, spec~ally the ~nternal
aud~tors w~th resources use for software malntenance are adequate and that they are
used effectively and efficiently He hlghl~ghts In chapter IV that the audltor needs to
be aware of what can go wrong m software malntenance, he hlghl~ghts three types
of control, nz preventive, detectwe and correctlve wh~ch could prevent ~rregularlt~es
and omlsslons dunng ,oftware malntenance He provldes a table of aud~tools and
techniques - use matrut
The bwk 1s an excellent treatlse of the procedure to be followed In an Ideal
srtuatlon Whlle 11 may not be possible to grve an deal, a readlng of the book by an
aud~tor creates an awareness of the really of the problem and posslble practical steps
he should take to ensure adequate controls are Introduced In the software
rnatntenance phases

Technology is advancing important supportive functions that protect the
technology from intentional losses is not keeping pace.' He makes reference to the
systems auditability and control reports produced by Stanford Research Institute
International of 1977 and observes that auditing which is an important supportive
function is lagging far behind. In view of the auditors lack of sufficient knowledge of
the technology, he is constrained to rely on the trustworthiness of computers,
computer programmers, operators and other computer staff. An auditor is expected
to be independent in attitude and appearance and the dependence of the auditor on
data processing staff is violative of basic audit principle. The author has very
relevantly mentioned that the auditors performing their function in a computerised
environment have realised that they have to acquire necessary skills to perform their
lobs competently. Similarly, data processing management are realising the need and
value of the services of the auditors who evaluate the adequacy of controls in the
computerised environment. The book which has the focus on creating an awareness
in the management of organisations which have introduced computers deals with the
subject in a non-technical manner. The authors make special reference to transmittal
memorandum 1 circular Ail1 on security of federal automated information systems
issued by the US office of management. This memorandum establishes a
comprehensive policy regarding establishment of computer security programmes in
all non-defence computer centres also. The objective is to establish of procedures for
adopting security standards, a requirement for security in all hardware and software
procurements, guidance on conducting risk analysis, performing security audits,
developing contingency plans and establishing personnel security policies.
' Donn P.Parker1.k1onogers guide to Cornpuler&cutity". Reston, Virginia, Reston
Publishing Company Inc., A Prentice-Hall Company 1981.

'Ihis memorandum is considered a mile-stone for computer security even as
early as 1978 One whole section is devoted to the nature of computer security. A
useful table giving details of various types of security areas to be safeguarded and
how it could be safeguarded are explained lucidly. Concepts of risks and threats an
explained The author 1s of the opinion that what may appear as accidental and
unintentional acts may not in reality be so. He drives home the point that one should
be prepared for the worst and provide adequate security functions. While discussing
the aspect of detterance which would be a preventive measure for the likelihood of
security violations, the author makes special reference to audit. He very pertinently
points out "one of the greatest values of auditing is detterence". The aspects of
preventive, detective, recovery and corrective controls are discussed with
effectiveness. The importance of contingency and back up plans is discussed in detail.
While discussing the recovery issues, the factors to be taken particular care of are
mentioned as
(a)
(b)
(c)
Stafllng : the safety of people is of primary concern
Facilities and neighbouring site : considering the risk factors in the
neighbourhood of computer room is of immense importance.
Utilities : automatic local telephone switching centres or automative
underground cables would affect on- tine systems. These need to be protected
to the same extent as computer or power supply or air-conditioning
equipment. Other important factors Iik documentation standards, storing of
production programs, operation system utilities, and data in a place away from
the main operation which are mentioned are helpful. The book deals also with
security factors for a computer site selection.

The aspect of earthquake which seems a theoratical conapt in our country
has been considered as a possible reality by the author and guidance provided.
Suggestion regarding consulting geologists are made.
There is an exclusive chapter on computer security and the law, malting special
reference to the k'rivacy Act of 1974 and the Foreign Practias Act of 1977.
Section 3 of the book deals with computer security program and deals in great
detail on the following subjects.
(i)
(ii)
Identification and valuation of assets
Identification of threats and risk assessment
While dealing with safeguards, special mention is made ofauditability. It
mentions that safeguards must be testable for the purpose of auditing its performance
and compliance with specifications. While illustrating this point, an example is glven
of an auditor visiting a data processing facility and asking to be shown recovery from
remote back- up files. The EDP department sent a vehicle to collect the back-up
files, programs and operating instmctions. It is interestingly reported that at this
point, the test was terminated because if all the back up materials were returned to
the computer centre, there will be no back up material at the remote site. This lead
to the organisation having two copies at the back-up site.
While concluding that EDP auditing is an important activity for computer
security, it is mentioned that auditing tools and techniques must be considered as one
of the most important safeguards. An interesting matrix on EDP audit tools by
occupation applicability is revealing.

"Mino computer security, auditabiiity and controls" deals with the subject io
three parts.'
1. Microcomputers in general
Z Stand-alone microcomputer systems and
3. Micros connected to mainframe systems.
In Part I while dealing generally with micro computers, the book provida
statistics from a report regarding the growth of micro computers. He quotes th
market has gone from US $ 200 million in sales to a projected 426 billion dollars in
sales in 1983. In 1983 about one million units were sold and it is expected that 45
million units may be sold by 1986 or 1987.
A tabular statement providing !he prevailing character~it~cs and associated
threats are illustrated. Among the prevailing character~vlics the following are
mentioned :
* Prolifiration of application development
* Staff limitation
* Applications software
Hardware
Vendor system software, standards and practices
Physical environments, file and media storage outside
Uunauthorised access.
' Javier F.Kuong, Gerald I. Isaacson, Chester M. Winters "Microcomputer security.
auditability and controls" Wellesley Hills, Mass. Management Advisory
Publications. 1985.

Under each of these heads, the conditions that are prevalent in a micro
computer environment are discussed with the associated threat A detailed reading
of the above threats focuses attention on the fact that there is a clear need to have
a well formulated set of control objectives with effective safeguards which provides
solutions for a secure use of the microcomputers.
Chapter 3 of the book deals with auditability considerations. A useful table
giving the prevailing condition and the corresponding auditing concerns and
considerations is provided. To sum up, the problem generally faced by auditors are
(1) When same application is processed on different computers, how is the
integrity of the application to be decided unless all the units are aud~ted.
(2) With paucity of staff, there is no seperation of duties.
(3) Audit trails may be lacking in view of lack of facility for logging. When
software packages are developeJ lack of documentation exists. Information
regarding what types of error handling and controls are included is not easily
available. The author proceeds to deal with the control system dividing it to
three zones as follows:
(1) General and administrative controls
(2) Micro computer system
(3) Micro computer software
follows :
While dealing with connected micro systems he deals under three zones as
(a)
@)
(c)
Data communication
Micro computer
Mainframe penetration by Hacking

The fact that security and protection of micro computers is as important if not
more important as the security of log system is emphasised. While dealing with
general aspects of micro computer security, software and data integrity issues of
concern are mentioned as follows:-
* Who can excess the micros
To what extent can they access
How is the data protected from the unauthorised distribution
* What is the possibility of loss of critical data
How is data integrity to be maintained
What is the possibility of intrusion from outsiders.
What steps are to be taken for maintaining continuity of operations.
The book provides
(1) sound framework for dealing with internal and security controls
(2) An overall coverage of security auditability and controls
(3) Acomplete set of management policies and standards for management control
of this new technology
(4) A comprehensive list of control objectives, control techniques for different
types of micro computen.
A set of specific objectives along with a list of specific control techniques
which would meet the control objective are mentioned.'
' Javier F. Kuong "ControLs for Advoncedlon- ZinelData-base systems", Part 1 and
Pan 2 - 44, Washington Street, Wellesley Hills, Mass.02181, Management Advisory
Publications, 1983.

The author discusses as to what kind of control the designer and the auditor
should consider to build security and integrity in the advanced on line systems. He
also deals with audit approaches and techniques which would effectively and
efficiently audit and review the systems. A tabular statement distinguishing the various
features of the systems with the respective implications of such a feature are well
brought out While dealing with internal controls, the author classifies integrity under
four categories:
(i)
(ii)
(iii)
(iv)
Accuracy
Securitylprivaq
Continuity
Environment
(9
(ii)
(iii)
(iv)
(v)
(vi)
(W
(viii)
The author divides the control zones under 8 heads:
Data entry
Data communication
Systems environment in general controls
On line application programs
Data base
Data base administration
Environmental software
Data base control zones and audit base development standards
Under each of these heads, the author deals with the following:
(i)
(ii)
General control objectives
Various control points

(iii)
Under each of the control points, the control objective and the corresponding
control techniques a n discussed in detail. The two pans of the book contain
a precise presentation of the entire subject
Computer Security
Keith Heamdcn' presents a collection of 14 anicles on computer crime and
people, computer crime in the 1980r, risk management and computer security. While
all the articles have special reference to the accepted procedures for security
maintenance, there is narration of live cases of crimes committed on computer. The
importance of these article is that computer crimes and frauds are not academic
issues, but are realities which have been perpetrated in most cases by computer
literates. This has been possible by penetrating the vulnerable points in the control
systems of computers.
Security is the integral part of the design and implementation of an
information system. V.P.Lane2 interestingly brings out the fact because that in many
instances security involves cost, the decision of the management may be to ignore
certain security requirements, considering only the cost factor, He highlights the fact
that good security must be built into the system software before individual
applications are designed. He deals with physical security and data security. While
discussing physical security, he classified it under two major heads viz(1) protection
Keith Hearnden, A Handbook ofComputer Security Centre for Ertension
Studies. bughborough University.
' V.P.Lane "Security of Computer Based Information' Systems-Houndmills,
Basingstoke, Hampshire, Macmillan Education Ltd., 1985.

against natural disasters like flood and fire (2) protection against intruders. Under the
head natural disasters, he places special importance to fire and discusses at length the
advantages and disadvantages of carbon-di-oxide as against Halon and water
sprinklers.
While discussing access control and intruders, he highlights three ways of
controlling access.
(i)
(ii)
(iii)
By using receptionist and security officers
By using mechanical devices such as locks and keys
Electronic systems using identity cardslcard readers
A systematic approach is necessary if a realistic plan for physical security has
to be evolved.The author stresses the view that the management must assess what
they are trying to prevent and protect. To achieve this, he suggests the following
shouldbe performed :-
(i)
(ii)
(iii)
(iv)
Identify undesirable events
Evaluate physical threats and the probability of such an event occuring
Estimate possible loss to which the computer/premises are exposed
The expected annual loss.
While discussing data security, it is stated that it could be maintained by four
kinds of control viz
(a)
(b)
(c)
(d)
Access
Information flow
Inference
Criptographic controls.

The author stresses the point that while these methods can reduce danger of
compromise of data, they cannot totally eliminate the possibility. The security role of
components of computer configurations is highlighted by each of the aspects of
hardware, systems software etc While discussing the system software i.e. the
operating system, its security functions are classified under two heads vir Implicit
security function and Explicit security functions. Under Implicit security functions are
included those security features that manage and control the system resources and
application programs. The explicit function include su~eilance and identification,
access control and isolation. The chapter dealing with people and security highlights
the fact that sometimes the position of power exercised by a single individual like
system administrator is both a weakness and a strength. He suggests remedial
measures as
(i)
(ii)
(iii)
Job rotation
Supervision by a superior
Journalising i.e. recording request from the administrator or log to facilitate
auditing and examine the log for unauthorised activities.
Security aspects of the operation of computer facilities include training of
computer operators, library management system as also short term recovely
procedures. It is emphasised that management must highlight the fact that security
is needed even during routine operating of the system, to make the effort of planning
overall security aspects a success. Special topics like privacy and data protection
legislation and protection of proprietary software are discussed. The author concludes
that software is currency; It is essential that those who provide the currency are
protected from counterfeiting and duplicity.

Chapter 11 of the book deals with a number of real life incidents Amongst
more interesting cases are that of a supervisor of a payments department in a local
authority in London. He found a method of creating false documents. This resulted
in a loss of approximately 40,000 pounds. Yet another case deals with how an
executive officer utilised the computerised salary system to defraud health authority.
A novel, yet a case of great conarn is where computer personnel stole the computer
files and demanded ransome for restoring them. Fortunately, the culprits were caught
The last case reported is regarding a boiler explosion which destroyed the computer
office site. The author concludes that the misfortune did not become a calamity
because of the contingency plans of the company. The 1981 survey and the 1984
survey regarding incidents involving theft and misuse are very revealing.
James Arlin Cooper' discusses early development and environmental aspects
under the following heads:
* Physical security
* Personnel security
* Regulatory security
Hardware security
Software network security.
Each of these environments are discussed in great detail under various heads
of prevention, detention and correction. It is of impurtance to note that a mention
is made of the computer Act of 1987. The Act requires the establishment of security
'
James Arlin Coo~rNCompukrand Communications Security Strategies for the
1990s". New ~brk, ~c&aw- ill Book Campany, 1221 c venue of the Americas,
1989.

standards for Civilian agency computers and communication sperns. The author
makes a comparative study of the regulatory requirements in different countries like
UK, Canada, France and Sweden A reading of these legislations and their
development makes one realise that other countries from their experience have found
that legislations arc neassary which makes us to think that in view of the wide
computerisation, it would not be too long before our country also feels the need.
While discussing the software security environment, the author highlights the fact that
the verification of system security features and system security performance can best
bc achieved only by EDP auditor function. In the author's words,"EDP audit, if
properly done, gives additional insigh4 identi@ signals that point out security,
weaknesses or failures and helps prevent security by-passes resulting from collusion!'
He even goes to the extent of mentioning that a 30 million fraud which he dis( hisses
in his book was possible because audit procedures were relared. He discusses
amongst others 14 tools and techniques and concludes that audit procedures give a
degree of protection against intentional attacks. They make a perpetrator's job
difficult as the chances of detection are high. While discussing the current
perspectives of computer security, he highlight^ the security strength by discussing the
encryption techniques and also docs not lose sight of the negative side of the security
i.e. weakness. The problems of controlling access uniformly and reliably over widely
dispersed locations is difficult. The author discusses the research perpespectives of
the 1990s as also the outlook for the 1991s.

DISASTFX RECOVERY PLWNING
The need for planning for disaster recovery in a computerised environment
is explained' The three areas of exposure that the management needs to review as
described by the author arc financial loss, legal responsibility and business
interruption
Part I deals with management considerations. A detailed questionnaire deals
with disaster recovery priority concerns of management under the heads:
(1) Staff protection and actions
(2) Maintenance of customer services and
(3) Cash flow maintenance.
(4) Vital documi.nts protection
(5) Facilities equipments,
(6) Programs and
(7) Supplies.
A reference is made to three levels of security and disaster recovery measures
viz mandatory measures, necessary measures and desirable.
Mandatory measures are those needed by law. Necessary measures are those
reasonable precautions which need to be taken.
The desirable measures although necessary are not needed to be implemented
as immediately as mandatory measures. Desirable measures are implemented as and
' The Chantico Series, ''Disaster Recovery Contingency Planning and Program
Eualuation". Massachusetts, QED Information Sciences Inc. 1985.

when circumstances permit A cost benefit analysis is made taking into consideration
the perceived and desirable needs.
The second pan deals with conducting the review programme. It is considered
necessary to establish disaster recovery review objectives. The first and foremost, the
types of disaster need to bc identified followed by identifying the areas which may be
impacted by a disaster. It is necessary to review the disaster recovery controls. A
useful workshop concerning internal back up site, checklist is very educative. A
specimen typical agreement with time brokers vir those who would find another site
that a company can use in the event of a disaster is informative. The author gives
procedure for testing the disaster recovery programme and classifies the testing into,
static testing and dynamic testing. Ht: deals with different techniques for testing and
giver the base for selecting the appropriate technique. The basis for evaluating the
basis for disaster recovery test are discussed. The importunt aspect regarding
insurance coverage is highlighted. The fact that extra insurance is needed on back
up site is also mentioned.The principle of insurance coverage, as is wellknown, is to
transfer the risk of major loss to another organisation. There should be a competent
person for deciding the degree of risk to be insured. It is recommended that the
cover should be for each class of equipment, records, media, mentioning their
replacement costs and actual cash value. The points to be considered while discussing
with the insurance manager include also extra emergency expense, third party liability,
revenue bearing data. The extra emergency expenses include rental of temporary
facilities, back-up equipment, moving cost, tempor.iry insurance cost. The third party
liability arises only in the case of service bureaus. The example of revenue bearing
data would be the data regarding the outstanding balances. Following the testing of

the disaster recovery program would be the procedure to evaluate the DRP. Various
concerns and opinions regarding the adequacy of the disaster recovery programme
need to be formed This opinion is to be supported by sufficient evidence colketed
during the review process. It is necessary to evaluate each concern individually and
then the totality of the individual evaluations should be reviewed in making a final
judgment A useful guideline regarding writing disaster report is provided. It is
recommended that it should have the following chapters-
(i) Management summary
(ii) Scope of review
(iii) Background
(iv) Findings
(v) Opinion
(n) Its impact of opinion
(vii) Recommendation.
Robert R. Moellerl deals with computer audit, control and security aspects
in a computcrised environment and the appropriate audit methodology. The controls
are considered under the following three environments viz
(1) large computer centre,
(2) mini micro computer centres and
(3) distributed network.
In Section 2, he deals with auditing data processing applications. He deals with
the methodology to be obsemd in selecting applications for review. He describes the
' Robert R.Moeller, "Computer Audit, Control and Security" United States of
America, John Wiky & Sons, 1989.

procedures to be followed Different testing techniques and methods of evidence
gathering in a paper kss environment arc discussed. The author emphasises the need
for the auditor's role in reviewing new applications and their development.
In Section 3 he emphasises the need for
(a)
(b)
(c)
physical security
information security and integrity and
an effective disaster recovery plan.
There is a special chapter on audit and control of end-user computing. The
many forms of end-user computing, the controls associated with end-user computing
are discussed. The author provides a list of control objectivvs and proccdures for
reviewing various controls. The tabular statements are extremely useful and are in
detail. The auditor can make a ready reference to anyone situation in which he may
be placed and immediately have anexhaustive checklist. The author has provided this
information also on a diskette. This can be used on an IBM PC This enables the
auditor to carry the floppy and have a ready reference to the list immediately in any
of the client's offices. The author discusses the successful modern internal audit
function. He is of the view that an audit professional of the future would have to
have strengths in financial, operational and computer auditing. He concedes that
while it is an ideal situation, an individual who possess all the qualifications may not
be immediately available. His remarks are very significant. His description represents
the audit of the future in the modern organisation and it should be .in audit
organisation's goal to build personnel with these skills. He adds, that there is
continued need for special techniques for computer audit in new of the technical
environment in the organisation. While describing the audit department of the future,

he states that "the computer auditor specialist of today who spends much time
looking at the general controls within the computer operations area docs not get into
user areas to evolve application controls, and assess possible risks, runs the danger
of becoming obselele in the era of modern data processing procedure. The auditor
should denlop financial - or operational audit skills, as well as computer and audit
skills to operate as the organisation's auditor of the future". This statement of the
author takes into consideration that the present day auditor is ;able to evaluate the
general controls!
It is of significance to note that in our country auditors are not even able to
evaluate the general controls. In view of the wide gap of the expectation of the audit
department of the future, in the present position in our country there needs to be
realisation about training auditors to attain better skills and competence to really
operate as organisation's auditors of the future.
William C Mair, Donald R.Wwd and Keagle W.Davisl have made a very
comprehensive presentation of the various aspects of auditing in a computerised
en\,ironment. The matrix presentation is the highlight of the book. There are four
matrixes as follows:
' William C.Mair, Donald R.Wood and Keagle W.Davis "Computer Control and
Audit" Minneapolis, Minnesota, Touche Ross & Co., 1978.

Application aMtml evnlnation table
It dealswith application causes of exposures under the heads input, processing,
output and others. For each of these muses, preventive, detective and corrective
controls an considered.
System development wntml evaluation table
Under the causes of exposure, it deals with incompkte economic evaluation,
management abdication, inadequate specifications, system design errors, incompetent
personnel, unmanageable application etc The controls again are classified under
preventive, detective and corrective controls. The reliance on controls are classified
as
(1) useful but not especially effective
(2) control cause but should be accompanied by additional controls
(3) Reliable controls
Computer abuse wntml evaluation table
The abuse is classified under object tool and environment and the controls
again are classified as preventive detective and corrective.
The last table deals with information processing facility control evaluation.
Causes of Infomation Pressing Facility exposures are classified as human errors,
hardware defects - software failures, computer abuse and catastrophy. The controls
are classifred under the heads preventive, detective and corrective. The authors have

achieved the objective of helping the auditors to understand as to what is meant by
adequate control in data processing environment.
Mr.Per Brinch Hansen' provides a oveniew of operating systems and gives
a technical description thereafter of the various aspects of the operation system.
Ignoring the technical contenf it provides a good understanding of the concept of an
operating system and its capabilities and how it works.
William E. Perry2 divides the auditing information system function into 30
tasks and classifies them under the following functions:
* Scoping the environment
Understanding the information system
' Identifying the audit risk
Identifying the audit evidences
* Identifying key control points
' ldentifying control weaknesses
* Verifying the integrity of the computer files
Conducting the audit and concluding the audit.
The relevant tasks under each of these functions are discussed in great detail.
The author provides an approach for audit of information systems by concentrating
on the business processing sections of information system. The analytical approach
' Per Brinch Hansen, "Operating System Principles", New Delhi, India, Prentice-Hall
of India Private Limited, 1990.
William E. Perry Yuditing Information Systems - A step-by-step audit
approach. Carol Stream, ED? Auditors Foundat~on, 1983.

is of immense use and this approach has been adopted by me in my questionnaire
and discussion with the auditors.
S.Rao Vallabhaneni,' while introducing the concept of software development
process, presents both the management and the auditors concern over software. He
discusses in detail the problems and issues that arise in development of application
system whether it be developed in-house or by outsiders. He clarifies the
responsibility of the senior management, data processing management and the
end-user in relation to the software development problems and issues. The fact that
the auditor especially the inurnal auditor has a specific responsibility with regard to
the software development process is highlighted The author discusses the audit
strategies and the control guidelines. He discusses in detail the audit methodology in
the following areas.
* Planning phase requirements,
Design,
* Programmin&
' Testing,
* Conversion,
' Post implementation.
He concludes that if an auditing is undertaken of the software development,
the chances of its being usable, maintainable, auditable, controllable and securable
are very high. The author discusses 15 case studies in different environments. Under
each of these case studies, he describes the system audit scope and objectives and
I
S.Rao Vallabhaneni, "Auditing Software Development - A manual with case
Studies", New York, John Wiley & Sons 1990.

!itdiy mentions audit findings and ncommendations While summarising the findings
of the 15 case studies, he concludes that lcnowlcdge of auditing software development
when practiced properly would make organisations more aware of system integrity
and security controls.
Michael A Murph) and Xenia Ley Parker1 of Coopers Lybrand, International
authorities on EDP Auditing deal with the impact of EDP on Auditing as also the
information technology concepts. The entire book is written with the auditor in mind
Even technical aspects an discussed in great detail in a manner which can be
understood by an auditor. In their chapter of information systems, they deal with
business systems to enable the auditors as also the technical personnel to get an
oveniew of a computer application systems. A special chapter deals with application
controls.The authors deal with methods for documenting systems including usage of
flow charts.While discussing audit of systems development, they highlight the practice
and methodologies to be adopted Then is a special chapter on End-user computing.
It is of immense importance to ow current scenario with the proliferation of personal
wmputcn The authors discuss the management risks and issues as also user control
and risk While discussing the applications of end-user's, they make spccilic
referena to usage of spreadsheets, and the associated risks and the specific controls
to be used. The auditors' role in end-user computing is discussed and a view is
expressed that the auditor should evaluate the controls in the following risk areas :-
Software and data integrity
Back-up and contingency planning
' Michael A Murphy and Xenia Ley Parker "Hand book of EDPAuditing" Coopers
Lybrand, Boston, Massachussets, Warren, Gorharn & Lamong Inc. 1989.

Auditabiity
Multi-user micro computer
Communication security
Controls in wMce bureau arc also discussed There is specific reference to
third party review of se~vice bureau. Z\ detailed vmrkplan along with a specimen of
a summary and third party review of application and data centres is of immense use.
The chapter on testing techniques by computerised systems includes the topic
on use of computer assisted audit techniques (CAAT).
The 1903 cumulative supplement deals with more current concepts like Expert
Systems While discussing the information technology, concepts, and meeting future
needs the authors who have international reputation have stated as follows:-
"Future auditing impacts of new information technology is significantly altering
the conduct of au ditf.. At a suing to the credibility of management assertions has
been om of the provisions major responsibilities during its entire history. For years,
the service has been epitomiscd by the annual audited financial statement To-day,
the annual financial statement - while still sening a valuable role by becoming a
smaller pan of the information needed by management.lenders and stock holders to
make informed decisions ... As other sources of information become more and more
important, there is a current need to develop ways to similarly assure their currency
compktenesr, neutrality, freedom from bias and credibility.
The challenge - and the opportunity for the public accounting profession is
considerable. Professional standards will need to be developed to cover these possible

new senicer In addition, the responsibility that public accountants would assume and
the legal exposures they would incur would need to be assessed. Most important,
however, there is a clear indication of need, and the profession is well situated to
respond".
It is important to note that the situation regarding t~chnological developments
and usage of computers have change in our country also. The profession in our
country is not well equipped to respond and the management of organisations an not
as yet ceased of the problem.
Research publications
The publication of the Institute of the Internal Auditors USA' reviews, risk,
controls and audit techniques while describing the fast changing technology to help
internal auditors to perform their jobs better. The report consists of 11 modules as
follows :-
Executive summary
Audit and control environment
Using information technology in audit
Managing computer resources
Managing information and development systems
Business systems
End-user - departmental systems
Telecommunications Security
'
Price Waterhouse, "Systems Audilabilily and Control", The Institute of Internal
Auditors, Orlando, 1991.

Contingency Planning
Emerging technologies
The project was financed by IBM and Price Water Hons performed the work
Thc report ckarly recogniscs that the internal auditor's responsibility regarding
information technology has changed tremendously. The report concludes that as a
major aspect of strategy planning, the auditor should have an overall assessment of
associated risks and concerns, to cmphasise the fact that the auditors need to be
current It is necessary for the internal auditors to understand the environment and
the technology, to enable them to inform the management correctly about the actual
and potenticl risks and control concepts.
Mr. Kamal Guptal Technical Director of the Institute of Chartered Institute
of India while discussing various aspects of audit, devotes whole chapter on auditing
EDP based accounts. A reference is made to the various standards and
pronouncements of professional bodies abroad. It is recognised that the increasing
use of computers has changed the approach and techniques of audit also". It is
reliably learnt that in view of the increased use of computers, the Institute of
Chartered Accountants itself has made a start in providing guidelines to its members
for procedures to be followed while auditing in a computerised environment It is
learnt that the Indian Institute also may be within 2/3 years after the process of
different committees, approving the same, is completed issue official professional
standards as a statement hopefully.
' Kamal Gupta "Contemporary Auditing", New Delhi, Tata McGraw-Hill Publishing
6. Ltd1986.

Professional bodits elsewhere in the world, haw issued standards for Auditing
practice in a wmputeriscd environment.
S.Rao Vallabhanenil discusses the audit methodology and control guidelines.
He classiKcs the computer security under the following heads:-
* Physicalsecurity
* Personnel security
Data security
Application software security
System software security
' Telecommunication security
Computer operation security
While critically analysing the various concerns, he has prepared useful
worksheets for risk assessments in the different areas. The criteria considered is very
exhaustive and the methodology very practical. He has provided values for the risk
and weightage for the criteria and anived at the total risk score. He has a very useful
suggestion of preparing a risk ranking worksheet which, from the data collected on
each of the computer security areas, grades, the risk level as "low, medium and high".
An analysis of this approach and his conclusions have a practical bearing. The
methodology adopted for risk assessments for the purpose of my study are similar to
the one proposed by this author. A copy of the questionnaire for risk assessment
under each area of security and risk assessment work sheet are enclosed (ReLAppendh).
' S.Rao Vallabhaneni, "Auditing Cornpuler Security -A manual with case
studies". New York, John Wiley & Sons, 1989.

Wabley and Peter1 deal with computer auditing as a conceptual foundation
The topic of internal control structure is presented under the heads of organisation
controls, personnel practices, standard operating procedures as also systems
development documentation controls Specific mention is made to the systems
documentation standards. The documentation is expected to have the following :
Problem definition
System documentation
Program documentation
Operations documentation
User documentation
While conceding that maintaining gwd standards of documentation is
necessary, the author realiscs the difficulties in maintaining the same. He makes
specific reference to software aids to documentation. The section dealing with
auditing EDP systems is of importance and the auditing is divided by authors into the
following tasks :-
Audit of computer programs
Audit of data files and data bases
Audit of computer processing - general concepts
Audit of computer processing - user control systems
Audit of computer processing - third party systems
I
Donald AWatne and Peter B.B. Tumey, ']Auditing EDP Systems" New Jersey,
Prenticc-Hall International. Inc. 1984.

Mention is made to usage of expert systems and the role of auditor in auditing
such an environment It is interesting to note that the author mentions that the
auditor should use the expen system as a twl to be more effective and efficient
Ron Weber'sl book is a bible to auditors who wish to gain basic knwrkdp
of computericed environment, associated controls, evidence collection methodologies,
and evidence evaluation procedures. There are important chapters on managing EDP
audit function. The author highlights the importance of changing EDP audit function.
With the advent of micro computers, growth of end- user computing and impact of
knowledge systems and the growth in data communications, the authors feel the EDP
auditor should keep pace with the new technology. An interesting question posed by
the author is as to how an auditor can determine what ciianges need to be made to
controls and audit procedures when an organisation changes from its existing
technology to new technology for its data processing. He concludes that the role of
EDP auditor and basic audit methodologies remain unchanged. However, the EDP
auditor must understand the new technologies, be capable of determining their
impact on controls and audit procedures and ensure that appropriate evidence
coUection twls and techniques have been developed
Michael G. Grottola' elaborates on using UNIX to Audit Unix. He provides
guidelines as to how the operating system UNlX can be controlled by its owners. His
book deals with facts concerning what to look for in an UNIX system, how to
Ron Weber, "EDPAuditing Conceptual foundations and pmctice" New York,
Mcgraw-Hill Bwk Cn., 1988
Michael G.Grottola, "The UVEaudit. Using UNM &Audit UN1X"', New York,
McGraw-Hill Inc, 1993.

examine it and how to report its findings. The author mentions that using a UNIX
operating system to audit the environment thus require apart from audit experience,
UNIX litracy. It provides useful guidelines for the auditor to become "Unix Literate".
There is a chapter on which it takes the auditor through the various process of
installing the UNIX system. It gives a brief description of each of the commands. The
book contains useful information on how an effective audit can be conducted in an
UNIX environment using the UNIX commands themselves.
Unix Security is an important subject. Mr.N.Derek Amold' while helping the
reader to learn about the UNIX operating system, concepts and securities, also helps
the understanding concepts of information control and security aspects. A special
chapter on audit programs refer to the several ways the systems auditor can keep
track of what is going on in the system. It highlights the fact that more the system
administrator knows about the activities of the system, better steps can be taken to
secure the system. The importance of End- user maintenance is highlighted. The
possibility of new user's messing up needs to be borne in mind. The vulnerabilities
because of installation of special devices are discussed. It is mentioned that devices
which have the potential to bypass standard unix security are being built. On the face
of it though the publication looks as if it is highly technical, it is of immense use to
the auditor as it contains useful guideline for the usage of different commands. The
ways of bypassing security by using yet other commands are highlighted. There are
special chapters on data base security in unix environment. The chapter of "breaking
techniques" is very revealing as it describes the method used by an attacker. As the
author mentioned, this is of particular use to the administrator. The techniques
N. Derek Arnold UNIX Security. New York, McGraw-Hill Inc., 1992

mentioned in the chapter are of immense importance, as the knowledge of the facts
will help the auditor to know what could heppen. Yet another chapter on VIRUS
infection helps to get an understanding of how a virus works in a UNIX environment
This chapter provides some guidelines on how viruses can be prevented and if
prevention fails how to detect them. The problems associated with prevention and
detection discussed in this chapter gives an insight into the problem that one will face
when a virus infiltrates in a computer system in a unix environment
Database management system and system functions are explained lucidly by
Gordon G.Everestl Specific chapters on data base integrity dealing with back up and
recovery, quality control and concurrent update access control and encryption are of
utmost importance to the auditor. The author explains in simple language the
concepts of data base, provides guidelines for theauditor to acquire knowledge on the
necessary controls in a data base environment. The awareness of the knowledge of
the controls and the procedures which should be implemented in a data base system
facilitates the auditor to test the adequacy of the controls in a data base management
system environment
The literature surveyed deals with different computer environment and the
controls and audit concerns associated with it Each of the technological
developments have been dealt with in detail.
However, a concerted study of what the auditor is expected to do in a
Computerised environment as per the auditing standards of different professional
Gordon G. Everest "Data Base Management, Objectives System finctions. &
Administration", New York, McGraw Hill Book Company, 1986.

odies taking into consideration control objectives and audit concerns in specific
computcrised environment, specially as prevalent in India, is not available.
The study has been undertaken to attempt to fill upthis gap. A sample survey
ofcontroland audit practices has been undertaken and analysis included.
IMPORTANCE OF THE STUDY
The present study is an attempt at evaluating the controls in different
computerised environments generally and specifically like End User Computing, net
working, Data base management. A study of the controls that should exist in the
different computerised enviroments has been made. This has been compared with the
controls that are existing in a sample set of organisations in different environments.
The audit concerns in each of the environments in particular and in a computerised
environment generally has been stated.An analysis of the findings has been reported
with suggestions, based on the findings.
A study of the professional statements and auditing standards of different
professional bodies has been made. An audit approach which has been well
recognised has been described The audit procedures followed as described by the
organisations which have ken included in the sample has been analysed. Similarly
five leading firms of statutory auditon have been approached and the procedures that
they follow while auditing on a computerised environment had been noted by way of
answers obtained from them on the questionnaire provided to them. The hypothesis
for this thesis is that the controls and auditing standards in a computerised
environment as prevailing in India is inadequate. The analysis of the control

procedures in organisations and the audit procedures followed as reported by the
organisations and the audit approach as mentioned by leading auditors have been
undertaken to verify the hypothesis.
The information technology security probkmsbecome very vital and important
as most organisations have automated their activities. Even electronic links ari being
established with their trade partners (ED1 EFD). Taking advantage of the
technological developments organisations are computerising extensively. Along with
this development the security problems are also on the increase. Most of the
companies have some inadequacy or the other in their IT security. Organisations are
failing to wake upto this problem while as now in our country there have been no
formally reported cases of fraud and loases.
Taking into consideration the experience of other countries, it would be a
matter of time before sophisticated crimes and frauds associated with computers
would be as common place as frauds in a non-computerised invironment.
Macro Kapp, Director, hpers & Lybrand, London in his presentation "IT
Security in a changing world" at the South EastAsia Regional Computer Conference,
December 1989 discussed the possible problems and estimated that worldwide losses
caused by IT security would be S 15-30 billion or so. A body of French Insurance
Industry, APSAIRD has published data for France in the year 1987. The table below
gives the detail. It is very shocking and revealing to note that more than 72% of the
losses are caused by
(a)
(b)
System Design Programming Errors
Fraud Software Sabotage

(c)
(d)
Theft and disclosure of data
Theft of software.
Data regarding losses due to IT security are available for countries other than
India. In advanced countries,Auditing Techniques are tyng to keep pace with
technological development. In our country technological development have bern
taken advantage of and specially during the last decade. The impact of
computerisation on organisations has been very very significant. However, the aspects
of control and audit has been lost sight of under the impression, most probably that
companies are falliable and hence personnel and systems associated with the
computers have to be infalliable!!
It is III this context that the aspect of making a study of the control procedures
that need to be implemented in different computer environments and the
corresponding audit methodologies to be adopted has been undertaken to evaluate
the adequacy of controls and take preventive, detective and corrective steps to
minimise the impact of possible losses.
SCENARIO IN OTHER PARTS OF THE WORLD
A new pattern of computer related crime is emerging. It is characterised by
a shift from insiders to outsiders and from applications to systems. The risk is to
management in general, but computer auditors in particular. In response to this
pattern, computer auditors may wish to leave the audit of ;~pplications to others and
shift their focus to systems. In the earlier decades, it was speculated that there would
be exploitation of system vulnerabilities. But what was actually seen was the

exploitation of application vulnerabilities. There was a concern about interference
with or contamination of the application programmes by unauthorised people. What
was seen was manipulation of the input by authorised people! The computer auditors
emphasised shift to applications.'
There was speculation about attacks from outsiders. What was actually
happening was that there were attacks by insiders. It became clear that while system
access controls were necessary, they were not sufficient. People could not be relied
upon to behave safely. In such circumstances, access controls would not bc effective.
The empahsis of the auditor shifted to such areas as password management,
separation of duties and user accountability. It is reported that the traditionally
managed systems are contributing to the vulnerability. The analysis of the attacks
which had been studied demonstrate that serious problems would be caused and they
are likely to be in the increase.'
The contributing factors :
(i)
There are large number of previlege users on the target systems. In some
cases, all of the users are privileged. In many cases, privilege on one system
transmits into priviliging on nearby system. The analysis proved that if a
hacker is able to gain previlege on a system, he is able to change passwords
on dormant accounts and add "secret doorsn he can contaminate the system
' "Computer. related &me and auditing in the rnineties" by William H.Murray
1990 Volume I1 The EDP Auditor Journal.
' "Computer - related dine and auditing in the mineties" by William H.Murray
1990 Volume 11 The EDP Auditor Journal.

in such a way that it will be impossible to exclude him without seriously
disrupting operations.
(ii)
(iii)
(iv)
The second factor is the continued reliance on re-usable passwords. This leads
to wlnerability to dictionary attacks.
The presence on the system of active but rarely used passwords.
The presence on the system of widely authorised and used, very general, fully
previleged but otherwise insecured programmes. The statistics prove that the
sample of 150 MVS systems 103 (67%) had one or twomore of these
programmes and of these 88 (85%) still had the default lockwards in place.
An analysis of various instances of attacks on the computer suggests a shift in
the source and nature of the exposure. These exposures are so widely
documented that any exploitation will be extraordinarily embarassing to
management and to computer audit. The study recommends that while
auditors are not responsible for preventing computer related crime, they are
responsible for identifying and reporting to management conditions which
contribute to the crime.
The recommendations of the study have been as follows :
(i)
Identify and report excessive previlege
The auditor should identify all user profiles that contain system management
previleges. The presence of more than one should be reported.
Identify and report programmes that run with system previleges. Application
code and system management code should run in application state with the previlege
of the user. The auditor should identify and report all such codes that run with the
system previleges. The auditor should look for and report any evidence that these

programmes were available to others. The use of the default lockwords to one such
evidence.
Identify and rtvoke dormant profiles
remedied.
A large number of such profiles constitute a risk to the srjtem and should be
Identib unused or unnecessary ports
The auditor can contribute appropriate management consideration. Any
evidence of unused or unnecessary codes were reconciling the presence of system
codes to their use and also by examining the process by which such decisio~c are
made.
The recommendation reflect standards of practice that the auditor should
expect. These practices are motivated by emerging exposure to outsider attack.
However, these can be expected to reduce the exposure even more from the likely
t!lreats from insiders.
Statistics have been provided on the computer crime. The statistics has been
collected from 3 discreet surveys. The 1986 computer crime survey consisted of
contacting 250 prosecutors' offices. 75 cases were reported.'
' Computer m'me and abuse by J.J.Buck Blook Becker EDPAA Audit Journal,
Volume 11, 1990,

US.
In 1989 computer survey consisted of mailing to 2500 prosecutors' offices in
The third survey conducted in late 1988 was with the cooperation of the
information systems security association. The survey went to 3500 computer security
professionals. Approximately 14% responded.
Computer crime availability of information
On the basis of the three surveys, it was clear that very few computer crimes
are reported to prosecution authorities. The chart (1.1) on responses to serious
security incidents shows that as against 2% in 1987 it was 6% in 1988. The research
further prove:\ that any study of reported computer crime cases may nor be
representative of the universe of "serious security incidents" known to the respondents
in the centre survey. There was a survey conducted when computer security
professionals were asked for "known information security losses" for 1988. The
average loss reported was $1,09,000. Figure 1.2 represents average annual computer
abuse loss.
In 1986 theft of money represented almost half of all prosecuted computer
crime cases and theft of services represented only 10%. By 1988 money theft
exceeded theft of services only 36% to 34% (Figure 1.3).
More than half of the cases in our natural sample of computer crime
prosecutions involved losses of S 10,000 or lcs only 125% involved losses of $ 1,00,000
or more (Figure 1.5).

The National Centre for Computer Crime Data (NCCCD) published an
anlaysis for whic focused on the California (USA) data (Fig.l.6). Computer
Professionals predicted phenomenal growth in software products to prevent virus
attacks (Fig. 1.7).
Trends in Computer abuse
The National Centre for Computer Crime Data has the opportunity to
compare the make up prosecuted cases before 1986 and after 1986. They have
attempted to infer some significance from the changes and they are as follows:
No significant development is the growing evidence of the vulnerability of
computer communication n,:tworks.
Figure 1.4 deta~ls the types of the computer crimes. Computer security
professionals predicts enormous growth in the use of software to prevent viruses.
However, it was proved that vinrses are less of a concern than down time, destruction
of data or extraordinary disclosure of data.
Implications of computer crime
Computer crime become a media issue whenever a major case comes up. Wise
computer security professionals and auditors have been able to convert public interest
in crime to enlarged budgets for computer security efforts. The survey finally
concluded that controlling computer systems to reduce computer crime is a serious
challenge. The problem has been growing and the assets which can be broad to beer
against computer crime have also grown. The authors have concluded that the key

I
FIG 1.7 : USE OF TECHNOLOGY/PRODUCTS
IN 1985, 1988 & 1991 (CHART 2)
% Percentage of Users
70 1 I
Advanced Intrusion Audit Secure Secure Secure Anti-vlrur
Encryption Detection Analysis Operating Networks DBMS's products
Expert Aids Syatema
Syatema
Sources : NCCCD and RGC Associates
Security Survey

to this problem is commitment. 'here is need for generating commitments to security.
Technological solutions would not solve the problem.
Computer abuse in Australia'
Statistics recently released by Australian computer Abuse Research Bureau
identify that reported computer abuse incidents have increased dramatically. Nine
years the Bureau collected reports of 205 cases representing almost $ 11 million. In
1989 alone, there were 51 reported cases representing $ 26 million. In the 10 years
that the bureau has been in operation they have identified a number of ~nteresting
aspects relating to the TOP 9 TEST was a measuring mechanism developed by
Gerry Benboo and his friends. C appeidix top tests. Of the 392 responding
organisations .02% pass the test with 60% of the respondents not receiving a ranking
at all. The study was reperformed recently with the same poor results.
Industrial groupings
ACARP statistics confirm that approximately 36% of computer fraud by value
is performed in the financial sector.
Fraud reporting
There is an understandable reluctancc to publicly disclose information which
is considered confidential and computer abuse falls into that category. In Australia
it is observed that a computer crime is performed in 80% of instances by internal
-
' Computer Abuse in Australia by Garry Bonbow EDPAA Audit Journal 1990
Volume 2

employees and yet only 20% of the organisations are prepared to perform security
evaluations on prospective employees. It is reported that in 1984 the American
Banking System electronically transmitted in excess of S 180 billion everyday. It is
reported that "given the known statement of computer security this is not a surprise
that computer experts around the world are on the edge waiting for an organised
attack which should spell disaster for corporate identities either to consider
invincible".
OBJECTIVES OF THE STUDY
The basic hypothesis for this thesis is to prove or disprove that controls in a
computer environment as they exist now are insufficient and that auditing practices
followed to evaluate the controls and report on them are well below the accepted
standards.
In specific terms, the objectives of this study are to:
(1) Identify existing control systems select types of computerised environments
(Personal Computers, End User Computing, LAN, DBMS etc.) ;
(2) Review the procedures which the selective auditors are adopting in those
computerised environments to satisfy themselves that the internal controls are
adequate in terms of the completeness, accuracy and reliability of the
information which forms the basis of the financial statement of the
organisation;
(3) Examine the levels of efficiency of control procedures in the light of well-laid
out standards of controls in different environments;

(4) Evaluate overall level of controls meant to ensure the appropriateness of audit
requirements; and
(5) Suggest suitable control mechanism to improve effectiveness of audit practices
in a computeriscd environment
SOURCES OF DATA
Study is based both on primary and secondary data. The secondary data
sources are well-known publications of studies effected in US4 and UK Primary
data is that personally collected from organisations and auditors.
Secondary data
1. Systems Auditability & Control Reports published by Institute of Internal
Auditors USA
2 A Handbook of Computer Security edited by Keith Heardnden.
3. Auditing computer security - A manual wityh case studies by S.Rao
Vallabhaneni.
To generate plausible hypothesis for study a focus group discussion was
adopted with experts fully conversant with EdP auditing practices and then the
consensus from the group was stated as an initial hypothesis for further researchin
this study.
The actual methodology adopted for this research falls under the category of
indepth case study method. There are two typical methods available for doing

esearch with empirical data. One is large sample survey method and another indepth
w e study method. Generally large sample survey method is resorted to when the
system being studied or being researched is very familiar to the respondents and they
can correctly interpret and answer the questions posed to them. Wherever for the
first time a research is undertaken to study the performance of any system, it is
preferable to have a detailed checklist of relevant questions pertaining to the study
which could be personally administered by the researcher so that he/she can clarify
the meaning and interpretation of the questions to the various respondents. In that
process, additional insights can be obtained about the performance of the system
thorugh personal discussions. Understandably, the umber of such cases cannot be too
large to facilitate indepth discussion. So in this research, the study has the second
method of indepth case study. Also in this method the number of organisations and
the number of respondents taken are not too large. Hence conventional statistical
tests for validating the responses will not be meaningful.
Selective data which is not biased has been selected for sampling purposes.
Leading audit firms who have extensive clientele both in public sector and private
sector, operating in different areas of financial, marketing, manufacturing etc had
been chosen. As regards organisations, which have been using computers a sample
size of 30 was tested. As leading auditors were contacted for auditing methodology
adopted by them, data would represent audit procedures adopted in more than 100
organisations.
As regards wmputerised environment, the sample size of 30 installations
include different types of management like public sector, private sector, public limited
companies, private limited companies, financial institutions, banking etc.

The methodology and sample size are defended on the following grounds:
1. The findings of the study are though substantially based on the responses to
the questionnaire still considerable personal intervention has taken place with
the Managers concerned to get deeper insights into their problems and state
of affairs. This would not be possible if a larger sample is taken.
2. (a) The organisations chosen for the study are typical of most of the Indian
Commercial organisations.
(b)
(c)
The auditors interviewed are also the reputed ones.
The variation in the responses in the sample organisationslauditors is
practically nil. This gives substantive credibility to the findings and
hence generalisations also are valid.
The fundamental principle in sampling theory that lesser the variation in
responses small sample will be adequate has been adopted.
LIMITATIONS OF THE STUDY
The study has the following limitations:
a) The data for the study is not voluminous though illustrative. This is due to the
fact that a representative sample which has not been subjective has been
chosen.
b) Throughout the study no distinction has been made between different
management styles of the various organisations. This is due to the fact that
though the style of management may vary the concept of basic accountability
of top management does not cease.

c) The auditors selected are mostly seniors and well established in the profession.
Juniors and freshen have not been many in the sample. This is due to the fact
that larger organisation with wider computerisation are mostly audited by
seniors. However, in the smaller organisations, it is mostly PC based and
controls in PC environments have been fairly well covered in the samples.
ARRANGEMENT OF TEE CHAPTERS
The thesis has been divided into nine chapters. Chapter I1 deals with auditing
standards where the need for standards is emphasised. The professional
pronouncements in the form of Standards of international bodies like the American
Institute of Certified Public Accountants. Institute of Chartered Accountants of
England and Wales, Institute of Internal Auditors, USA, EDP Auditors Association,
USA are referred to with special reference to those standards which are applicable
to auditing in a computerised environment. Reference is also made to 1SO-9000-3,
wherein quality standards required for software development are specifically
mentioned.
Chapters 111, IV, V and VI deal with controls in specific environments. Four
important and more commonly used environments have been chosen. Chapter III
deals with controls in Eud-User computing. The reasons for the rapid growth of
End-User computing, control concerns and audit considerations are also highlighted.
A copy of the questionnaire which was used to make a sample survey of five
organisations having End-User computing is enclosed. The findings at the end of the
chapter are based not only on the information collected from the responses to the

questionnaire, but also of the research team of the US of Institute of Internal Auditor
as published in their Report, "Systems Auditability and Control".
Chapter IV deals with Local Area Network. A technology overview is
provided. The current utilisation of LAN in different organisations are discussed.
Accepted procedures regarding the establishment of controls and auditing procedures
are discussed. A sample questionnaire to evaluate the controls in organisations having
LAN is enclosed. This questionnaire was utilised to secure responses from five
organisations and a comparison of existing practices for implementation of controls
and audit procedures in these environment is compared with accepted controls and
audit procedures in a local area environment. This is followed by analysis and
findings. The findings include my own based on the lesponses from five organisations
as also the IAA's findings as reported in SAC The suggestions regarding effective
implementation of controls in a LAN and specific audit procedures needed form the
subject matter of the section regarding suggestions.
Chapter V deals with the topic of Database Management System (DBMS).
While explaining the concept the specific vulnerabilities of the environment and the
steps to be taken to plug the loapholes are discussed. The procedures and systems
as followed in organisations which have implemented the DBMS is discussed. The
standard accepted procedures, control objectives and audit guidelines in a database
management system environment are stated. The controls and audit procedures as
they exist are compared with norms. The results are analysed and the findings
reported. The findings also include those reported in SAC of IAA. The final section
Contains suggestions regarding implementation of controls and practices of the
acceptable audit procedures.

Chapter VI deals with controls in a UNIXenvironment. The operating systems
UNIX had been the subject matter of controversy. It was even stated that "UNIX
security" is a contradiction in terms as the original version of the operating system
UNIX had a great deal of vulnerabilities. Over a period of time, later versions had
attempted to plug the loopholes. Many proprietory operating systems of UNIX have
also been supplied by vendors. A general discussion on UNIX operating system with
possible loopholes and attempts made by subsequent versions of different vendors to
plug the same are also discussed. Special audit concerns in this operating system and
how the auditor should audit the system by UNIX itself are discussed. Based on the
questionnaire enclosed, responses have been obtained from five organisations and
analysis and findings have been reported. Suggestions for implementation of effective
controls and proner procedures to be adopted hy auditors are discussed.
Chap:er VII deals with Disaster Recovery Plan. The importance of Disaster
Recovery Plan is highlighted and instances of successful disaster recovery plan (DRP)
and failures due to the absence of DRP are highlighted.
The anticipation of possible exposures and providing for the same is
duscussed. The contents of DRP, the method of implementation and review are
highlighted. The role of the auditor with regard to the disaster recovery plan is
discussed.
A sample questionnaire for collecting information from a sample of 30
organisations is enclosed. Analysis of the findings have been reported. Suggestions for
effective implementation of DRP and the role of the auditor are also brought out.

The technological developments are continuously taking place in the area of
development, storage, communication, database etc. Concepts of CASE tools,
Recngineering and ED1 have been highlighted. Control objectives and audit concerns
in these areas have been discussed and, included in the chapter "Summary,
Conclusions and Recommendations".
Chapter Vlll deals with an audit approach. Without considering any specific
environment, a general approach which an auditor should have when auditing a
computerised environment is highlighted.
The current scenario is discussed briefly. A detailed discussion on
well-accepted approaches for auditing in a computerisltd environment is attempted
giving the various step5 and the tasks involved in each step. A sample questionnaire
is enclosed to illustrate information regarding the approach of auditors as currently
practised.
Practising Auditors' responses for the questionnaire has been analysed. This
is also supported by information gathered from a sample of 30 organisations
regarding audit practices of their respective organisations.
conclusion.
Chapter IX presents a summary of the findings and draws an overall

CHAPTER I1
AUDITING STANDARDS
INTRODUCTION
Auditing Standards as the very name indicates refers to Standards for Audit
performance. They are the measures of quality of performance of auditing procedure
and the objective to be attained by using the procedures followed.
The auditor's objective is to reach a conclusion on whether the financial
statements taken as a whole are materially mis-stated. The auditor is expected to
accumulate the potential of such adjustments and evaluate the combined effect. If he
has concluded that the financial statements are materially affected by an irregularity
he should either insist on the financial statements being revised or if they are not
revised he should qualify his opinion on the financial statements. He should disclose
substantive reasons for his opinion.
In a computerised environment it is expected that the auditor should satisfy
himself that the controls are adequate enough to produce accurate and complete
financial statements. Should he not have evaluated the controls or having evaluated
the controls he concludes that they are inadequate and hence the likelihood of the
financial statements being materially misstated, the auditor is expected to qualify his
opinion.

American Institute of Certified Public Accountants (AICPA) issues standards
on Auditing Standards. (SAS) which concern the external Auditors responsibilities.
Periodically new SASS are issued superceding the earlier ones.
SAS 31 deals with evidential matter.
SAS No.31 (AU Section 326.12): as emended by SAS No. 48,makes it clear
that audit evidence is not affected by the use of computer processing. Only the
method by which the auditor gathers that evidence can be affected.
The auditor's specific audit objectives do not change whether accounting data
is processed manually or by computer. However, the methods of applying audit
procedures to gather evidence may he influenced by the method of data processing.
The auditor can use either manual audit procedures, computer-assisted audit
techniques, or a combination of both to obtain sufficient, competent evidential
matter. However, in some accounting systems that use a computer for processing
significant accounting applications, it may be difficult or impossible for the auditor
to obtain certain data for inspection, inquiry, or confirmation without computer
assistance.
The American Institute of Certified Public Accounts Computer Auditing subcommittee
provides guidance on the effect of computerisation on the audit process.
This committee advises the Audit Standards Board and other NCPA Committees on
matters relating to Audits that involve computerised systems. The AICPA has come
Out with several publications providing guidance related to the computer
environment. However, these are not official pronouncements but only guidelines.

1. Management Control and Audit of Advanced EDP systems was issued
in 1983. This guideline describes the characteristics of advanced EDP
systems. It discurses control mechanisms and auditing of such systems.
2 Audit & considerations in an "on-line environment" is another guideline
published in 1983. This guideline contains a description of the various
environments that are encompassed by 'on-line systems'.
This guideline identifies the impact of the 'on- line environment' on the
auditor's study and evaluation of the system of internal accounting control.
"Controls over using and changing computer programmes is a guideline issued in 1979
which provides guidance to ensure thatno unauthorised changes are made to the
programme and that any changes are duly authorised by Management".
"Computer-assisted audit techniques" .The guideline issued as early as in 1979
describes audit tools and techniques that are relevant for auditing effectively in a
computerised environment.
An Accounting Guide entitled "Audit of Service Centre" was originally issued
in 1974 and subsequently revised in 1987. This guide addresses the special problem
for auditing organisations which utilise external service centre facility. The revised
guide has incorporated all relevant auditing pronouncements as also the general
guidance in SAS 44 "Special purpose reports on official accounting control by service
organisations. The guide has three chapters as follows:
i. Effect of an organisation's use of an EDP Service Centre on the
auditor's study and evaluation of internal control.

ii. Reponing of reviews on EDP Service Centre;
iii. Using reports on internal control at EDP Service Centre on the
auditor's study and evaluation of internal control.
i. Effect of an organisation's use of EDP Senin Centre on the auditor's study
and evaluation of internal wntrol
This Chapter discusses the impact of using EDP Service Centre on the system
of internal accounting control and the user organisation. It also deals with the impact
which it will have on the auditor's study and evaluation of the system of the
organisation. It makes specific mention of the circumstances in which the auditor of
such an organisation should include in the study control procedures at an EDP
Service Centre.
ii.
Reporting of reviews on EDP Service Centres
The EDP Service Centre would generally be used by different organisations
who may be having different auditors. It would be difficult for the service centre to
subject itself for a review by aU the auditors. In this chapter, a reasonable alternative
has been suggested by which a single auditor specifically reviews the internal control
procedures of the senice Centre and reports the results of other auditors.
The guide describes the manner in which the auditor of the Service Centre
would report the results of the Review of the SeM'ce Centre. The guide further
provides that while the auditors use the report of the service centre auditor, they
would continue to retain the responsibility for evaluating the internal control system
at the senice centre.

Using reports on internal control at EDP Service Cent=
The guide discusses how the service auditor's report can be utilised by the
auditor of the organisation in evaluating the integrity of the financial statements of
the client.
AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS, U.SA.
The American Institute of Certified Public Accountant (AICPA) issues
procedure studies which though not authoritative, provide practical assistance in
carrying out auditing procedures.
Computer Audit sub committee of AICPA have five separate Task Forces for
developing auditing procedure studies in computerised environment. The studies
which have been completed and released for member's benefit ;ire as follows:
a) Auditors use of micro-computer published in 1986. This provides guidance to
auditors to use micro-computers as an audit tool.
b) Auditing in a paperless environment
This study describes the benefit of a paperless environemnt on the audit
approach, specially in view of the inherent risk when there is no paper trail to
substantiate the transactions.
c. Audit impact on small (micro-mini) computer systems
The study provides guidance when clients operate in the above environment
with special reference to the fact that reliance on computer controls unlikely.

d. Audit impact on mid-size (mini/minilreme) computer systems
This study will guide when clients use not so much complex a compute:
systems but there is some reliance on computer controls.
c Audit impact of large (complex) computer systems
This study will provide guidance on following inherent and control risks in
auditing an organisation in the above environment. There is greater likelihood of
there being significant relevance on controls.
Auditing standards Board has approved the issue of a set of general standards
called Attestation Standards. These specifically affect some computer-related
engagement They are u7itten broadly to apply to all attestation certificates in which
a certified public accountant issues a report which conta~:ls conclusion on an assertion
after examining such assertion.
Attestation standards deal with
a) Technical competence
b) Due care
c) Adequate Planning
d) Sufficient evidence
e) Proper reporting
Attestation standards are thus similar to the generally accepted auditing
standards (GAAS).

INSTITUTE OF INTERNAL AUDITORS, U.S.A.
The Institute of Internal Auditors in 1977 published a Report (systems
auditability and control report). IBM provided a grant to IIA and the study was
conducted by Stanford Research Institute which published in three volumes as:
i. Executive report
ii.
iii.
Control Practices report
Audit practices report.
Though published almost two decades ago, many of the findings and
conclusions of the study are relevant and proper to the audit and control of EDP
Systems of the current day.
Executive mport
This provides an overview of the audit of EDP systems and the study has
concluded that in spite of data processing systems and internal audit techniques
continuing to evolve mrdination between the two disciplines is not keeping pace.
Control practices report while discussing specific control techniques classifies
the control as general control and application control. The study recommends that
the auditor should be associated with pre-installation review so that better systems
and effective controls could be applied.
The Audit Practices Report contains a list of 28 audit tools and techniques for
effective use by auditors while auditing in a computerised environment.

The Institute of Internal Auditors again under a grant from IBM and research
by Price Waterhouse published the systems auditability and control report in 1991.
The grant was as large as US $500000 and over 150 volunteers participated in the
development and review of the SAS report. The report consists of 12 modules as
follows:
Executive summary
Audit and Control environment
Using Information Technology in Auditing
Managing Computer Resources
Managing Information and Developing systems
Business systems
End-user and department computing
Telecommunications
Security
Contingency Planning
Emerging Technologies
Index
The Research Report in its Executive summary concludes as follows:
"Professional internal auditors of the 1992 have the necessary understanding
and skills to review controls over information technology. As control specialists,
auditors assist management in its responsibility to implement cost-effective controls
to mitigate the risks associated with the use of information technology and to meet
the objectives of the organisation.

Responsible information systems professionals and system users of the 1990s
understand information technology risks, implement proper controls and ensure
auditability of information systems The SAS Repon provides the guidanoc to
management and practitioners in internal audit, information systems, user functions
and other groups interested in the control and audit of all areas of information
system and technology.
The EDP Auditors Association which has its headquarters in USA is the only
professional Association dedicated solely to EDP auditing. The EDP Auditors
Association was established in 1985.
EDP Auditors Foundation (EDPAF)
The EDP Auditors Foundation develops and promulgates official auditing
standards applicable to EDP auditing. Its objectives as stated are:
1. Develop and maintain professional standards, provide credentials as
Certified Information Systems Auditors (CISA) to individuals whose
competence meets the organisation's standards.
2 Provide education in EDP auditing.
3. Conduct Rescarch in EDP auditing and Controls
4. Assist qualified individuals in the study of EDP Auditing
ETHICS AND STANDARDS
EDP Auditors Foundation has established a code of professional conduct for
Grtified Information Systems Auditors. The EDP Auditors Association published in

1987 a "General Standards for Information Systems Auditing". The EDP Auditors
Association has a Standards Board which is a Standing Committee. The Board's
formally adopted mission is as follows:
'To advance the quality of information systems auditing, it is the responsibility
of the Standards Board to promulgate and maintain standards of practices. These
standards apply to members of the EDPAA and to holders of the certification in
information systems auditing.
The Standards authority is derived from the code of professional ethics which
provides that members of the EDPAA and holders of CISA will apply Information
Systems Auditing Standards adopted by the EDPA Foundation. As is mentioned by
the EDPAF, the authority of guidelines and procedures is secondary to the standards
themselves.
The relationship between Information Systems Auditing Standards and other
auditing standards: The information systems auditing standards promulgated by the
EDPA Foundation are intended to supercede auditing standards developed by other
professional bodies. However, where there is a situation when aconflict is perceived
to exist between the Standards of EDPA Foundation and any other professional
body, it is the responsibility of the EDPA Association Foundation to use the
professional judgment to resolve the matter.
GENERAL STANDARDS FOR INFORMATION SYSTEMS AUDITING
EDP Auditors foundation has stated that the following ten standards are
applicable to Information Systems auditing:

Independence
General Standard No. 1
Attitude and Appearance: In all matters related to auditing, the information
systems auditor is to be independent of the auditee in attitude and appearance.
General Standard No.2
Organisational Relationship- The information systems audit function is to be
sufficiently independent of the area being audited to permit objective completion of
the audit
General Standard No3
Code of Professional ethics - The information systems auditor is to adhere to
the Code of Professional Ethics of the EDP Auditors Foundation.
Technical competence
General Standard No.4
Skills and knowledge - The information systems auditor is to be technically
competent, possessing the skills and knowledge necessary in the performance of the
auditor's work
General standard No.5
Continuing Professional Education - The information systems auditor is to
maintain technical competence through appropriate continuing education.

General Standard Na6
Planning and Supervision: - Information Systems audits are to beplanned and
supervised to provide assurance that audit objectives are achieved and compliance
with these standards is met
General Standard No. 7
Evidence Requirement - During the course of the audit, the information
systems auditor is to obtain evidence of a nature and sufficiency to support findings
and conclusions reported.
General Standard No.8
Due Professional care - Due professional care is to be exercised in all aspects
of the information systems auditor's work, including observance of applicable auditing
standards.
Reporting
General Standard No. 9
Reporting of Audit Coverage - In preparing reports, the information systems
auditor is to state the objectives of the audit, the period of coverage and the nature
and extent of the audit work performed.

General Standard No.10
Reporting of Findings and conclusions - In preparing reports, the information
systems auditor is to state findings and conclusions concerning the audit work
performed and any reservations or qualifications that the auditor has with respect to
the audit
The effective date of the standards is from January 1, 1988.
The two statements on independence issued by the Board of EDPA
Foundation are effective from 1st July 1989.
Statement No.1 deals with with independence, attitude and appearance -
organisational relationship.
It lays down the following:
(a)
(b)
(c)
Information systems auditor should have an independent attitude
towards audit
If the auditor's independence is impaired, the auditor should not
participate in the audit The auditor's independence is deemed to have
been impaired if the auditor has expectation of financial gain or any
other advantage due to his influence as an auditor.
Perception of auditor's independence could affect the acceptance of
auditor's work. For example, if the auditor becomes aware that a
situation or relationship is perceived to impair his independence the

auditor is expected to inform the auditee management as early as
possible of the perceived impairment.
(d)
(e)
(f)
(g)
An auditor should be organisationally independent of the area being
audited to ensure that the audit is objective and fair.
When the auditor's independence is impaired and if he continues to be
associated with the audit a disclosure needs to be made.
Independence of the auditor needs to be continuously assessed by the
auditor and management.
The auditor's work and report should represent a discharge of
professional responsibility which exemplifies integrity and objectivity.
Statement No.2
This statement deals with involvement in the systems development process.
This statement provides definition for the systems:
(a)
(b)
(c)
Application systems
Systems development process
Application development review
This statement lays down that
(a)
the Auditor should maintain an attitude and appearance of
independence in conducting application development review.
(b)
The auditor should be independent of the project team. However, the
auditor may recommend control and other systems inherent without
impairing his independence.

(c)
(d)
(e)
The performance of application development review does not impair
the auditor's ability to perform an independent evaluation of the
application after its implementation;
The independence of the auditor may be impaired if the auditor
becomes actively involved in the design and implementation of the
application system; example, by becoming a decision-making member
of the project team.
The auditor's involvement merely as a member of the Project Team
(not as a decision making member) in the design and implementation
of audit tools and techniques, does not impair the auditor's
independence.
Statement Nos. 3, 4, 5, 6 and 8 deal with performance of work.
Statement No3
Becomes effective €ram 1st July 1991. This statement deals with "evidence
requirement" which defines evidence as information used by the auditor to meet
audit objectives. The nature of information used as evidence should be relevant and
reliable; it should also be sufficient to form an opinion of support findings and
conclusions.
conclusion.
Evidence is relevant if it has a logical relationship to the findings and
supportable.
Evidence is reliable if in the auditor's opinion it is valid, objective and

There an various types of evidences which include physical evidena,
documentary cvidena, representations and analysis.
Evidence should be sufficient to support the auditor's findings and conclusions
in a computerised environment A mere programme listing is not sufficient evidence
to verify that it represents the actual programme used in a production-run. If
sufficient evidence is not obtainable the auditor should disclose this fact Procedures
used to collect evidence include enquiry, observation, inspection, confnmation and
re-performance. These procedures may be manually audited procedures or computerassisted
audit techniques (CAAT).
Evidence gathered should be properly documented and organised to support
audit findings.
Statement No.4
Due professional care: The statement is effective from 1st July 1991. 'Due
mre" is defined as that level of diligence which a prudent person would exercise in
a given set of circumstances. ''Duepm~bnoI are" applies to an individual who
professes to exercise a special skill such as information systems auditing.
"Due professional care" requires the individual to exercise that skill to a level
commonly possessed by practitioners of that speciality.
"Due professional care" does not imply that the professional is infallible. If in
spite of exercise of "due professional care" and integrity an incorrect conclusion is
drawn and subsequently it is discovered that the conclusion is incorrect, it does not

indicate inadequate professional judgment or lack of diligence on the pan of the
auditor.
Due professional care includes:
(i) Evaluation of audit risk;
(ii) Formulation of audit objectives;
(iii) Establishment of audit scope;
(iv) Selection of audit tests;
(v) Evaluation of test results;
The auditor should not accept an assignment unless adequate skills, knowledge
and other resources are available to complete the assignment in a manner expected
of a professional.
The fact that the auditor has not complied with professional standards, the
auditor should disclose the circumstances under which it was done.
The use of risk assessment in auditing:
The statement is effective from 1st November 1992. The statement defines the
terms, risk exposure and risk assessment as follows:
"Risk.. The possibility of an act or event occuring that would have an adverse
effect on the organisation and its information systems"

Exposure: The potential loss to an area due to the occurence of an adverse
event ... Exposure can be reduced by implementation of properly designed controls.
Risk assessment
A process used to identify and evaluate risks and their potential impact The
statement lays down that the auditor should use risk assessment techniques in
developing overall audit plan and in planning specific audits. The auditor should
document risk assessment methodology used for specific audit. As no single risk
assessment methodology is appropriate for all situations the auditor should
reevaluate the appropriateness of the particular methodology periodically.
Statement No.6
Audit documentation - The statement is effective from 1st November 1992.
Documentation is a record of audit work performed and the evidence gathered.
Documentation should include details of record of planning and preparation, audit
programme, audit steps, audit findings, report and auditee's responses. The extent of
auditor's documentation would include :
i. Auditor's understanding of the area to be audited and its environment.
ii.
Auditor's understanding of the information processing systems and the
internal control environment.
...
111. Documentation should include information that is required by law or
by any other statutory agency any applicable standards.
Documentation regarding audit findings and conclusions should be organised
and stored and secured in a manner that is appropriate for the media on which it is
retained.

Statement Na8
Deals with audit considerations for irregularities. The statement is effective
from 1st September, 1993. The statement defines irregularities "as intentional
violations of established management policy or wilful mis-statements or omissions of
information of the area under audit or the organisatiom ..... Irregularities include but
are not limited to, deliberate circumvention of controls with the intent to conceal the
purported commission of irregularities, fraud, unauthorised use of assets or services
and abetting or helping to conceal these type of activities.
The statement lays down that it is the responsibility of the management to
have an effective system of internal controls to provide a reasonable assurance of
preventing or detecting irregularities.
The auditor should assess the risk of occurences of irregularities connected
with the area under audit. While preparing an assessment the auditor should
consider:
i. Organisational characteristics
ii. The types of assets held
iii. The system of internal controls
iv. Applicable legal requirements
v. Basis of risk assessment
The auditor has the responsibility to such audit tests which would reasonably
help to detect irregularities that could have a significant impact on the area under
audit.

Audit cannot guarantee that irregularities will be detected. The detection of
irregularities should be communicated to persons at the appropriate knl in the
organisation. Further, if the auditor discovers fraudulent activities, he is required to
report to appropriate Government agencies.
Reporting: Statement No.7
Deals with Audit Reports and is effective from 1st September 1993. The
statement defines the report as a formal means of communicating the objectives of
the audit, audit scope and the findings and conclusions.
If any audit objective set out in the report was not met the auditor is expected
to disclose this in the report. The report should identify specific professional
standards used in performing the audit and also report any professional standard
which should have been used, was not used.
The report should include all significant audit findings.
IS0 STANDARDS
Standards issued by "International Organisation lor Standards" (ISO):.
IS0 has come out with standards for products. There are specific guidelines
given for the procedures to be adopted for obtaining a certificate under ISO. To get
international recognition for the products, it has been a prestige issue for various
organisations whether it be for products or for senices to obtain a certificate under
IS0 9000.

It is of interest to note that IS0 9000 in part 111 provides guidelines for the
application of IS0 9001 to the deoelopment. supply and maintenance of
software. It has been rcmgniscd that "process of development and maintenance of
software is different from that of most other types of industrial products. In such a
rapidly evolving technology field, it has been found necessary to provide additional
guidance for quality systems where software products are involved taking into account
the present state of the technology". IS0 9000-3 deals with situations where specific
software is developed as part of a contract according to the purchaser's specifications.
IS0 9000-3 is intended to provide demonstration of a software supplier's
capability to develop, supply and maintain software products. In this connection,
definitions provided in the guidelines are important and they are reproduced below:
Software item
Development
Phase
Verification
Validation
Para 4.1.1.1 defines quality policy. 'The supplier's management shall define
and document its policy and objectives for, and commitment to quality. The supplier
shall ensure that this policy is understood, implemented and maintained at all levels
in the organisation".
Paragraph 4.1.1.21 describes the responsibility and authority of the personnel,
who manage, perform and verify work affecting quality.

Paragraph 4.1.2 lays down the purchaser's management responsibility
paragraph 4.1.2 is of particular importance. It mentions that the purchaser should
co-oprate with the supplier to provide all necessary information in a timely manner
and resolve pending items.
The purchaser should assign a representative with the responsibility for dealing
with the supplier on contractual matters. This representative should have the
authority commensurate with the need to deal with contractual matters which include,
but are not limited to the following:
a) Defining the purchaser's requirements to supplier
b) Answering questions from the supplier
c) Approving the supplier's proposals
d) Concluding agreements with the supplier
e) Ensuring the purchaser's organisation observes the agreements made
with the supplier;
f) Defining acceptance criteria and procedures
g) Dealing with the purchascr-supplied software items that are found
unsuitable for use.
Paragraph 4.21 generally gives the description of the quality system. The
supplier should establish and maintoin a documenled qwlity system. The
quality system should be an integrated process throughout the entire life c~cI~, thus
ensuring that quality is being built in as development progresses rather than being
distributed at the end of the process. Problem prevention should be emphasised

ather than depending on correction after occurrence. The supplier should ensure the
effective implementation of the documented quality system.
Paragraph 4.3 is ofparticular releoance to the research topic. It deals with
internal quality system audits. It is as follows:
'The supplier shall carry out a comprehensive system of planned and
documented internal quality (system) audits to verify whether quality activities comply
with planned arrangements and to determine the effectiveness of the quality system".
"Audits shall be scheduled on the basis of the status and importance of the activity".
'The audits and follow-up actions shall be carried out and brought to the attention
of the personnel having responsibility in the area audited. The management personnel
responsible for the area shall take timely corrective action on the deficiencies found
by the audit".
Paragraph 4.4 deals with corrective action:
'The supplier shall establish, document and maintain procedures for
a) Investigating the cause of non-conforming product and the corrective
action needed to prevent recurrence;
b) Analysing all processes, work operations, concessions, quality records,
senice reports and customer complaints to detect and eliminate
potential causes of non-conforming product
c) Initiating preventive actions to deal with problems to a level
corresponding to the risks encountered;

d) Applying controls to ensure that corrective actions an taken and that
they arc effective
e) Implementing and recording changes in proceduns resulting from
corrective action".
Paragraph deals with qualityof system-life-cycle activities The major points
and activities listed are:
1.
ii.
iii.
iv.
v.
vi.
vii.
viii.
ix
Contract review
Purchaser requirement specification
Development planning
Qual~ty planning
Design and implementation
Testing and validation
Acceptance
Replication, delivery and installation
Maintenance
The guidelines spec@ very clearly the various procedures to be strictly
adhered to under each of the above-mentioned items. Of particular importance to the
auditor are the paragraphs dealing with testing and validation.
paid:
Paragraph 5.7.3 deals with the aspects for which special attention should be
a) The test results should be recorded as defined in the relevant
specification

) Any discovered probkms and their possible impacts to any other parts
of the snfhvare should be noted and those responsible notified so the
probkms can be tracked until they are solved
c) Areas impacted by any modifications should be identified and retested.
d) Test adeqauacy and relevancy should be evaluated;
e) The hardware and software configuration should be considered and
documented.
It is specifically mentioned that the supplier should validate the operation of
the software as a complete product
Paragraph 6 deals with quality system-- supporting activities. It deals with the
following aspects and lay down the procedure to be adhered to under each head:
a) Configuration management
b) Change control
c) Document control
d) Quality records
e) Measurement of products
It further deals with rules, practices and conventions and tools and techniques
to be followed.
ANALYSIS OF OFFICIAL PRONOUNCEMENTS
Professional bodies like AlCPA, IAA and EDPAA disclose that auditors have
a special responsibility while auditing in a computerised environment.

SPECIFIC STANDARDS WHICH NEED TO BE ADHERED TO
The Institute of Chartered Accountants, we. reliably learn, are in the process
of providing guidelines which would eventually be formulated as standards. With
globalisation and liberalisation policies of our Government, import as also export of
software as also hardware, which is already on the increase, would bc reaching a peak
very soon
In view of IS0 9000-3 prescribed for software development organisations
would be expected to conform to the same and obtain certification. It is of great
importance to note that it is expected that there has to be an internal audit of the
software development.
It should not be mistaken that quality assurance for software is needed only
in cases of export. IS0 9000-3 lays down the concept that software is a produce and
like other products it is necessary to maintain quality. Therefore, it is of paramount
importance to take cognisance of the fact that awareness has been created that audit
should bc performed of the software before it becomes marketable product
In these circumstances, the auditors duty and responsibility is of great
importance for the implementation of the software in an organisation.
PROFESSIONAL PRONOUNCEMENTS IN INDIA
The Institute of Chartered Accountants of India (ICAI) issues different
statements from time to time on specific matters of importance to its members. This
has affected the working of the auditors in India. The statement of Audit Practices

issued by ICAI sets out practices which a n generally obtaining in other countries and
which the Council considers desirable in the light of prevailing circumstances of India
The provisions of the statement of Accounting Procedures issued in 1979 while
explaining the mpc and functions of the Accounting Standards Board has clarified
that in the initial years the Standards will be nwmmendatory in character. It is
accepted that once a general awareness for the need and utility of the standards has
been agreed, steps will be taken to enforce compliance with them. It states, "that
while discharging their functions, it will be the duty of the Members of the Institute
to ensure that the accounting standards are implemented in the presentation of
financial statements covered by their Audit Repor+.s. In the event of any deviation
from the standards it will also be their duty to make adequate disclosures in their
Reports so that the users of such statements may be aware of such deviation". The
Institute of Chartered Accountants of India has issued a statement of basic principles
which govern the audit. It lays down various principles which include:
L
ii
iii.
iv.
Integrity, objectivity and independence
Coniidentiality
Skills and competence;
Documentation;
v. Planning
vi.
Audit evidence
The statement on Audit Practices was issued in 1964, for which a third edition
was brought in 1977. In chapter I1 it deals with general considerations; the concept
of materiality is discussed. It is mentioned that "Materiality" is also a matter of

importance in relation to items in the balance sheer It is added that "it is difficult to
lay down anystandards by which materiality can be judged. It is a matter in which the
decision is arrived at on the basis of the auditor's professional experience and
judgment".
Para 210 deals with the objectives It lays down that the auditors objective
both in regard to assets has to satisfy that they exist and belong to the client that they
are recorded in the accounts. It is accepted that the audit procedure should be
devised accordingly".
Chapter 217 which deals with that of computers, lays down:
"While the principles and concepts of audit are applicable to computer-based
accounting systems to the same degree as to manual systems the auditing techniques
and procedures will need modification depending upon:
a) the extent to which electronic data processing (EDP) are used to
compile and analyse accounting records;
b) the system of internal control in existence in the company in regard to:
(i) flow of correct and complete data to the processing centre
(ii) processing, analysis and reporting tasks undertaken in the
installation and finally
(iii) the impact of computer-based accounting system on the audit
control that could othelwise be expccted to exist in an entirely
manual system.

The guideline proceeds to explain the fundamental concepts of a client who
may be using his own computer-system or a semce bureau for obtaining management
information. It will be of relevance to reproduce para "A".
"A Where a computer is used for compiling accounting records if the system
developed is such a 'print out' (L. a visible record) is available at every stage, as in
a manual system (e.g. Day books, statement of Journal entries, Ledger, Trial Balance
and so on) the audit trail remains complete and Free of the EDP influence. This gives
the auditor all the freedom he needs to determine the extent and manner of
verification of transactions, taking into account the internal check and control that
exists within the organisation but outside of the Data Processing Centre. Nevertheless
it would be necessary for the auditor to make enquiries and particularly satisfy
himself on the following points
a) Adeqauate procedures exist to ensure that the data transmitted is
correct and complete.
@) Cross verification of records, reconciliation statements and control
systems between primary and subsidiary ledgers do exist and are
operative and that accuracy of computer compiled records are not
assumed
Developments in Data Processing in India in so far as accounting records are
concerned, have not yet materially threatened the audit trail since extensive 'print
outs' are made available, but the future points to the inevitable need for the auditor
to acquire newer skills to deal with a computer environment when audit trails as are
now known and accepted, might become expensive and even anachronistic.

Where audit trails have been affected, thc auditor will find that 'kisibility" has
become poorer. This will force upon him the need to acquire skills to verify "invisible
records". Depending upon the degree of "visibiiity" he can adopt one or two courses.
(1) have the processing part of the computer applications, but verify the systems
and controls that exist:
(a) to ensure correct and complete data being made available for
processing;
(b) to provide for error detection and correction
(c) to restart compilation interrupted by power, mechanical or processing
failures without duplicating the entries and records;
(d) to ensure checks and controls on output or accuracy and completeness;
(e) to provide adequate data security against fire and other calamities,
wrong processing, fraud;
(q to prevent unauthorised amendments, corrections and processing
instructions (Programmes) operating instructions as sequences; and
(g) to keep custody of the data files.
Many more "peripheral" checks may be added but the above would be the
principalones. This approach is referred to as auditing around the computer.
(2) It is possible for the auditor to take the further logical steps to verify the
programmes themselves and technically satisfy himself that systems, checks,
controls, error detection and data security procedures are satisfactory. The
auditor could also use test-checks to test the system in operation and ask for
special print outs by making use of programming facilities available within the

installation or at his command to improve the quality of hi own audit and
reduce time spent on detailed verification of transactions. This approach is
referred to as auditing through the computer.
Given the necessary skills, an auditor could, on request, audit the computer
system itself'.' A study of the various standards pronounced by different authorities,
discloses that all of them uniformly deal with
1. Independence
2 Due professional care
3. Professional competence
4. Planning the audit
5. Understanding Internal control
6. Evidence collection
7. Reporting
' Page 284 - Contemporary Auditing. Third Edition, Kamal Gupta.

CHAF'TER
I11
END-USER COMPUTING (EUC)
The technological developments in the computer field have made computers
"User friendly". Users tend to use local computing power which has resulted in
tremendous growth of End - User Computing. The user instead of depending upon
a central computer department and its staff to render assistance in using computers
for its department depends upon itself. End-User Computing as "user created or
acquired sbstems that are maintained and operated outside of traditional information
systems (IS) controls.

Figure 3.1
END-USER COMPUTING RISK CONTROL LEVELS'
High
Controls
Requaed
'Svsfems AudiiabrMy and ~onfroi Module 7, ~nd-user and Departmental Computing, lnstltute of Internal
4udnors Research Foundation. Florida. 1991.

There are many masons for this rapid growth of this trend:-
(i)
(ii)
There is always backlog of projects and the priorities which the user
may have for its application may not be. the same for the centralised
computer department.
The user's desire to have direct control over their applications.
There are different types of end user computing activities:-
Single user
(i)
Multi-user
Stand-alone PC: This may be used by a single department for routine
preparation of some reports.
(ii)
(iii)
It may be used for preparing adhoc reports using software like spread
sheet etc.
Business applications may be developed which are of immediate use to
the department.
Different users may be utilising the services of the same PC.
The PC may be one of the nodes in a LAN environment when the node may
be used for not only developing routine reports but also to access commonly available
data on the network
Special reports useful for achieving the goals
and objectives of the
department

AUDIT RISKS AND CONTROLS TO BE EVALUATED'
Bar 1 EUC Risks and controls
Traditional IS Risks and Controls
Level of Trechnical Support Required by Users
Bar 2 Low Moderate High NI A
Level of Control Required Over System
Bar 3 Low Moderate High Very High
Level of Technical Auditing Expertise required
Bar 4 Low Moderate High Very High
The specific advantages of end user computing are that
(i) It helps in satisfying the increased need for analysed data and respond
to queries.
(ii) It meets one time requirements by developing temporary systems
(iii) It reduces the normal user and computer department conflicts by
providing users with more direct operational control over the system.
The development cycle is shortened, as the realisation of priorities by the user
is more than the DP department.
It is in keeping with the general corporate policy to decentralise activities.
As against the advantages, there are certain disadvantages. The following are
likely to occur:-
-
' "Systems Auditability and Control Module 7'. End-user and Departmental
Computing, Institute of Internal Auditors Research Foundation, Florida, 1991.

(i)
As there k no oentraliscd effort in pooling resources experience and
skills, the end-user may not have appropriate appreciation of the
associated risks. Users in their over enthusiasm tend to tackle tasks
which are beyond their capability. With the desire to keep up with the
latest technology, hardware and software may be acquired which does
not justify the business needs.
Delegation of decisions not in keeping with position of responsibility of
individuals may take place.
There are many control issues in the nature of
(a)
(b)
(c)
(d)
(e)
(f)
(g)
inconsistent data
Incomplete information trails
Poor system change controls
Poor documentation
Poor security
Inadequate back up and recovery procedures
Software security.
PROBLEM AREAS
In view of the declining costs and increasing importance of information on
timely basis, the awareness and the need for end-users themselves to have the
computer facility has been on the increase. Users have become self-reliant and feel
that they do not have to bear all the over-heads that are allocated to the department

for % services rendered by the antralised computer department The end-users
make e*tewire use of spread-sheets and word processing facilities.
The more enterprising of the staff in user departments have acquired working
Imowkdge of using the computer and the software. It cannot be claimed that the
Imowkdge of such users b of a high level. The situation as it exists in many
organisations b as follows:
(i)
Systems development
Many sptems which the users feel in their limited knowledge would be useful
are developed without adopting any of the standard prescribed procedures. The
application while they may be usable immediately, it cannot be assured that they
would be maintainable, auditable and securable. Applications like budget
preparation, consolidation of accounts, costing, pricing, product-mix decisions are
some of the more popular applications which the end-users have developed.
ii.
Change controls
As the end-users themselves are dewloping the programmes the programmes
are changed at will without cornforming to, again, any established procedures. The
fact that the programme with the change implemented has gone live by their own
efforts blinds them to the fact that established procedures have been given the go-by.

iii.
Data consbtency
As mentioned earlier then an data applications which an used in the
Finana department marketing department, manufacturing department as slso the
costing dcpartments. It is not uncommon to find that there an different versions of
the same data Wig used in the various functional departments. The standard costs
as originally developed might have been updated by the costing department but still
the old version may continue to be used in the marketing and finance departments
while the costing department uses the latest version This naturally leads to data
which is not synchronised and information which is neither reliable nor consistent
being provided.
iv.
Documentation
Documentation being a cumbersome process and a very limited number of
staff being conversant with the usage of computers, it is generally felt that there is no
requirement for documentation and the present practices are that there is total
absence of documentation regarding the systems and programmes, programme
changes and trouble shooting.
v. Software piracy
There b no overall control on the programs that are used at the end-usen
when the organisation being aware their own departments violate the Cow Rights
Acts and are utiliing pirated copies of the more popular software.

Back-up and wntintmy planning for raovery
In the absence of organisation's policies and proadwes there is no systematic
back-up and rewry procedures, End-users due to lack of technical training an not
completely unaware of the need to have adequate back up of data files and
programs In the absena of organisations not having a disaster recovery plan or
because end - usen are not planned end users do not have adequate contingency
planning. It is not uncommon to find end user computing getting interrupted for
unusual kngths of time, this necessarily has its own impact on the organisation's
operations.
Back-up, at the utmost consists of having copies of programs not necessarily..
at a remore place. Back-ups if any are generally located in the same area as main
storage facility. It is not uncommon to find another floppy box containing data and
programs being stored in another drawer of the computer table.
Exposwe to virus
Viruses get introduced into the system in any of the following situations.
i To avoid getting approval to purchase the software unauthorised copies
of the software are surreptiously used by the end user. This may result
in virus contamination of the entire system.
ii. In the absence of adequate back up and contingency planning attack
of a virus does run around program and wipe out tiles.
The problems were generally the same in all the organisations with End-User
computing. Five organisations were selected at random. All the organisations were

large public limited companies which were making use extensively of LOTUS I, I1
and III and certain simple programs in D-Base. In one organisation, the marketing
department was making extensive use of Wl'VS I, I1 and 111 for pricing decisions
It was found that in view of their being no control procedures there were certain
accidental changes to cell values In addition, in some cases, in view of the software
being a pirated copy, the software itself contributed to certain other problems of cell
values getting altered without reason. The department staff were programmers,
operatorsam-users, all rolled into one. It was a common feature to find alterations
being made "ON THE FLIGW i.e. even while the software was being used.
In one organisation, a mere crisis situation arose as the single staff in the user
department resigned for bctter prospects. In the absence of documentation and
separation of duties and no systematic back up of programs and files, the operations
came to a grinding halt
STANDARD ACCEPTED PROCEDURES
As on many organisations an EUC (End User Computing) represents
siwcant investment, it is essential that it should be properly managed and
administered.
The Standard Accepted Procedures could be considered under two heads:
* Control Procedures
Audit procedures

CONTROL PROCEDURES
Planning
End User Computing should be dealt with like any other business activity.
The planning for EUC should address the following areas:.
(a)
Training organisation should have plans for training personnel on any
IT which should wver use of software and hardware and systems
development
Hardwarr acquisition
Clear guideline should be given regarding the type of hardware to be acquired
and the procedure to be followed for such acquisition.
The typt of applications to be developed and the method to be adopted for
such development Eg. the language to be used -whether in house development or
purchase from vendors.
Utilisation of mourns
It is necessary to understand that end users form a part of a whok
organisation. Hencc there should be coordination and inter-action amongst end users
as also the data processing department.

Intcsption with ~ t i w ' busintss s plan
Then should be a central department at the corporate level which should
decide on the followin&-
(i)
(ii)
(iii)
What type of equipment to buy
Whether to buy the equipment or lease it
If a networking system is already in existence, whether end user could
be provided additional modes.
Designing of appropriate controls in EUC specially in areas where key
information is produced to ensure its integrity is essential.
The responsibility of the user with regard to EUC development and integrity
and security of data should form part of the overall long term plan of the
organisation for IT development The hardware and software acquisition at EUC
should fit into the overall blue print of the organisation.
Organisational supporl
Though end user may do its own computing the overall responsibility for its
control exists with the organisation. It cannot, under any circumstanws, be delegated
The organisation should provide the following:-
The organisation should have a small group of IT consultants and also an
auditor which should provide guidance regarding development of applications as

also clarify any technical doubts 'Ihe auditor component of the group should be abk
to evaluate the controls of applications in EUC as also its impact on the overall
organisation Thc EUC should be provided clear guidance on the following :
Operational system
Documentation of systems and programs
Programs changed procedure
Data integrity
Responsibility for controls
The ultimate responsibility for the controls in EUC lies with the Head of the
department. They should ensure
(i) Organisational policies and procedures are being adhered to
(ii) Discipline regarding systems development, program changes, operations
etc are being followed.
To a great extent, controls in EUC environment depend on the effectiveness
of the administrative controls. As the end user has taken on the responsibility of
adhering to the control procedures onus passes on to the end-user.
AUDIT
In view of the extensive growth of EUC specially in view of the significant
benefits that the end user would derive it is necessary for the auditors specially the
internal auditors and subsequently the external auditors to understand the
implications of EUC and its impact on internal controls. The auditors must pay
special attention to the following areas :

(i)
(ii)
(iii)
(iv)
(v)
(vi)
Organisational impact of user EUC
Reasons associated with EUC
The need for corporate policies and guidelines
The awareness of management to EUC risks and controls
The procedures being followed in department utilising EUC
Study of the applications in EUC to evaluate its impact specially on
management decision making.
Performing the audit
The auditor should devote his attention to
(i)
(ii)
Controls at organisational level and
controls at application level
(i)
Organisational level
Organisational level he should evaluate the following:
Administration
Policies and procedures
End-user support
Administration
He should study the responsibilities associated with
Data ownership
Hardware and software compatibility
Training
* Technical support

(ii)
Policies and procedures
The auditor should evaluate whether there are policies and procedures
regarding EUC
The policies and procedures should cover the following:
Documentation
Back up and recovery
Security
Hardware acquisition
Software acquisition
Development of applications
Changes to life running programs
End-user support
The End-users need support and the support if any provided should be
reviewed to find out whether the following are included :
Training
Availability of support
ANALYSIS AND FINDINGS
Controls
A sample of five organisations at random were chosen and a questionnaire
(Table 3.1) was utilised to obtain responses. The practices currently prevalent are
as follows :

(a)
Segregation of duties h totally absent as the user is a programmer,
systems analystand an operator.
@)
The documentation was totally inadequate if not absent In their
eagerness and enthusiasm to develop systems least importance was
given 10 documentation. The situation did in some cases lead to
confusion when the original developer left the department or the
organisation. The systems development life cycle procedure has been
very rarely followed. There was no feasibility study. No documentation.
No test results.
With an attempt at "keeping up with the Jonesses" expensive hardware not
justifying the usage of the user department was acquired and remained under utilixd.
The systems that are developed did not bear in mind the possible integration
with other existing systems or future systems.
"Change control procedures" i.e. the procedures that are needed to be strictly
adhered to whenever an existing program is modified or being replaced. Change
control procedures were of an inadequate standard. Again, the system was entirely
dependent upon the present individual who was using it
Back up and contingency procedures were not
adequate. The back up
procedure consisted of a copy of the program being maintained separately in the
same room. The usage of unauthorised software was very common. While the
organisations might have purchased a licenced software, the end users were having
different pirated copies.

The vulnerability for virus was very common. The viruses generally get spread
either through the usage of unauthorised copies of software or the floppies which the
Maintenance Engineers will be. bringing.
AUDIT
Infonnation was gathered from a sample of 30 auditors regarding the
procedures they adopt in organisations where End-User computing was in existence
and utilised for important areas of operation.
The auditors, either internal or external, were aware of the risks associated
with End-User computing environment There was no audit being performed. The
auditors in spite of being aware that Personal Computers were installed in all the
functional departments, they were ignorant of the type of applications. The audit in
that area was totally absent. Counter-checking of this fact was made with the
End-Users who confirmed the same.

TABLE 3.1
Yes l No
Are end-usen aware of organisational and
departmental information security policies
and guidelines?
Are they adequqatc and upto date?
Are computer systems passwords kept
confidential by user-employees?
2. General control
Are then policies and guidelines available
regarding the following:-
Access security
Systems Development
Change Controls
Date consistency
Documentation
Back-up
Recovery
Contingency Planning
Copyright violation
Virus vulnerabilit

116
Yes I No
3. Access security
Is there a security management function?
Are visitors or unauthoriscd users having
easy access to areas where EUC is
performed?
Are files containing sensitive data
ennypted?
4. Systems development
Are there procedures and controls for
systems development?
5. Change control
Are there adequate documentation
regarding any changes to the programs?
6. Documentation
Are there adequate documentation for
programs, hardware, system configuration
and procedures?
7. Beck-up recovery and contingency
Planning :
Are there procedures and standards for
programing and data back-up?
Is there any training provided to End-usen
regarding dangers of magnetic files static
electricity, equipment failure etc.?
If back-up and storage facilities are
available, are they in the same area or at a
different location?

117
Yes I No
8. Copy-right violation
Are them written policies informing
End-users to the legal consequences of
using un-authorised copies of software?
Are there policies and guidelines issued on
preventing an attack of virus, debugging it if
it is attacked and consequential actions to
be taken to nullify the attack of virus?
Are there specific guidelines given regarding
usage of spread-sheet, specially when used
for decision-making?

The Institute of Internal Auditors Research Foundation in their "Systems,
Auditability and Control" report in Module 7 dealt with End-User and departmental
computing. They have conducted a swey and the key survey findings and
observations are as follows :
* Forty-one percent of the 249 respondents indicated that one of the highest
related risks is poor data accuracy or integrity. Of this 41% (101
respondents), 63% felt the risk would increase in the future, 25% felt there
would be no change, and 12% said it would decrease.
The most effective control mitigate this risk was thought to be policies,
standards, and procedures (27%), followed by inputloutput controls (19%)
and systems testing (9%). The respondents citing policies, standards and
procedures as the best control indicated that the control is not used in 26%
of the organizations, partially used in 70%, and fully used in 4%.
* Other significant risks mentioned included development of incompatible
systems and unauthorized access or changes to data or systems. Related
controls included policies, standards, and procedures, and access controls and
security, respectively.
Internal audit organizations of all sizes plan to increase audit coverage of
EUC' over the next three yeqars. Actual coverage in the past three years and
planned audit coverage in the next three yean are presented in Figure 1.2 for
small (one to ten auditors), medium (eleven to sixty auditors) and large (over
sixty auditors) internal audit organisations.

Percent of Respondents peffonning full or limited scope of EUC Audits
Actual - Past
Three Years
Planned - Nut 91 %
Three Years
It is advisable to encourage development of End-User Computing in view of
the following benefits:-
i. Users become self-reliant and hence are more responsive to information
needs and requirements.
ii. Application development and maintenance costs are minimal as departmental
present needs and future requirements are properly understood.
iii. Back-log of computer applications ate considerably reduced as there is clear
prioritisation of the department's needs.
It is advisable and hence recommended to take full advantage of the benefits
of EUC Adequate steps need to be. taken to avoid associated risks in EUC The
recommended steps would be. as follows:
i. Set up a dedicated consulting group within the organisation It would be
advisable to have a small planning cell of competent personnel who would
provide the guidance for the end-users. The type of services they would
provide include trained end-users generally of traditional systems
development as also providing knowledge of general controls and application
controls.

LOCAL AREA NETWORK (LAN)
Local Area Network (LAN) is defined as a data communication system that
allows a number of independent devices to communicate directly with each other
within a moderately sized geographic area and offer a physical communications
channel providing moderate transfer rates.
Network computing provides the capability for users who are working on
different personal computers, micro-computers or work stations to communicate with
each other via network It is also possible for users to share network resources and
also use any of the services that the network provides. Network consists of a complex
of hardware, software and communications with a number of components located
over a large area. Major components in a network are
i. Network filesemr and netware
ii.
iii.
Network workstations
Transmission media.
Network file server and netware
A file server is a micro computer. This runs on an operating system to control
the network resources associated with the file server. Network operating system coordinates
LAN activities. This decides as to who can access which files, as to who can
make changes to data and who can use the network printers.

To network, files an stored on a hard disc drive located on the server.
Naturally the hard disc drive capacity is very high.
Network workstations
Work stations are personal computers. Network users do their work on these
computers. These work stations can process their own files and run their own
operating systems. However, the network workstations are capable of accessing files
not only from the local drives but h m fles elsewhere in the network.
They are:
Workstations use two pieces of software to communicate with the file server.
(a)
@)
The shell
The protocol
The shell redirects the requests from work stations across the network as
necessary. The protocol lays down the rules and procedures and provides a common
communication mechanism between the workstation and the fileserver.
Transmission media
The transmission media can be any of the following:
* Twisted pair and co-axial cable made of copper
* Fibre optics or fibre plastics
Wireless

Information flows between work stations and the servers File server which is
a micro computer operates as a "host computer" with which other entities like printer,
other terminals etc interact. Hardware and software components are put together to
operate as a whole by the operating system of the network. Workstation in a network
can be and may be W~ected to one or more file semrs.
It is possible for one network to be connected to several other networks.
Distributed or decentralised computing facilities can be set up in different
geographical areas. However, in a distributed environment data is exposed to more
threats. However, the risks can be minimised by building "trusted network computing
facility".
PROBLEM AREAS
Communication systems have become a vital strategic asset for many
organisations. In the commercial organisations management has realised that
networking, marketing, production and finance and other vital functional areas gives
them information power.
With the dynamic marketing effort put in by vendor of network systems,
coupled with "image creation", amongst others in the field has resulted in
proliferation, more and more organisations have started "networking" their computer
environment. An effective management of the organisations' telecommunication
resources can no doubt offer substantial benefits, but sound control procedures are
needed to enhance the network's ability to adapt and grow with the organisation. The
internal auditor in the normal circumstances should examine the policies and

procedures and the tekcommunication function iwlf to evaluate the effectiveness of
the networking function However, the present practices are not as expected There
an no policies and procedures which are very essential for managing network
operations. There an no procedures regarding compatibility of hardware and
software, protection of confidential information, procedures regarding procurement
There is no detailed definition of requirements, detailed evaluation, contract terms
and conditions.
Communication network is an area where it is essential to have hardware and
software compatibility. The introduction of new technology very often changes the
definition of compatibility and hence it is necessary to constantly review the policies
to ensure its currency.
In the present day practices, there are no policies and procedures in most of
the organisations with the result the question of its being current does not arise. It
is not uncommon to find elaborate complicated arrangements which are quite
unsatisfactory, being made to have the latest version of the software to work on an
outdated hardware. Amongst the other, more important present practices are:
i. Lack of systems development life cycle methodology.
ii.
In most organisations, the concept of SDLC is absent and when a network is
implemented, the same culture is continued, with the result there is total
absence of established objectives, cost estimates, acceptance criteria, etc.
Change management
There are no welldocumented procedures regarding alterations or
modifications to hardware and software.

Security authorisation
Then is no well-established corporate security policies in most of the cases
In a few cases where it does exist, though vaguely, procedures for accessing network
facilities, maintenance of audit trails, using diagnostic hardware are not clear and
well-laid down
Problem reporting and anrveillann
There are no well-laid down procedures regarding preparation of reports
connected with security violations or hardware problems. The organisations when an
individual may be held responsible for follow-up iction on such reports, is also given
other responsibilities. In the circumstances, performing the duty of system
administrator becomes incidental. There is no supervision of the systems
administrator's work There has been a reported case of the system administrator
himself having been a party to security violation.
Contingency and disaster recovery plan
It is absolutely imperative to have well- documented standards and guidelines
regarding the contingency planning generally and more so when networking is
introduced. A study of the present practices reveals that there is no such welldocumented
standards or guidelines. It is only a case of crisis management While
segregation of duties is an important element of system of internal control, in not so
big organisations, it becomes difficult to implement this principle. In the
circumstances, it becomes more important to have an effective contingency plan. In
most of the organisations it is absent.

Five users were selected at random for study in a large public limited company
with a turnover of several cram of rupees and a widely dispersed ofice where the
concept of IAN was introduad Discussions with the senior executive of the
company incharge of computer operations revealed that users were permitted to
make "sunple changes" to programs which were relevant to their departments in
violation of the generally accepted discipline that users should use the program only
in the ''Execution Node". The programs were accessed from the file server and
modifications made at the user end The print out at the file server node provided
this information. It was informed that there is a systems administrator who
periodically files the printsuts. Further discussions revealed that most of the security
considerations are being violated on the basis of the trust on the 'loyal staff'. In
another organisation which was also a public limited company, access control
procedures were inadequate. A member of the staff made an unauthorised access
to a confidential file and obtained the information to use against the organisation.
This instance was discovered after the incident by a casual viewing of the print-out
at node which had an important file. Subsequently, steps were taken to review
"Access Procedures".
In a nationalid bank, the manager was provided with a Node to facilitate his
giving the passward at appropriate situations, like "permitting overdraft to certain
customers". It was found that using manager's password had been converted into part
of operating instructions. Discussion with the manager revealed that these
procedures were violated again in view of the trust they have on the staff. A
programmer in a foreign country who opened an Account in the Bank and took
advantage of the vulnerabilities in the procedures had absconded with a large sum

of money befoxc the same was discovered. In all the fivc cases, the auditors were
blissfully ignorant of the risks and exposures
STANDARD ACCEPTJD PROCEDURES
The main purpose of having controls is to minimise the exposures. The
additional controls that arc needed in an online system are:
k Security control
Access
Authentication
Authorisation
* Privacy
* Process environment
Program changes
Authorising execution of program
Operating systems
B. New components control
Data communication
Terminals
C Controls to provide adequate trails
Audit trail
Documentation of magnetic medium
Audit trails from transactional loss to create recovery controls
Figure given below highlights the. new controls that are needed.'
' Adopted from Javier EKuong, "Controls for Advanced On-line Data Bue
Systemsn, Management Advisory Publications.

ON-LINE SYSTEM CONTROLS AND AUDIT PROBLEMS
lnpS Phase
Process Phase
Wu( Ph8e.e
Online
User Repom
;zl
ONLINE
Consde
/"
SYSTEM
DB Dumps
BACK UP 6 RECOVERY
I Integrtty
A Accuracy
C Conbnuw
Adopted from W s b On-L,ne WbSase Sjdmns by Jawr F Kuonp,
MaruOemsnl Adnsoly Wbons. Mass

Prwiding on-line qstcrns controls
Generally systems are designed to provide built in controls to enswe the
following:
Accuracy
Security
Continuity
In order to design appropriate internal controls an oveniew of the designing
of the controls needs to be made. The control points could be considered under the
following heads:
i. Data entry
ii. Data communication
At the point of data ently control mechanisms are built in to minimise
consequences of the following threats :
Entering wrong transactions
Entering unauthorised practices
Improper adjustments by misusing error matior, practices
Absence of audit trails
Loss of transactions
To maintain Access control, security and privacy, standard practices to be
followed are as follows :

Then should be automatic sign off of all operaton when a major system
failure is detected
There should be restricted menu display for each user.
Then should k specific passwords for users.
There should be supervisory passwords for special functions.
Automatic disabling of terminals after trials.
Logging of unsuccessful trials and keeping count of the same.
Disabling of terminals after working houn.
Then should be logging after oftlour use of terminals and importance should
be attahced to accountability of entries.
There should be effective security surveillance procedures.
Password control
Password display on terminals should be suppressed.
There should be separate password for identification and authentication
Establish an effective administrative procedures for password change and
maintenance as follows :
All password changes should be reviewed and there should be a security
surveillance.
For sensitive positions there should be tightly accounted procedures for
changes in passwords when there is change in the personnel.

Pawords should be invalidated automatically after the lapse of a certain
pn-determined time.
Paword tabks should be inaccessible other than to the super user.
objectives:
Control procedures should be adequate to specify the following contml
The terminal should always be capable of being identified.
* The user should be identified and authenticated.
The user should be capable of only operating within limits that he is
authorised to do.
The terminal should be capable of logging all deviations from normal
operations.
The operation at any terminal should be so designed to provide
continuity of operations in case of breakdown or interruption
Standard prnctica - Audit procedures
On line computer systems have an impact on the audit procedures. The matter
is of particular importance to auditors in an online system which are:
Authorisation
Completeness
* Accuracy of online transactions

Integrity of records and processing specially in view of the fact that in
a networked system, the system is accessible to many users and
programmers.
Chnpr in the performance of audit procedures due to the following:
Transaction trails becoming invisible
The necessity for the auditon who have proper skills in an online
system.
Adequate knowledge of procedures during
(i)
(ii)
(iii)
Audit planning stage
Concurrently with online processing
After processing has taken place.
Generally in a well designed online computer system, the auditor would rely
more on internal controls. It is accepted that the auditor would have adequate
knowledge of internal controls in an online system so that he will follow the
appropriate audit procedures.
Audit procedures performed concurrently with online processing would require
testing of controls on the line applications.
include:
Procedures associated with audit after processing has been completed would
Compliance testing of controls for transactions already logged in for
(a)
(b)
Authorisation
Completeness and

(c) Accuracy
* Substantive testing of transactions and processing results
Reprocessing of certain transactions where necessary.
It is generally recommended and found more effective for an auditor to
perform a pre- implementation review of new online applications.
Audit
Information was gathered from a sample of 30 auditors regarding the
procedures they would adopt in organisations where computers were net-worked
using LAN utilised for important areas of operations.
The auditors neither internal nor external were aware of the risks associated
with LAN environment. There was no audit being performed. The auditors in spite
of being aware that computers were installed in all the functional departments and
networked, they were ignorant of the type of applications. The audit in that area was
totally absenr Counter-checking of this fact was made with organisations having LAN
who confirmed the fact that no audit was performed.
Controls
A random sample of 5 organisations which had installed LAN was taken to
study the control aspects.

ANALYSIS AND FINDINGS
Role of the auditor
In the sample number of organisations chosen for sutvey of control and audit
procedures, it was found neither the internal auditor nor the external auditor was
performing an audit of the LAN environment As a matter of fact, the audit
operations did not include evaluation of internal controls in a wmputerised
environment generally. The auditors are totally unaware of the risks associated with
a LAN environment and the accepted well established controls which needs to be
implemented to minimise those risks. This fact of the auditors in evaluating the
controls in a LAN environment was independently confirmed by the organisations
which had a LAN environment.
CONTROLS
In none of the organisations, there were any documented procedures and
guidelines regarding implementation of LAN. While in some of the organisations,
there was a network diagram in other organisations, there was no network diagram.
Even in the organisations which had the network diagram it was not updated and
hence inconed There was no specific terminal designated to monitor activity within
the online system. In one of the organisations, a user department was permitted to
have access of program from his node make a change in the program and executed
at its terminal. Though this situation was reflected in the print out at the network
administrator's terminal, apart from the fact that the print out was filed no further
action was taken.

In most of the cases, no review of controls or procedures are undertaken. In
one other organisation, it was discovered later that important management
information which should be available only at one terminal was accessed at another
terminal during luch time. Much after the event, it was discwered and corrective
action taken.
The discipline associated with the password is not generally being adhered to.
Passwords in many instances have become part of operating instructions and
passwords in some cases are known to more than one person.
In all the cases, there have been instances of violation of security, lack of
integrity, loss of data. Corrective action has been taken subsequent to its occurence.
Even in organisations with LAN environment like other organisations, the
Disaster Recovery Planning is totally inadequate. Othcr than having a copy of the
program and copy of important data stored in the same installation, there was no
other evidence of an effective DRP. Diasten have occured and recovery had been
made with much difficulty.
SUGGESTIONS
In view of the operations of an organisation being distributed, it becomes
necessary to have computer operations located at the place of the operation.
However, to have an overall control of the organisation, information and at the same

timc dowing each of the usen to haw a m for such information as may be
neceuary it bewms imperative to have networbk
Local Area Networks (LANS) have designed a new domain of networks that
can be installed and managed by user groups The dynamic nature of the
tekmmmunication envimnrncnt along with the strategic importance of networks
ghs tekmmmunications high visibility. This necessitates the need for an effective
control.
In view of the importance of mntrols in LANS in ensuring integrity, security,
coddentiality and continuity of informations effective auditing of such system is very
irnpottanL
A study of standard accepted procedures for mntrols and audit in comparison
to the actual practice as revealed by the survey conducted showed up a big gap.
Taking into consideration the environment in India the following suggestions
need to be considered in the areas of control and audit in a LAN.
Contml of completeness and accuracy
There should be clear guidelines and procedures laid down by the
Management regarding usage of network additions of nodes, job responsibilities,
security etc
There should be corporate policy laiddown regarding procedures to be
followed in the communication systems to ensue data inkpity and completeness.

The procedure at its least should include controls regarding
* Time and date stamp
Sequence number checking
* Transaction terminal
Periodic message reconciliation
* Back up equipments and facilities
Recovery procedures
Network recurily
Clear guidelines should be provided regarding classification of critical
information.
There should be well documented security policies standards and procedures.
Audit and legal department should be associated in security planning.
Acquisition of equipment sonware and semces
There should be a central department who should have the knowledge of
organisational interesq who would be able to establish product specification and
bench marks.
Auditors and users should have an important role in product acquisition.
Change management
There should be an authorised procedure for any tele communication change.
The prwdure should include documentation requirements and approval. There
should be a post implementation review of telecommunication changes.

Suggestions for audit procedum
Analysis of the procedures in a sample of sumy of organisations having a
LAN environment revealed that there is no role performed by either the internal
auditor or an external auditor. While an external auditor as of now aay claim that
EDP Audit is not part of the statutory audit, internal auditor would be fa~:.ng in his
duty if he does not evaluate the internal controls in the LAN environment of his
organisation. Broadly the audit program should include the following at its minimum
* Check the existence of policies and procedures from the management
regarding implementation and maintenance of LAN.
* Check an inventory of data communication equipment
Verify whether there lr a network diagram which will clearly denote the
physical and logical action between various communication equipment.
Verilying integrity
Is any particular terminal designated specifically to monltor activity within the
Online system?
Is there any documentation of hardware failures and software failures?
Are there any procedures to ensure that all transactions are received?
What is the procedure regarding transactions messages that may be deplicated
unaccounted or lost? Thus, the software log of errors and re- transmission.
Is there any review of such error logs?
Physical security
Is physical security for communication equipment adequate?

Access to test equipment restricted only to authorised personnel?
Are cables adequately scheduled to prevent physical tampering?
hgical security
Are password systems in use?
Are only authorised persons permitted to access communication software?
Are the users prevented from making unlimited number of unsuccessful
attempts?

QUESTIONNAIRE - AUDIT
CHECKLIST FOR AUDIT OF TELECOMhlUNICATION SYSTEM
Yes i No
GENERAL
Have you checked whether there is any inventory
of audit communication equipmenf terminals,
modems, etc?
Have you checked network diagram in connection
with physical and logical connections of
communication equipment?
Are there any written authorisations regarding
connected physical and logical connections, the
terminals?
Is supenisor approval needed to use
terminals outside authorised usage hours?
Are there written guidelines to determine any
errors in the communication equipment?
Are there established procedures that all
transactions are recorded?
Is there a review procedure for transaction which
may not be accounted or corrupted?
Is there accountability for reviewing error logs?
Is there a journal of messages and does the
message have the following?

139
Yes I No
Terminal, User, Data, Message No. end of
message, end of Transmission
Have you satisfied yourself with back-up facilities
for the online system is adequate?
Have you verified the restart recovery procedure in
case of hardware, software failure?
PHYSICAL SECURITY
Are there policies and guidelines regarding
providing physical security for terminals?
Are the cables electrically shielded to protect from
physical tampering of other damage?
Is test equipment and diagnostic software used only
by authorised people?
LOGICAL SECURITY
Are only authorised personnel permitted to access
communication software?
Are users prevented from making unlimited
number of unsuccessful attempts?
If sensntive information is being processed, are
there adequate controls that they can be accessed
only by authorised personnel?
When was the last audit conducted?
Within one year? Within two years?

QUESTIONNAIRE - GENERAL
Yes I
No
Does your department have any policies and
guidelines regarding installation of network, adding
nodes, job responsibility, reporting structures etc?
Has an audit been ever conducted of the
networking configuration and the applications?
COMPLETENESS AND ACCURACY
Do you employ built-in controls in your
communication systems to ensure completeness
and accuracy?
NGIWORK SECURITY
Do you have any well-laid out policies and
procedures regarding the network security?
Is the information classified according to its
criticality and sensitiveness?
Has the auditor or the legal advisor been
associated in security planning?
In the last two years have there been any security
lapses?
ACCESS CONTROL
Are all your terminals physically protected from
unauthorised access?
Do you have logging facilities?
Do you have surveillance facilities?
Is there a review of violation reports?

141
Yes 1 No
Have there been any violation in the
years regarding acocu?
last two
ACQUISITION OF EQUIPMENT
Are there any established Benchmarks?
Does the user have any role?
Does the auditor have a role?
CHANGES IN NEIWORK
Are there any written procedures and guidelines
regarding change management?
Are there any check lists, documentation request in
the change management procedure?
Are there any post-implementation renew of the
changes?

CHAPTER V
DATA BASE MANAGEMENT SYSTEM
Overview
Objectives of data basc management: The professional approach to
application system development had a strong focus on application programmes and
processes. When the primary focus is on process naturally application systems
develop separately and operate independently. Data files are established as a by
product of application development. As a consequence, if two applications require
same items of data they are duplicated resulting in redundancy.
To retrieve data that is stored urgently, the user has to decide as to which
application to use to obtain the necessary data. This necessitates the coordination of
data updating as regards the application systems. This is necessary to ensure that the
same data is updated in the same way at the same time irrespective of the fact in
which file the data exists. To be able to obtain at all times information based on the
latest version of data would involve using additional programming which would
periodically be similar data in different files so that all the files have the latest
version of the data. This would delay obtaining information at request as a great deal
of processing is necessary before correct and latest information could be given. In the
1960s, usage of a magnetic tape as a computer medium was prevalent which
imposed a sequential structure of the file. In the early 1970s in countries like USA
and Australia, the concept of data basc management systems emerged. In our own
country only in the hst two or three years, that is from the 1990s the concept of data

ase management system has been catching on. Till recently, that is bcfon 1990s
the high cost of equipment and the non-availability of skilled personnel necessitated
centralised execution and control of system denloprnent This resulted in end-users
maintaining privately data manually so that at any point of time they would have
upto date information.
The emergence of micro computers has made end-users maintaining this
information on the computers instead of manually.
Having micro-computers at the users end did not solve the problems but only
ended up in the information problems being transferred also to the end-users.
The need for getting over these problems motivated organisations to seek for
new solutions.
MOTIVATION TOWARDS DATA BASE MANAGEMENT SYSTEM
The major problems which motivate data base management are:
(i)
Quick answers were not available for 'simple' adhoc questions
(ii)
High development costs as the efforts were duplicated both at the
central processing department as also the user department
iii)
Low responsiveness to change
Once an application is developed and handed over to the user many things
happen. Application system may require change either due to the changes
in

statutory requirements or users own views for a different approach -after the system
has been in use for some time. Making changes to the system after the application
has been developed requires great deal of costs and time by way of additional
programming effon and computer time.
It is reported that maintenance of existing programmes consumes 75% of the
time of Systems Analysts and Programmers. This leads naturally to the management
to study ways of reducing people - intensive activities. Such reduction can be
achieved only if a special effon is put in to develop a ... disciplined system.
LOW DATA INTEGRITY AND QUALITY
Incomplete and inaccurate data leads to lack of confidence in such data.
However, should such data be used for making important decisions, it would be
detrimental to the interests of the organisation. This leads to a situation when
managers are constrained to maintain their own files and of good quality information
and unquestionable integrity.
INADEQUATE DATA MODEL
Complex data and inter-file relationship make it difficult provide a formal
definition to the system. There are limited tools
for defining data structures
importance being given to the programming in data structure being modified to suit
the language. This necessitates a richer and better data structure writing capabilities.

While the problems discussed motivate a data base approach one should not
lose sight of the fact that then an certain anas to be borne in mind which would
restrain the introduction of a data base management system.
OBJEClWES OF DATA BASE MANAGEMENT
The main objeaives of the data base management are:
a) Sharability
b) Availability
c) Evolvability and integrity
a) Sharability
The concept of sharability means that the same data would be used at the
same time not only by different people but also in different processes. Data belongs
to the whole organisation and not to any single individual. When data base is shared
by several people it is necessary to have a central body to control the collection and
use of all data. When this is achieved the following would result:
a) Consistency of data
b) Reduce redundancy of data
c) Reduction in the effort needed
d) Capture and maintenance of data
Sharing of data has its own ramifications and it would become necessary to
arrive at a compromise between conflicting needs of different users.

By the concept of availability we mean that data should be made available
when and where it is needed and also in a form and manner in which it is needed.
Then are two dimensions to the concept of availability objective and they an:
i) Function and ii) Form
i. Function
The function of data base is to define and create a data base and getting the
relevant data in and out of the data base as per the requirements of users.
ii.
Form
The DBMS system should be in a position to economically and effectively.
a) Store diverse data
b) In an environment of diverse users
c) Operating in diverse modes
d) Using diverse language
e) Satisfying diverse patterns of usage.
If DBMS were to handle only a very narrow range of diversity users could feel
disillusioned as it has fallen short of expectations or has not become as responsive
as was anticipated.

c) Evolvability and integrity
The characteristic of evolvability of DBMS is its ability to change in response
to the usen needs as also the advancing technology. Evolvability is distinct from
expandability or extensibility. Evolvability increases the possibility of the future
availability of data resources.
PROBLEM AREAS
The technological developments in the Information Technology field have
been growing very fast. The software and the hardware have been ying with each
other in their growth. There has been the realisation that information is power. As
the organisations grow larger the need to have an effective information system has
been greatly appreciated.
The concepts of data base has been spoken of in many seminars and
workshops. Hence it has become an "in thing" in larger organisations to try and
implement a data base management system. There have been products like
ORACLE, SYBASE, INGRESS etc. There have been tremendous marketing efforts
with each vendor claiming that theirs is the product Organisations have had to make
a study of their user needs and the appropriate DBMS package. However, in view
of the concept not being very old there has not been enough experience, the
organisations have had to depend upon their senior data processing staff and outside
consultants. In the present context, executive turnover is very high generally and more
so in the information
technology field. This has resulted in the organisations
depending more on outside help from consultants. In most organisations there is no

individual specifically designated as a data base administrator or data administrator.
It is absolutely necessary that one individual should be responsible for data base
design, defmition and maintenance. However, this aspect is not present in most of
the organisations as a group of two or three people have to play this role of DBA
In the circumstances, determining proper access permissions for application
programs and users and resulting in conflict among users oi the data does create
contradictions.
Creation of data dictionary in many instances is not comprehensive. Most
importantly back-up and recovery procedures are not satisfactory. There are no
well-settled policies and procedures. Each of the data base products like ORACLE,
SYBASE and INGRESS have their own functions and security aspects. Unless the
security aspects of each of the data base packages are completely understood and
implemented, the possibility of the system being exposed to security violations is
immense. Lack of knowledge to implement the concept without the associated
administrative and organisational support is leading to a situation in many
organisations spending the whole time in unravelling the mysteries of the data base
management system package which they have implemented. The benefits that were
expected to be reaped have not yet been completely achieved. In most of the cases,
the cost benefit analysis after the project has been implemented would never have
justified the implementation of the DBMS in the first place. The situation is not due
to the fact that the concept is not implementable. The DBMS is an extremely useful
and effective tool. Special efforts necd to be put in, for the creation of a perfect data
dictionary allocating specific responsibility for data base administration. In the
absence of such a foundation, the data base system gets rocked. Users access needs

to be controlled which is achieved by granting them the privilege or by selecting
commands that they can use. As these procedures are not streamlined the increased
and important advantages of DBMS is not achieved.
Three large public limited companies were selected at random. A popular
DBMS package was introduced. While the package was ~ntroduced no precautions
have been taken about ensuring that a specific individual was designated as the data
base administrator who would take total responsibility for creating a data dictionary
and ensure that discipline associated with the implementation of D.B.M.S. package
is followed. The organisations concurred with me that they are not violating the
required disciplines associated with implementing security considerations in a
D.B.M.S. environment. The organ~sations were still struggling with problems of
deadlock and relational integrity which was of grcater concern. The data was not
getting updated in all the files which is a basic principle in a D.B.M.S. environment.
PRESENT PRACTICES
AUDIT
As in all other areas of auditing in a computerised environment, the present
day presence of the audit function is totally absent. Verifying the informati011
technology control in a data base environment does not figure in the internal
auditors audit programme of the organisation. Procedures associated with data access,
passwords system and terminal security are never audited for the senior management
of the organisation to know whether the controls are in place and effective.

SMNDARD ACCEPTED PROCEDURES
Controls
There an three main data base structures, viz hierarchical network and
relationat The figures given below represent the pictorial representation of the
structure of the different data bases. The more popular and useful data base
structure is the relational data base. Relational data base are in the structure of a
table. As mentioned earlier, relational data bases are more popular because they are
easier to set up and maintain. The data base concept seperates the data requirements
from the application requirements. Both the requirements of data and application are
a constantly evolving process. But these requirements need not necessarily be
compatible. In a data base approach integration is provided by sharing of common
data among different programs. The data elements are stored with very litt'c
redundancy. The physical file structure may not have resemblance to logical records
and files. Data base system helps in gaining flexibility by creating independent data
and application programs. A data base management system satisfies the needs of an
organisation by a shared collection of information. The data base management system
executes functions on behalf of application programs. Standard accepted procedures
in a data base management system include the following:
* Creation of a data dictionary
* Creation of a post of data base administrator
* Laying down procedures
File consistency
Avoiding deadlock
* Enor recovery and reliability

Data dictionary describes the various attniutes of data ekment. In many data
base packages, information regarding physical location of the data is also included
The other details included would be the data name, the segment on which it occurs,
the programs using the file. The main advantage of having a data dictionary is that
data is defined uniformly. Information as to what data is available and in which data
base it is located is also furnished by the data dictionary. In an active data base, data
dictionaries are updated automatically when there is a change. In a passive data
dictionary it does not happen automatically.
Data base administrator as its very name indicates is the manager of the data
base. The main responsibilities of the data base administrator are data base design,
definition and maintenance. He is also responsible for setting up policies and
procedures for back up and recovery. He determines appropriate access permissions
for users as also applications programs. Whenever any conflict arises among the
users of the data, the responsibility for resolving the conflict devolves on the data
base administrator.
Laying down procedures
It is possible that an application may be updating at more than one node.
Also it is possible that a file at one Node may be updated by more than one
application. In the absence of procedures it is very likely that data consistency will
be lost. There should be procedures to void inconsistencies. This could be done to
locate a record when it is being updated. However, if the file action is to "read only",
there is no possibility of an update and hence the record need not be located for

such purpose% Yet another method is to allow files to be updated only by
processors located at the Node where the file rests.
Deadlock
A deadlock situation arises if two or more processes bid for the same
resources in a mutually exclusive manner. In such a situation, the file may not be
released as none of the processes would be completed. This would naturally cause
an indefinite impasse. This situation is called deadlock It is necessary to ensure that
DBMS packages provided for such a situation be identified and controlled. There
should be a wellestablished machanism for the recovery of lost files and for
continuation of operations even though certain nodes are unavailable. It is necessary
to ensure that there is continuous availability of files. This can be achieved by
duplicating such of the files that are critical to system operation.
AUDITINCPROCEDURES
The auditor is to have a clear understanding of the situation, identify controls
and design proper tests.
The auditor should review existing procedures and policy manuals. He should
identify data elements which are significant from the auditing angle and determine
their relationship within the data structure.
The auditor should refer to the audit dictionary and with support from data
base administrator understand logically relationship between important data elements,

programs and transaction types. The auditor should understand the internal control
system of the DBMS package with special reference to the following :
Who can access data elements?
Who can add, change or delete?
The auditor should establish as to who are identified as authorised usen and
as to what are their capabilities.
The auditor should have a detailed discussion with the data base administrator
to gain the following information :
As to how the data base is used and what controls are employed for different
purposes?
In a data base envirorlnent absence of an individual by whatever name he is
called who performs the duties of a DBA would amount to a serious control
weakness?
The auditor's concern for access control should be under the following heads:
* Data element access
* Pass word systems
Terminal security
The auditor should ensure that programs access only such data elements which
they are authorised to access while executing their processing tasks. Unnecessary or
uncontrolled access would expose sensitive data to exposure. He should ensure that
there is a distinction between test data base and production data base.

While developing applications access may not be restricted to, but then should
be built-in mntrols to amid unauthorised access to production data base.
Password systems
Auditors should study the password system to evaluate its adequacy. Tk pass
word system should be effective and should be monitored on an on-going basis. This
involves maintenance of accurate and secure records \~f users and their associated
problems. Deletion of pass words allocated to employees who have since left service
is an important audit concern.
Terminal security
The terminal should not only be physically secure but also logically secure.
Effective terminal security standards will ensure that only authorised trans~ctions can
be entered only through authorised terminals.
Testing
An audit should test the integrity of security aspects of data bases by verifying
and how concurrent update references are handled, how the DBMS is maintained,
how the DBA functions and what are the disaster recovery and contingency
procedures thought of.
ANALYSIS AND FINDINGS
The specimen audit program questionnaire which is enclosed was utilised for
gathering information regarding audit procedures followed in a DBMS environment.

Neither the internal auditors nor the external auditors had a positive answer for any
of the questions in the specimen audit programme. The auditors were not even aware
of the name of the DBMS package being utiliscd in the organisation. The auditors
in the organisation in the sample survey were blissfully ignorant of the audit concern
in a DBMS environment, viz security and integrity.
There were no well laid out policies and procedures regarding the file
consistency, deadlock, error recovery or reliability. The documentation was
unsatisfactory. The systems are functioning in the organisation, though not
satisfactorily, only due to the dedication and integrity of a couple of members of the
staff of the data processing team. Accidental and intentional access to unauthorised
data, usage of commands associated with logical terminals were not
in order.
However, by a process of development and by trial and error procedures are being
developed.
Audit
Information was gathered from a sample of 30 auditors regarding the
procedures they adopt in organisations where End-User computing was in existence
and utilised for important areas of operation.
The auditors either internal or external were aware of the risks associated with
End-User computing environment. There was no audit being performed. The auditors
in spite of being aware that Personal Computers were installed in all the functional
departments, they were ignorant of the type of applications. The audit in that area

was totally absent Counter-checking of this fact was made with the End-users who
confirmed the same.
SUGGESTIONS
CONTROLS
Even though a data base management system package might have already
been introduced in an organiso:ion, 11 would be necessary to issue policies and
guidelines for the following aspects:
Creation of data dictionary
Duties and responsibilities of data base administrator with a specific
individual or individuals being held responsible.
File consistency
Deadlock
Enor recovery
Control over access
Password systems
Tenninal security.
AUDIT
Even though the internal auditor might not have been associated in the
earlier stages, it would be advisable to have the internal auditorlaudit depanment
review the controls to satisfy themselves that they are adequate. The present state
of knowledge of the auditors is not adequate to discharge his duty. However, lack
of knowledge would not be an excuse for not performing a duty and discharging

their responsibilities. In the circumstances, it would be necessary for the auditor to
set out the control objectives and have an independent authority (not part of the
computer department) to help them. The auditors have to satisfy themselves
regarding the data base, security and integrity. He should be able to assure himself:
Tile users can only access data that they are authorised to access on a need
to know basis.
Log on IDS and password procedures should be evaluated.
Are the concurrent updates handled properly?
Are there proper procedures for the maintenance of DBMS?

QUESTIONNAIRE FOR AUDIT PROCEDURE
Yes 1 No
Do you identify data elements that are of
particular significance to the data?
Do you find out whether there is a DBA?
Do )ou discuss with the DBA the following :
To satisfy yourself about adequacy of security -
security integrity, Have you verified ?
The segments where data of financial significance
is located.
The users who have access to identified
transactions
The specific terminals from which these
transactions can be executed
The users who have direct access to the
segments and the type of access they have
11. Have you tested the controls for its
effectiveness?
Have you reviewed the maintenance
controls for DBMS?
Have you examined the procedures to
ensure that any changes to DBMS are
appropriate and functioning as expected?
Have you checked whether logging facilities
are in place to facilitate to DBA to recover
lost or corrupted data?
Do you analyse the results of testing and
form your opinion regarding adequacy of
controls?
Have you ever presented a report to the
Management regarding audit and controls?

CONTROLS IN UNIX ENVIRONMENT
Overview
Unix operating system has developed over the last twenty years. It was
developed at BELL laboratories in Ne jersy by Ken Thomson and others. .l'homson
had just left a research project on operating systems design which implemented an
operating system called Multics-(Multiplex Information and Computing System).
After a certain time, Bell laboratories pulled out of Multics project Thomson and
D:nis Richie vaguely sketched the operating system Multics. Thomson actually
formed the system, PDP-VII Computer. He realised that the operating system did
not follow any design but seemed to just grow. It permitted the users to work in an
interactive utilisation manner which resulted in a more effective utilisation of the
resources. This operating system was called UNIX by Brian Kernigham as a pun on
the Multics name. The expansion for UNIX is UNIPLEX INFORMATION AND
COMPUTING SYSTEM-UNICS. It is reported that due to a typographical enor
it was further shortened to UNIX
Unix Operating system when originally designed had no security as it was felt
it would be an impediment to efficient production.
Thereafter there have been various editions of UNIX with many people
making modifications as it was very easy to do so. Finally in the market place, there
are many many versions, editions and variations of UNIX.

The objectives to be achieved in the further development and modification
of Unix have been :
(1) Real time operation;
(2) Parallel CPU operation and
(3) Secure operating system.
There were many major computer security violations and quite a few of them
were published This led to the Department of Defence of USA to create a set of
guidelines and categories to evaluate the systems for computer security. The criteria
for evaluation was published in "department of Defence Trusted Computer System
Evaluation Criteria". This was originally called Orange Book because of the colour
of the cover of the Publication and subsequently there have been many other capital
Department or Defence publications each with a different colour. These are known
as the Rainbow books. The categories of security are based on both hardware and
software. They have been classified as A, B, C, D -A is the highest ranking with D
being the lowest.
Orange Book defines D-rating as "that resources for these systems that have
been evaluated but have failed to meet the requirements for a higher evaluation
clause". It is reported that general manufacturers do not submit their products for
this classification which is the lowest. It is always presumed that no rating is D.
rating.

Division-C
, Discretionary protection to quote the Orange book "clauses in this Division
provide for discretionary (need to know) protection and, therefore the inclusion of
added capabilities for accountability of subjects and action they initiated.
Orange Book states as follows: "systems in this division must carry sensitivity
labels that measure data structures in the system. The system developer also
provides the security policy model on which the TCB (Trusted Computer Base) is
based and furnishes a specification of the TCB. Evidence must be provided to
demonstrate that the reference monitor concept has been implemented
Certain criteria in addition to those required for rating C and B are added.
The Orange Book states
'This division is characterised by the use of formal security vtrification
methods to assure that the mandatory and discretionary security controls employed
in the system can effectively protect the classified or other sensitive information
stored are processed by the system", extensive documentation is required to
demonstrate that the 'TCB" meets the security requirements in all aspects of design
development and implementation.

Hardly one or two computer systems have earned the A-l security
classification.
Some developers haw released certain versions of UNIX that do not have
a super user; their contention has been that all of the powen of the super-user
should not be put into one basket and it would be some hir. ,~rchical group authority
has been developed, as Mr.Derek N. Arnold has mentioned. Their powers will still
be powerful, 'abuseable and mis'useable'. Attempts have been made to have the
password file hidden and not be available to all the users.
Proprietary versions of UNIX are being marketed by different hardware
manufacturers, each one making thelr own claim. It is necessary to understand one's
system and design proper security controls. It is necessary that after such controls
are developed they should be meticulously enforced.
PROBLEM AREAS
It is a well known fact that most security violations are not from outside
sources. It is generally from users of the system who exceed their authorisation.
Security has many distinct pans. There has to be security for :
a) Hardware
b) Software
c) Data
Hardware requires to be protected from destruction, unauthorised changes
and unauthorised use. Software needs to be protected so that valuable programmes
are not destroyed. Software also needs to be protected from unauthorised changes

and use. Data - specially valuable data should be protected from destruction,
unauthorised changes and un-use.
UNIX operating system has three "Domains Security". They are:
i) Owner of the file or i'\er (U)
ii) The group that owns the fil- (G)
iii) The general public or others (0)
Each of these domains has a Unix permission set associated with it. UNIX
permits three functions of all file operations as :
i) Read permission
ii)
iii)
Write permission
Execute or search permission
The permissions and the file type are the stored "Mode" word of the initial
record. This initial record holds the attributes of the file. The permissions can be
"altered using the command called "CH MOD"--Change-MOD.
Each of the permissions has an octol value as follows:
Read permission 4
Write permission 2
Execute 1
The command Is--1 would display the permissions of a file. The first set of
"w" permission is for the owner of the file. The second set of "M" permission is
for the group that owns the file. The final set is for all other users.

Each of these domans is exclusive of the others. 'The fact that a user is part
of a group would not permit him to have all permissions that the group has got
though he may be a pan of the group. Only if as a user or owner he is permitted
he would be able to exercise his right.
It should be noted that the permissions are tested in a hierarchy. To prevent
accidental erasure of files, it is necessary to remove owner - write permission.
The implications of domain permissions
It is necessary to examine all types of operations and command and
understand the associated problems which would enable or display them. It is
necessary to protect the system against any mis- user, yet permit the legitimate user
of authorised access. It is necessary to put a great deal of effort to achieve this.
DEFAULT PERMISSIONS
Normally LJNIX creates a test with default permissions of 66-6 (I-nv-nv-nv)
and executable programmes with default permission of 7-7-7 (rwx, % rwx).
Directories are created with a default permission of 7-7-7 (drwx, rwx, rwx)
"UNMASK is a command which could alter the default permissions already used
in the creation of files. The system administrator normally sets up the "UNMASK
command in the Start up shell script.
It should be noted that the "UNMASK affects only new files and not existing
one. Thus, however, UNMASK command is specified before a copy command is

executed. The original permissions of the file will not change. Hence, it is necessary
to use CH MOD command to change the permissions of an existing file.
Under UNIX then an three special permission bits. They are:
Set User ID (SU ID)
Set Group ID (SG ID).
STICKY BIT.
There are different versions of UNIX. In some cases, the permissions are
coupled with executable programmes. This could lead to
violations.
vulnerable security
SET-USER ID (SU ID)
This permission bit is used to allow one user to temporarily take on the use1
identify of another person. This enables another user to utilise file and directory
permissions in the same manner as the original owner of the command.
This permission bit allows the user to temporarily take on the group identify
of another group. It is reported that there is a common UNIX bug which allows an
individual to become pan of any group. Hence care should be taken that the current
operating system does not have this bug.

STICKY BIT (COMPUED PROGRAMS)
The sticky bit causes a compiled program to stick in the swap area of the disc
It has the advantage of loading the program faster while there is the disadvantage
of permanently using up space in the swap area. In System V UNIX sticky bit has
been given an additional facility by which files in a public directory cannot be
removed except by the owner himself or the super user.
Audit
Information was gathered from a sample of 30 auditors regarding the
procedures they adopt in organisations where End-User computing was in L,xistence
and utilised for important areas of operation.
The auditors either internal or external were aware of the risks associated
with End-User computing environment. There was no audit being performed. The
auditors in spite of being aware that Personal Computers were installed in all the
functional departments, they were ignorant of the type of applications. The audit in
that area was totally absent. Counter-checking of this fact was made with the
End-Users who confirmed the same.
STANDARD ACCEPTED PRACTICES
System administrators should provide users with security information which will
assist them in securing their directories and files. The earlier versions of UNIX have
been having a number of security holes. Hence it is necessary to have latest versions
from vendors The management should issue policies and guidelines regarding the

procedures to be followed in a UNIX environment It should make the system
administrator responsible for assigning such guidelines with their approval. The
system administrator's functions should be considered under the following heads:
Access
Log ins
Passwords
* Loy in environment from the access
* File protection
* System monitoring
* Firmware keys
Backup and recovery
* Physical security
Access
A shell should be designed such that it will control the user access to specific
directories and commands. All shells should be. checked to identify exits.
Every log in must necessarily have a password. All log ins should be verified
at reasonably periodic intervals. Users such as consultants etc. should be identified
by a unique log in assignment. Unattended terminals should be logged off soon after
a pre-determined period of inactivity.

All log ins should have a password. All system based passwords should either
be removed or changed. System administrators should use different passwords on
systems which are ~ttached to their controls.
Super user passwords should be known only on a "need-to-know basis" and
only by the system administrator. Super user passwords should be changed frequently.
Log in environment
Home directory of a user should not be readable by others. User profile
should not be readable, writeable or executable by others.
The minimum un-mask setting for general purpose users should be set at 022.
The use of read, login should be limited to the console only.
Remote access
A default should be such to allow least privilege. UUCP system should be
defined to restrict access to remote users.
File protection
Important system directories and files should be provided with highest level
of protection. A directory should not have insecure read permissions.
Privilege commands such as Mount, FSCK, should have only restricted use.

System monitoring
System should be monitored for unauthorised LOGINS or LOGINS with no
passwords. System like files which contain information about system activity need to
he reviewed periodically. Other than the owner of LOGFILE nobody else should
have ,;ad and write capabilities.
The "Find" "S.FindU or "N.CheckU command
should be executed daily to
ensure that all 'UTD' and 'GID' programs are protected adequately.
A system log should be recording of sensitive commands for review and
monitoring of unusual activity. There should be documentation of all system updates
and such updates should be compared with authorisations.
Firmwear keys - (3-B-2 Computer family)
Many 3-B-
2 computers, it is reported, were given the same firmwear
password at the factory as acceu to the computer is through the computer firmwear.
The firmwear should be changed soon after installation. The firmwear password
facilities change of Roots password.
Back-up and recovery
Like all other systems, but more particularly in an organisation with UNIX
operating system back up and recovery procedures are very important. They should
be well- documented; applications should be prioritised and offsite storage should
be adequate.

ANALYSIS AND FINDINGS
AUDIT
Auditors both external and internal of the organisations which had the
operating system UNIX were blissfully ignorant of the special features of the
operating SYSTEM. They were not aware in most cases of the concept of operating
system, let alone the UNIX operating system. Hence there was no awareness of the
controls and weaknesses associated with the operating system UNIX
Controls from the organisations' point of view
There were no security policies or guidelines issued either by the
Management or the Data Processing Department. There was no identifi~ation of
any individual specifically as the Security Administrator.
The US Department of Defence had issued through the National Computer
Security Centre six key regulations for security as follows :
i. The system must enforce a precise and explicit security policy
ii.
iii.
iv.
Every object associated with that policy must be marked with an Access
Control Label.
Individual users must be identified.
The system must maintain a protected audit control of action relating to
security.
v. The system must be open to independent security evaluation.
vi.
The system must be permanently protected against re-configuration from any
other method of alteration.

In practice atleast four out of the six factors were absent in all the cases. In
many organisations the logging in "USR/ADM/LOG IN LOG is not turned on with
the result the facility for monitoring unauthorised logging attempts is disabled
In a UNIX system the "root" is most important and all powerful. Only the
super user should normally have this privilege as the facility will enable bypassing of
all security controls. No special efforts have been put in for deciding on the access
privileges of read, write and execute for the owner group or other users. Only in a
few cases, the facility of "UNMASK' has been used.
The commands of SET UID and SET GID in a UNIX operating system
allows normal users to access restricted files. This is done on a temporary basis for
a specific purpose. These commands are not strictly controlled. Absence or violation
of security having taken place is primarily due to lack of knowledge on the part of
dishonest staff. The Security has been maintained due to the loyalty of the concerned
staff. There was a reported case of a member of staff accessing unauthorised
information for use by union members. A casual examination of the console log
revealed this incident Corrective and preventive action was taken thereafter.
"UNIX SECURITr"' as has been said several times is a contradiction in terms,
unless special efforts are taken to build security shell. Great deal of efforts are being
put in on a "crisis management basis" by the more responsible staff of the data
processing department. Neither the senior management nor the auditors are aware
of the implications of having a UNIX operating system with appropriate controls.

Though subsequent versions of UNIX have been made available,
organisations which had implemented UNIX with earlier versions with great diEticulty
have not been able to implement the latest version in view of having to make fast
changes in the running programs with the already a great detail of backlog for
taking up new applications. In many of the organisations masking has not been
properly implemented. The users were totally unaware of the exposure that their
sensitive files were facing. There have been reported instances when unauthorised
access has been easily available to files to which there should have been no access
specially in a multi user environment the situation has been very volatile with no
controls to access on a "need to know basis".
SUGGESTIONS
It is often said that UNIX security is a contradiction in terms. From the
organisation's point of view
- All other passwords should be changed periodically without fail
- Access to file should not be permitted without owner's permission
- Depending upon the particular version of UNIX, the following should
be included:
Unmask 007
to the file.
This will ensure only the file owner will have read, write and execute access
A network file system (NFS): In most cases it is installed without any security
features being enabled. As NFS enables several UNIX hosts to share files on the

network and if NFS is installed without adequate security features in any UNIX host
can access the network and through the network any of the files. The best method
to avoid such a situation would be that for each file listed in/etc.lexperts, it is
necessary to use the option access-keyword. The keyword should contain the list of
hosts that may access the particular file. It is necessary that all files should have a
pre-determined list of hosts that may access it. The organisation should issue policy
and guidelines for protection of information.
From the auditing point of view
For an auditor to perform an effective audit in a UNIX operating system, it
is necessaly for him to be UNIX literate. A few basic steps that the auditor should
perform while auditing in a UNIX environment would be :
- Find out which version of the UNIX operating system is in use
- Make out a list of the known loopholes in the particular version
- Check whether the procedures to plug loopholes have been followed
and implemented.
- Check whether the default setting of the UNIX which permits Read
and Execute access by all users has been changed to facilitate access
to the file by the owner only.
- Test whether controls and procedures which are supposed to be in use
are really in existence.
- Report to management on the state of the controls as existing, the
loopholes if any and the possible impact of the weaknesses on the
organisation and suggest remedial measures for implementation.

CHAPTER VII
DISASTER RECOVERY PLANNING
Most organisations who have computerised their operations are no longer
mere users of computers. They have become dependent on it and the failure of the
computer operation would result in business interruption. It is always generally
believed that catastrophies and disasters will affect other enterprises and not us!
There are any number of instances where unanticipated crmtingencies have
occurred and businesses have got interrupted. The importance of disaster recovery
plan and contingency plannin~ can never be over-emphasised. To take the example
nearer home, in February 1994, the Reserve Bank of India's National Clearing Centre
at Nariman Point had a breakdown of the computer system. The press report stated
that "according to sources, the breakdm in IBM's micm-processing-stated to be
major in nature, was reported on Wednesday afternoon and necessitated a total
shutdown of the sophisticated system. Since the system cannot be said to be set right
tiIl Thursday, Banks all over Bombay were advkd against sending more cheques for
Clearing of cheques of more than Rs.1500 crores came to a standstill following
a two-day old breakdown in the computer system. Oral requests were made to
representatives of various banks in the city arriving with bundles of more than
10,00000 of cheques to take them back but without setting any reason for the same,

mystifying the banking circk in the city. It was reported that a team of engineers
were being flown from Calcutta. Till Friday evening, no progress was made other
than detecting thc fault While other matters of detail are of no relevance, it is of
significance to note that even an institution like Reserve Bank of India had no
disaster recovery planning!
Whether a disaster is natural such as earth- quake or a humcane or unnatural
event such as an electrical overloading sparking a fire or normally anticipated
situations of failure of hardware or failure of environmental support services.
Management of those who have the responsibility for processing information on
computers should have a well-tested plan for meeting such emergencies.
PROBLEM AREAS
The information technology at tremendous pace and the awareness of the
advantages of utilising information technology for decision making purpose, apart
from obtaining information from vast volume of data, all organisations have gone in
for computerisation of different types. This has made organisations dependent on
computers with the result, that such organisations would be handicapped in some way
or the other, should a disaster occur.
In our country also the job opportunities and career possibilities in the
information technology is occuring so rapidly with the result, turnover of personnel
has become more a rule than an exception.
A study of the present scenario in general rebeak that white oqpukhm ltad
realised that disasters can occur, there is a certain sense of complacency, arising out

of the illusion that calamities will strike only their neighbours. The documentation
standards for systems and programmes an generally incomplete if not outdated. With
the documentation standards, being unsatisfactory and the peronnel turnover factor
being high, organisations do face problems. It is due to a few dedicated old hands
that the systems are running. Added to this common problem, there is no attempt
made to plan for a contingency. There are no studies made as to how long an
crganisation can continue without a computer before business interruption occurs.
Should the problem persist longer than organisations can withstand, what are the
arrangements to be made. There have been no attempts made to prioritise critical
applications. The utmost recovery plan that is in existence is copies of most of the
programmes are made and that too stored in a separate cupboard. The cupboard is
mostly in the same computer room and sometimes with the manager of the
department in his cabin which is located in the same building, if not in the same
floor.
Uninterrupted power supply systems (UPS) are in existence. Fire extinguishers
are fixed in different locations of the computer room. Pitifully there is no continuous
training given to personnel in fire-f%hting. Internal auditors do not even consider it
as part of their duty to see whether the fire eximpishen have been refilled.
The basic precautian of ensuring that inflammable material is not stored mar
or around the computer room is not observed Thermacole boxes or thermocole
material which arrive as packing material for the hardware and $oftware is stored in
the computer room itself if not in the computer library. Computer rooms in many
instances do not have amiakrised air-conditioning. The same airemditioning ducts
run through the building as also the computer room in many instances. While open

fire may not exist in the computer room, burning of camphor on Friday evenings in
different parts of the offices is not an uncommon situation.
For convenience the computer division in many instances is situated in the
ground floor. While precautions are taken that water does not flow through the drain
pipes and water culverts, the possibility of water inundating the computer room from
clogged culverts of neighbouring organisations during rainy season is not taken care
of.
The necessity for having a documented plan for disaster recovery is not
appreciated, as spending effort and time "on an unlikely event" seems in their opinion
futile.
The concept of insurance cover in a computerised environment as it exists now
is to pmvide an insurance cover to the extent of the cost of the hardware purchased.
In some instances, if expensive software has been purchased that cost also is included.
However, the total cover for insurance in the eventuality of
i) Program being lost
ii) Program data being corrupted
iii) Fraud occuring due to failure of software
iv) Connected costs of restructuring data files
v) Loss of bllsiness due to nnn-functioning of the computer whether due to
hardware or software fault
Amongst other disaster due importance should be given also to the impact of an
attack from virus, specially in a PC environment or a net-worked environment. There
is a great vulnerability to attacks from virus. While there is knowledge about the

existence of virus, steps necessary to prevent attacks from viruses is not adequate.
Instances are many when some steps are taken after an attack of virus. While the
systems department does take some steps though not adequate to prevent viruses
auditors are totally ignorant in their knowledge of viruses, its impact of attack of virus
on computer information and programmes and steps to be taken as a precautionary
measure.
In the data collected, on the assurance that anonimity will be obtained. The
following information was available.
In one of the large public limited organisations which had offices all over
India, the computer room was flooded with water due to overflowing of the drainage
in the neighbouring building due to rain. The water level under the false flooring was
namely 5 to 6 inches. The organisation bailed out the water with mugs and buckets.
As already the computer installation was down for three days soon after the bailing
out of the water was completed, the current was switched on wanting to use the
computer henceforth. There was a short circuit due to the dampness and there was
damage to the hardware and of the programs which was on the hard disk The
organisation struggled for a week to ten days recreating software and negotiating with
hardware suppliers for repfacement.
In one of the leading foreign banks in Mount Road, Madras certain modems
and about 40 terminals were burnt out due to lightning striking one of the cables
running through the open yard of the bank It is needless to mention the crisis that
the bank had to manage.
In another organisation data used to be entered into the floppy at the flock
free and sent for processing to the head office 25 kms away. Several days data was

lost as the data was being transported without adequate protection in ordinary card
board boxes in an auto rickshaw which had the motor on the reverse. The magnetic
field created by the motor erased all the data which was realised only much later.
In yet another organisation which prided over the fact that it has got back up
for all its programs and files, the entire operation was paralised for more than two
months. This was due to the fact the sudden rains inundated the computer room
which also used the duplicate copies of the programs and files!
In another organisation due to uncontrolled and unexpected power supply
problems the disk was scratched. The organisation immediately unloaded the disk
opening the duplicate copy of the programs and files. The source of the problem not
having been set right the disk which contained the duplicate copy was also scratched
Loss of files due to attack of virus were very many. In most of the cases where
disaster strike, there was no recovery plan. The problems and crisis were only
discussed in private as organisations felt that there will be loss of image. It was
officially reported.
STANDARD ACCEFED PROCEDURES
When a disaster occurs, an organisation which is well equipped to face it is
able to resume normal operations by following a pre-determined recovery strategy.
It is interesting to recall the California Federal when a disastrous earthquake struck
California. Internal Auditor, Mr. John G. Burch, in his article Disaster Recovery Plan
on moral and professional responsibility describes the experience "CALFEDERAL".
Therewas no time for installation to have a graceful degradation, the system is

eported to have gonedown inelegantly; they were taken totally by surprise. It is
reported that CAL FEDERAL employees under the direction of Senior Vice
President of Computing & Communications of CAL FEDERAL were able to activate
the Contingency Plan within one hour after 29 hour non-stop recovely work;
everything was back to normal. Soon thereafter there was a second earthquake; the
contingency plan had included a "HOT SITE". Hot site is a back facility which is a
computer installation which is fully equipped and is more or less a duplicate of the
existing installation. CAL FEDERAL after its second disaster recovery plan
recovered in nine hours. It is reported that the Vice-President stated that a lot of
data processing Managers, thought it won't happen to them, but I was not singled out
by God; It is a moral responsibility to have a plan.
Yet another reported case is of a Computer Centre which survived in 1992
Los Angles riots due to the existence of an effective disastcr recovery plan. Riots had
started in Los Angles; there was extensive looting and fires were widespread. It is
reported that.. the data processing centre survived the emergency unscathed".
(a)
(b)
Analysing the reasons for a successful SUMV~~
of the Datacentre:
Data Processing M re bad plan for emergencies
Had a comprehensive and well documented contingency plan to be used in the
course of a major earthquake, as after all earthquake war another hlpe of
emergency. This contingency plan worked out even in this type of emergency.
The plan even included stockingUearthquake bags" which contained food and
ohr essentials for the employees".
(c) The computer site had effective security. The fust two fbBl% !m and
it had no public lobby. No casual visitors were allowed entry into the building.

Linda Larsens concludes that the Los Angles Data Processing Centre survived
a major urban riot because they were well prepared for an emergency.
As against the above two instances, an example nearer home highlights a
situation within our country. The Reserve Bank of India's National Clearing Centre
at Nariman Point, Bombay had a breakdown of their computer for four to five days.
The system could not be set right and several la!& cheques worth several crores
remained stagnant. Instructions were given to bankers to prepare themselves for
manual clearing as the "Clearing system was malfunctioning". It is not always that a
disaster occurs but one should be prepared for the same with an effective disaster
recovery and contingency plan. There should be standard policies and procedures
issued by the Management covering the following aspects:
i. Contingency Planning Process
ii. Risk analysis
iii. Strategy for contingency planning
iv. Documentation
v. Testing
vi Risks and controls
vii Audit consideratioas
Tbe need for Management's awarw for a contingency plan should and is
arising out of the follawing factors:
i) Information is a valuable asset of the organisation
ii) Unlike previously computers are spread all over the organisation.
iii) Organisations arc depending upon amputen and not men usen.
(iv) Computers capability to contribute to decision-making process

CONTINGENCY PLANNING PROCESS
As the adage "Prevention is better than cure" goes, it is better to have
preventive measures to avoid a disaster rather than struglling after a disaster to bring
normalcy. The preventive steps may be classified under the fcllowing three heads.
(a)
@)
(c)
Organisation
User involvement
Administrative procedures
(a)
Organisation
The most important step is to have a team which has:
(a)
@)
(c)
Centralised responsibility
Adequate visibility
Appropriate authority
It is necessary that there should be one leader who is the primary responsible
authority for coordinating and maintaining the contingency plan. It is essential that
all the departments in the organisation are made aware of the fact that the
organisation is intending to develop a contingency plan. As the users and
thedepartments are made awarefor the need to have a contingency plan, awareness
for potential risks is spread. As the project leader has to liaise with the different
departments, senior management should vest the project leader with appropriate
authority and communicate the same to others in the organisation.

(b)
User involvement
Users should be closely associated with the development of contingency plan.
They should be involved in assessing the risk resulting from a disruption as users arc
the best judges and they would be able to assess the associated risks better. The
useful functions that the users wuld perfom would be
(i)
Make analysis
The users should evaluate the impact of the failure of computer systems on
their business function. They should make a fair assessment of their time when they
can manage without computer processing. Users must be closely associated in the
process of identifying and prioritising critical applications.
Users and the system staff need to work very closely to decide on procedures
in the case of a computer breakdown and also the procedures which need to be
adopted to get back to the computer systems.
Administration
As already mentioned one penon should be selected as the leader; his
responsibility should include developing a planning methodology, develop plans to
implement the policy especially an organisational structure, training the staff,
reviewing the process and reporting to the management, maintain the plan,
CO-ordinate the others involved in deciding the plan. A planning methodolog should
be used to ensure quality, security, consistency, comprehensiveness and
maintainability".

Risk Analysis
It is extremely important to identify and prioritise critical applications. The
applications which need to be restored and the order in which they need to be
restored should be settled.
The factors which contribute to the criticality of the applications a n need to
be studied carefull).
facility.
The next step would be to evaluate the threat of disaster to the computer
ANALYSIS AND FINDINGS
A sample survey of 30 organisations was conducted. The questionnaire utilised
for this purpose is enclosed. (Table 8.1) The response irom all the 30 organisations
was analysed. The information was personally gathered by me from the organisations.
In addition, had a discussion with the five leading firms of auditors to ascertain the
audit procedures followed in connection with the Disaster Recovery Plan of their
clients' organisations which were extensively using computers for preparation of
management information as also financial statements for audit certification (Table
8.2) The hdqs as gathered from the sample of organisations surveyed are as
follows:-
(i)
(ii)
There were no standard policies or guidelines for the organisation regarding
contingency plan or DRP.
None of the organisations hadanyremote safe backgronnd storage vault for
storing the programs systems, documentation or important data.

(iii)
None of the organisations had an insurancy policy whichcoveredanything
other than the cost of the hardware.
(iv) None of the organisations had applied their mind regarding the legal
responsibility that may arise for non-performance should a disaster strike the
organisation. In the absence of any DRP or policies or procedures provided
by the management, there was no documentation for DRP.
(v) All the organisations had copies of the programs backed up. However, these
programs were not stored in most of the cases in a remote place away from
the computer installation.
(vi) In most of the cases, the computer programs and critical data were copied
and stored in the systems manager'scabin which was part of the computer
department.
(vii) In most cases it was also found that thermocole packings and card board
boxes which were arrived with peripherals or computer stationary were
stacked near or around the computer installation without the least awareness
that these being combustible material should never be stacked near the
computer installation.
(viii) There were no documented evidence regarding key personnelto be contacted
in case of a disaster.
Informal discussions provided the information that the organisations did have
situations when disasters did strike them in the following areas:-
* Disk crash
* Virus attack
* Water leakage
* Hardware failure

Software getting conupted.
In all the above situations, the organisations did have problems and they
resorted to a "Crisis Management". Strangely this had not resulted in any permanent
action being taken by way of formalising the DRP and contingency plan.
Apan from these findings, survey results of Messrs Coopers Lybrand are enclosed.
(Table ) These findings are no reported cases in our country. There are no reported
cases as yet of loss incurred due to disasters striking the organisations. However, it
should be noted that there were blasts in Delhi, big fire in multi- storeyed building
which affected amongst other organisations Bharat Heavy Electricals Limited,
earthquake in Bombay and bomb blast in Bombay which affected any number of
organisations and the11 computer operations. In Madras, lightning struck a multi
national company which affected more than forty terminals. More recently hardware
problems in the Reserve Bank of India clearing House operations is a case in point.
AUDIT
The discussions with the auditors revealed that their areas of operation and
activity did not include evaluating the adequacy of a DRP.. This has been confirmed
also by an the 30 organisations which were included in the survey. The auditors have
been ignorant of the need to review the adequacy of a DRP. The auditors while they
are aware that they need to value aU the assets and certify their existence, somehow
as yet have not realised the value of information and computer support for their
organisations.

SUGGESTIONS FROM TEE POINT OF VIEW OF TEE ORGANISATIONS
The organisation should realise that contingency planning for information
systems is an important element of internal control to ensure computer data and
resources would be available in case there is dismption of any nature to computer
operations. Contingency planning is an important management planning. The
contingency planning process should include the following :
Contingency planning
* The plan should ensure the continuity of the organisation's operations.
* Should minimise recovery times
Must support the Business Recovery Plan
* Fulfill legal obligations
Risk analysis
This involves identification of exposures and threats that the organisations may
be exposed. Hurricanes, earthquakes, bomb blasts in our own country are no longer
an unlikely probability. These aspects need to be provided for.
Critical applications need to be identified by evaluating its impact on the
organisations from the point of view of
(a)
(b)
(c)
Legal obligations
Interruption to senice to customers
Potential loss of revenue

Assess insurance cover
Insurance cover should not just be only for the cost of hardware. The
exposures that the computer organisations is likely to have needs to be studied and
covered.
Documenting the plan
It is unanimously accepted that the success of a contingency plan depends to
a great extent on the quality of documentation. The documentation should clearly
have the following:-
(i)
(ii)
The names and contact addresses of the main members of the recovery team
The details of recovery plan.
These plans should include the specific activities that need to be met~culously
performed to minimise recovery time loss from disruption. List of important files that
need to be restored to continue processing and procedures for recovering those files
from back up tapes and disks.
It is not uncommon to have problems on pay rol or dividend warrant runs at
the most critical period It would be advisable for such critical applications to have
even hard copies nf impartant data
The details of all equipment that would be needed to fully rebuild and
reprocess needs to be inventories.

Forms and supplies
The contingency plans should have full details regarding specific forms that
would be needed to continue critical applications.
Ewemple : Pay slips, dividend warrants, invoice forms, contract forms etc The
importance of contingency plan lies in its periodic testing. It is necessary that the plan
should be tested. However, it should be realised that unless the plan 1s fool-proof,
testing of the plan may result in the disaster itself. Maintaining a contingency plan is
an on-going process. It should be continually maintained, tested, evaluated and
updated.
Review of insurance coverage
The insurance coverage should be adequate and upto date. The more
important aspects for which the insurance should have cover would be
(i)
(ii)
(iii)
(iv)
Cost of equipment whether purchased or leased
Coverage for mechanical and electrical breakdowns which may result in loss
of data or programs
Coverage for fraudulent or dishonest acts of employees
Cawrage for loss of data and software
The policy should preferably cover the equipment at its replacement cost. It
would be advisable also to provide for coverage for the following :
(i)
(ii)
(iii)
Loss of documents
Cost of reproducing data
Injuries of personnel

AUDIT
The auditor should necessarily verify whether there is contingency or a DRP.
If there is a DRP, he should bring with the contents to ensure that the standard
accepted contents as discussed under documentation are all included. The auditor
should pay special attention to the following aspects :
(i) Accuracy
While the plan may be in existence as to how accurate it is needs to be
verified.
(ii) Currency
It is extremely important that the contingency plan is current as an out dated
plan is no plan.
(iii)
Testing
It would be advisable for an auditor to test a plan. It would be more effective
if it is combined with a scheduled testing of the organisations. This would give him
an opportunity to personally evaluate the effectiveness of the plan. In the absence of
testing a thorough walk- through of the important aspects of the test plan would be
adequate.
AUDIT OF DISASTER RECOVERY PLAN
More organisations have ceased to be mere users of audit processing facilities.
The appreciation of changes of Information Technology has been so great that most

organisations are dependent upon computerised information. They are no longer
mere users.
In view of dependence and reliance on computers and computer information
it is not unlikely that should disaster strike the computer, the organisations may run
around. Information is an asset and it requires to be safeguarded. Computer
installations may be struck by disaster - human or by an act of God. The human
element may be by way of intentional or un-intentional corruption of data and
programs, fraud, sabotage etc. Fire, fraud, earthquake, lightning are other situations
which affect the computer operations and disable it totally or partly. It is the
responsibility of the auditor to verify the adequacy of the disaster recovey plan. He
should ensure that there is a written documented plan which lays down the various
procedures which would enable the organisation to recover from the disaster within
a critical time-frame.
Eg. Reserve Bank of India incident, earthquake at California.
It is necessary for the auditor to be aware of what are the ingredients of DRP
or a contingency plan with specific reference to the particular environment he is
auditing. Being aware, he is expected to evaluate the adequacy or otherwise and give
a report on the same.

TABLE 73
DISASI'ER RECOVERY PLAN
1. Are standards, policies and guidelines regarding the contingency plan or DRP
available? If so, are they adequate?
( ) Yes - adequate and upto date
( ) Yes - Reasonably adequate and upto date but need improvement
( ) No - Not available.
2. Have you checked whether the organisation has a remote, safe documents
storage vault and valuable documents stored in the same?
( ) Yes - verified and found to be in order
( ) Yes - the vault does not have a latest and important documents.
( ) No - No such check made.
3. Have you checked whether there is an insurance policy to cover the computer
hardware and software?
( ) Yes - checked the policy. It covers both
( ) Yes - only the hardware
( )No
4. Have you checked from the angle of legal responsibility to ensure that the
vital documents are handled satisfactorily and retained for sufficient time?
( ) Yes - checked with the legal department
( ) Yes - from my judgment
( )No
5. Have you checked the existence of any contingency plan? Is it
well-documented?
( ) Yes - well documented
( ) Yes - discussed with EDP staff
( )No

CHArnR VIII
AUDIT APPROACH
Ovemew
Approach to audit in a computerised environment, as already mentioned, is
different from the approach in a manual system. While specific controls and audit
concerns are associated with each computerised environment, there is a general
approach recommended for a computerised environment. In this chapter, that aspect
is discussed.
The examination upon which the report of attestation is based is known as
Audit. The individual doing such work is usually referred to as auditor. An auditor
may be an internal auditor or an external auditor. The internal auditor is appointed
by the Management and he reports to them. External auditor or a statutory auditor
in companies is appointed by the shareholders, at the annual general meeting and
under the Campany Law. The auditor gives his report under the statute to the
shareholders.
'The Statement of responsibilities of the Internal Auditors" was issued by the
Institute of Internal Auditors originally in 1947. Subsequently in 1978, "Standards for
the professional practice of internal auditing" was issued.
The main points covered were:
' Independence
* Professional proficiency

* Scope of work
* Performance of audit work
* Management of the Internal Audit Departments.
The more important aspects under this head are as follows :
Independence
Internal auditors should be independent of the activities they audit.
Objectivity
Internal auditors should be objective in performing audits.
The internal auditing department's Knowledge, skills and disciplines -The
internal auditing department should possess or should obtain the knowledge, skills
and disciplines needed to cany out its audit responsibilities.
The internal auditing department should provide assurance that internal audits
are properly supenised.

The Internal auditor
Continuing Education
Internal auditors should maintain their technical competence through
continuing education.
Due professional cart
audits.
Internal auditors should exercise due professional care in performing internal
Reliability and integrity of information
Internal auditors shoulu review the reliability and integrity of financial and
operating information and the means used to identify measure classify and repon
such information.
Compliance with policies, plans, procedures, laws and regulations: Internal
auditors should review the systems established to ensure compliance with those
policies, plans, procedures, laws and regulations which could haw a significant impact
on operations and reports and should determine whether the organisation is in
compliance.
Safeguarding of assets
Internal auditors should review tht means of safeguarding assets and as
appropriate verify the existence of such assets.

Examining and evaluating information
Internal auditors should collect, analyse, interpret and document inionnation
to support audit results.
Quality assurance
The director of internal auditing should establish and maintain a quality
assurance program to evaluate the operations of the internal auditing department.
The internal audit department provides assistance to Management by analysing
and reporting on the activities reviewed by them. Internal auditors can be concerned
with any phase of the business activity oi the organisation. Information systems is an
important activity of the organisation which also forms the basis for accounting and
financial statement. So to attain the objective of rendering assistance to management
in the effective discharge of the responsibilities, auditors activities will include the
following :
- Reviewing and evaluating the soundness, adequacy of controls
associated with accounting, finance and
other activities satismg
himself regarding the extent of compliance with established policies and
procedures.
- Evaluating reliability of management data and information developed,
reviewing information systems, record and process financial data.
The auditing standards pronounced by the professional bodies are discussed
in greater detail in the Chapter on Auditing Standards. SAS No.47 addresses audit
risk. Audit risk is defined at the financial statement level as "the risk that the auditor

may unknowingly fail to appropriately modify his opinion on financial statements that
are materially rnis-stated".
The risk that material error exists is divided into:
(i)
(ii)
Inherent risk and
Control risk
The components of audit risk could be described as follows :
OVERALL AUDIT RISK
+,
Risk that balance of account
About Detection
The inherent risk could be identified with a knowledge of the business and an
understanding of its transactions.
Internal control risk
The internal control risk is assessed when the internal auditor by establishing
the effectiveness of the control system. The basic objective of any internal accounting
control system is to provide assurance that all transactions are complete and accurate.

In a computerised environment, the auditor needs to review and evaluate the
associated internal control systems to determine whether adequate controls exist to
assure the auditor that all transactions are processed correctly and completeiy.
It is in this background when an auditor is performing his duty in a
computerised environment, unless he is aware of acceptable standards for controls
associated with a particular computerised environment, he would not be able to
evaluate its adequacy. Consequently his assuring himself that all transactions are
processed correctly and completely does not arise.
In large organisations auditors are permitted to rely on the internal auditors
opinion under certain circumstances. In addition they have their own responsibility
as they are certifying the correctness of financial statements which themselves are
prepared on the computer. It will thus be observed that an auditor, whether he be
internal or external, he should be knowledgeable about specific controls. Specific
controls would be different depending upon the specific computerised environment.
The objectives of the audit in a computerised environment are only the same.
However, in a computerised environment in new of the internal controls being
different, the audit mechanism for evaluating such controls has to be different too.
PROBLEM AREAS
All organisations - small and big - have computerised their accounting system.
Larger organisations are having sophisticated management information systems. The
technological developments have been growing very fast. Auditing skills have
remained stagnant. The internal auditors do not have in their team any staff member

who possess the necessary skills and knowledge to audit in a computerised
environment The position regarding external auditors who are big firms of long
standing and who have amongst their clients large organisations with very high
turnover are also not having necessary skills and knowledge to perform an effective
audit
The present practices adopted by the auditors is limited to extensive checking
of hard copies of computer statements. While extensive checking of the contents of
the computer statements is undertaken, no attempts are being made to satisfy
themselves about the basic correctness and completeness of the Statements. In a
computerised environment auditing is generally divided into three categories:
i. Aud~ting around the computer
ii.
iii.
Auditing through the computer
Auditing with the computer
i. Auditing around the computer could be resorted to when the computer could
be dealt with like a Black Box and the print outs are exhaustive and
comprehensive so that every input transactions can be traced to an output
document.
ii.
iii.
Auditing through the computer is a situation when computer cannot be
treated as a Black Box. Transactions are sometimes visible and sometimes
invisible. The audit trail itself becomes a bit more complex. In such situations,
the program logic should be tested.
In auditing with the computer, auditors' skills and knowledge are so high that
he takes advantage of the capabilities of a computer and uses his own
program or a software to evaluate the correctness and the completeness of

computer statements In the present day computer technology has developed
to such an extent that it would be most appropriate for an auditor to perform
an audit with the computer. However, the methodology adopted by all the
auditors without exception is to adopt the approach of auditing around the
computer while the situation demands an auditing with the computer. The
auditors are not performing any of the functions.
i. Understanding the computer system i.e. to know thetype of hardware and
softwareused andthe operating system used.
ii.
iii.
A list of applications
Studying the system flow-charts.
Verifying whether there is adequate documentation for programs, whether
there are any formal procedures documented for changes and programs,
understanding the built-in controls as also the compensating controls for each of the
applications, testing the programs and other procedures to evaluate the existence and
adequacy of controls, disaster recovery plan, reporting to the management regarding
their opinion on the audit performed.
In the absence of awareness of the management regarding the necessity to
have an audit of the computerised environment, they do not have the internal audit
to perform audit of the computerised environment
In the absence of official statements from the professional bodies, external
auditors are not performing the audit of the computerised environment.

There are reported and unreported cases of frauds occuring in a computerised
environment.
Due to lack of knowledge, competence and skills and also as so far neither the
Management nor the auditor has been sued by a third party for dereliction of duty
for not evaluating the controls in a computerised environment the present outdated
practices and methods of auditing are continuing in a sophisticated environment of
using the latest information technology.
Lack of awareness of the risks and vulnerablities associated with
computerisation generally and specifically with certain environments was apparent in
very many examples. Infalliability of the computer is confused with the notion that
all computer output will be error free and complete and correct and so no questions
need be asked.
There have been instances when the accountants within the company with the
cooperation of the computer staff have been able to produce computer pring outs to
suit the audit requirements and auditon of the particular concern certified the
accounts based on such statements in the finn belief that they have checked
"computer outputs".
In another organisation while there was supposedly a cnntrol on the total
entries to be passed undder each category there was no creation of a suspense file
for entries which were rejected. Letters were written to the concerned departments
with a copy to internal audit regarding the entries rejected. It was a shocking
revelation to note that the matter ended there. In the same organisation the

vulnerability was exploited by collusion between a staff member of the computer
department incharge of control totals and a clerk is one of the outstation depots. A
cash entry was passed, supposeedly, to support a deposit in the ban of the depot.
Bank reconciliations done six months later, did not help to reveal the intermediary
frauds. Even the internal auditors as also the external auditors were totally unaware
of the goings on. Neither of them had any knowledge of the approach to audit when
the accounts are computtrised.
In another organisation preparation of invoices were computerised with the
built in control to reject such records which did not comply with the control
supposedly built into the program regrdign type of product, sales tax classification,
excise duty classification etc. Surprisingly the computer system staff had built the logic
that once the record was rejected, the rejected records would be rectified by the user
department and fed into the comuter and hence it would be waste of computer
efficiency to check again ! This led to a situation when if a computer record had to
bypass the supposedly built in controls they must have it rejected initially. In a
discussion on controls, with Finance Controller this point was brought out when the
Financial Controller was surprised of the loophole in the control. He hastened to
have it corrected. Again, however, neight the internal auditors nor external auditors
were aware of this situation.
In yet another organisation while preparing stock valuation reports on the
computer, the wrong master file regarding the market value was loaded which was
compared with correct master file of costs. The logic of comparing the cost or market
value whichever is lower was no doubt correctly applied. But the stock valuation was
wrong as wrong market file was loaded.

STANDARD ACCEPTED PRACTICES
The objective of an audit is to evaluate the adequacy or othenvisc of the
internal controls and to report on the same. The objective of an audit does not
change irrespective whether the environment is manual or computerised. The method
of satisfying onself with controls that need to exist do exist and they are adequate,
however change when the environment changes from the manual.
In a computerised environment different situations may arise:
(a)
(b)
(c)
While the data originates from the user department, the recording and
processing of the same takes place in a separate department, normally called
the data procesting department.
The user departments may be provided with terminals, either intelligent or
dumb. AIl these terminals are net-worked and a file server or two is
maintained in a separate department under the control of a separate manager.
A Database Management System might have been introduced adding yet
another complexity to a local area network.
Whatever may be the method that is adopted, there are certain changes which
have taken place as distinct from the manual system:
i. Transactions are not always visible
ii.
iii.
The input for certain computer runs or the output of certain other computer
with the result intermediary results may not be always available in a hard
COPY.
With each type of computerisation, there are certaincontrols associated with
them to ensure accuracy, completeness, integrity and security of the system.

In view of the above the auditor necessarily will have to be knowledgeable
about the relevant controls that are applicable to a specific computeriscd
environment so that he is in a position to evaluate the adequacy or otherwise of the
same. He would thus be able to give a comprehensive report about his opinion of the
internal controls, in the information system which is being used by the
organisation.The auditor, either internal or external, is expected to report either to
the management or to the shareholders as the case may be, about he being satisfied
or otherwise about the adequacy of the controls. In the case of adequacy, he should
be in a position to quantify the consequences or the magnitude of such a weakness.
To achieve the above mentioned objectives, the auditor should adopt the proper
approach, as mentioned by William E.Perry.'
STEP 1
The initial step that the auditor should take would be to scope the
environment, primarily to understand the environment in which the computer
applications run and also to assess the audit scope and decide on the areas in which
the audit will bc conducted. Scoping helps the auditor to collect adequate background
information to perform an effective audit function. The various tasks that the auditor
would be required to perform are:
(a) Understand the audit objective
(b) Define the scopeofthe assignment to obtain necessary background
information.
I
William E.Perry Auditing Information Systems A step by step audit approach
EDP Auditors Foundation Audit Guide Series.

given blow:
The above tasks may be effectively performed by following the procedures
l%e audit objective should be very clearly stated giving no room for any
ambiguity. The scope of the assignment may be constrained as mentioned by William
EPerry, by four Ts-vk Time, Talent, Tools and Travel. As is obvious, if the time is
inadequate and the effort of travel is more than reasonable, the scope cannot
necessarily be extensive. In addition, if the concerned staff do not have the necessary
talent or though the staff may have the talent, if the necessary tools in the form of
the software packages or utilities are not available or usable at the computer
installation, the auditor would be constrained. This would be a contributoly factor for
deciding on the scope of the assignment.
The auditor should necessarily obtain the background information; this would
enable him to put the objective of the audit in the proper perspective. The auditor
should meet the concerned key personnel in the computer department as also the
user's department, he should acquire some knowledge if he does not already possess,
so as to enable him to assess the possibility of any potential problems. The auditor
should prepare suitable questionnaire which, when completed, would give him
necessary information about the auditee being evaluated as also the computerised
environment
STEP 2
Understand the Information System
An information system would generally have the following ingredients: (a)
Manual process; (b) Basic documenu; (c) Computer processing; (d) Computer files

held in either in the hard disdfloppies, various inputs and outputs; the auditor must
first obtain a overview of the information system by concentrating on the system
objectives and identify flow of audit evidence. The procedures he could usefully
follow to understand the information is stated below :
The information system would encompass both manual and automated
processing. Hence, it is necessary to study the systems in the basic manual
environment, the final computerised environment and the linkage between the two.
A method which has been generally found effective to understand an information
system is for the auditor to conduct a "systems walkthrough". This involves
identification of all input transactions by the auditor and following these transactions
through the various computer process. This information should generally be available
in the documentation that the computer department is expected to maintain. The
documentation would include a list of the various authorised applications with a
systems flow-chart for the different applictions like the payroll, inventory, financial
accounting etc. Each of the systems documentation should have (a)program
specifications (b) Listing of the source code, user manuals, operations procedure etc
The auditor may obtain an application flow- chart from the organisation or
develop one himself. A flow-chart is a pictorial representation of the computer
process. The flow-chart helps in simplifying and presenting in a concise form large
amounts of complex computer processing.
It is recommended that when the auditor prepares application flow-charts, they
should be reviewed with the organisation's data processing department to ensure its
accuracy and completeness.

m p 3
Identify the audit risks
A risk can be defined as a potential loss or damage to an organisation. This
is present in any environment and computerised environment is more vulnerable to
risk if adequate steps are not taken to implement effectively. The functions that the
auditor has to perform for identifying the audit risk would be by (a) identifying the
possible risk inherent in the information systems (b) evaluate the magnitude of the
risk and (c) prioritise the risk with reference to the importance from the auditor's
point of view.
Identifying the risks
It would be possible to identify the risks in a computerised environment only
if the auditor and his team are familiar with the information system as also the
computerised environment in which the particular information system operates. As
mentioned earlier, a computerised environment has additional risks as compared to
manual processing. It is necessary for the auditor to identify these risks. An
illustrative but not necessarily an exhaustive list of all the risks generally associated
with the computerised environment is as mentioned below:
Repetition of emrs
While in a manual process errors are made individually, in a computerised
environment if there is an error in a program, the error would be committed
consistently for any number of transactions with greater speed.

Cascading of emrs
An error in a particular part of a program may trigger an unrelated error in
another part of the programme or applications systems may in its turn trigger yet
another error; this type of error becomes more complicated when there is an
integrated system.
Unreasonable processing
In the absence of human judgment, certain unreasonable processing is likely
to take place. A junior individual on a very low salary may be given a computer job
the value of which is ten times or hundred his entitlement There may be an
inventory application in which a quantity for a particul,ir item may be- denoted with
a negative figure. Similarly due to wrong processing a cash account may also denote
a negative balance.
Incomt entiy of data
Though properly prepared, may be wrongly entered into the computer. Even
when data is generated and entered into the computer, at the same time, there is a
possibility of errors creeping in.
Concentration of data
Unlike in a manual system when voluminous data is stored in different places,
in a computeriscd environment the data is concentrated in a computer file. This gives
room for the possibility of data being copied without even the owners of the data

eing aware of the same. Sometimes this may result in the original data being
modified or deleted. When more and more data are stored in a centralised place, the
greater is the value for the data and greater is the vulnerability. The inability to
substantiate processing in the absence of proper audit it may be difficult to
substantiate the processing. It should be possible to trace the sources of transactions
and establish its integrity by means of control totals.
Concentration of responsibilities
Responsibilities which might have been separated for control purposes in a
nontomputerised environment may get merged and get concentrated in a single
application. This necessitates the substitution of new controls to make up for the
previous separation of duties.
Determine the magnitude of risk
While quantitative ranking of the risk like whether it is high, medium or low
is adequate, it may be useful to quantify the same to facilitate effective presentation
to the management.
Prioritising the risks
It is important that the risks should be prioritised so that the auditor would
be able to prioritise his risks and suitably divide the resources among the various
risks.

STEP 4
Identifying audit evidence
Electronic evidence as distinct from the paper evidence has had a significant
impact on the control process as also the audit process. As more and more evidence
is becoming electronic to substantiate the evidence, it is necessary that not only the
electronic evidence should be available, but it should be supported by adequate and
relevant controls concerning its origination, recording and storage. The following table
provides details regarding information systems audit evidence :
INFORMATION SYSTEM AUDIT EVIDENCE1
Types of Evidence
Authorization
Recording
Access to assets
Asset accountability
Operational Performance
Satisfy goals and
objectives
Examples of Evidence in Automated System
Supervisor key
* Automated authorization mles
* User signoff
Data filesldata bases
* Systemlprogram documentation
Communication logs
* Passwords
Security Systems
* Communication logs
Operator log
* DBMS log
* Program change control
* Job accouunting log
Softwarehardware monitors
Failurelcomplaint reports
Quality assurance reports
Metrics
Post-implementation review reports
-
William E.Perry, Auditing Information Systems a Step-by-step Audit Approach, p.46.
ZDP Auditors Foundation Audit Guide Series, 1983.

It is very important to note that it is not only the computer technology but also
the use to which the technology is put which decides the type of evidence that the
auditor will need to look into. The auditor would be better advised in this connection
to (i) make an exaustive list of all the evidence produced by the computerised
application system; most of the information should be available even at the stage
when the auditor spends time to understand the information system and (ii)
document the audit evidence. When documenting the evidence the major points that
the auditor should note would be (1) Medium: It may be stored on a floppy or a hard
disc or tape; (2) Location; the place where the computer media is stored. (3) Size
and format: the size of the file as also the format of the records are important (4)
Period: the time for which the evidence would be stored before being discarded is
very important. The auditor should ensure that the evidence is capable of being
retained till such time he requires. The auditor should collect adequate information
so that he would be able to develop his own software programme or use a computer
utility so that he can analyse and list the electronic evidence for audit purposes.
STEP5
Identify key control points
Key control points are points in a computer system where the risk is greatest
and naturally control is most important The generally accepted and easily usable
strategies which can be adopted by the auditors are as follows:
i. Checklist
ii.
iii.
Control flow charting
Matrices

The questionnaires have many disadvantages as they tend to be very long and
hence make it difficult to analyse. The Matrix is a good and effective stragety. This
matrix provides list of controls to protect information systems against possible
vulnerabilities. Control flow-charts are most effective. The tasks involved are: (1)
Locate the risks on the control flow chart; (2) Document the key controls on the
control charts, (3) Locating the controls on the control flow chart: The auditor who
would have already identified the possible risks must match these risks with that part
of the information systems in which the risk is the greatest. This matching would help
in identiFying the points where the risks need to be controlled or where the key
control points are incorporated in a computerised system.
Document key control on the application flow chart
It would be necessary for the auditor to document the computer systems
controls by concentrating on the key controls.
STEP 6
IDENTIFYING CONTROL WEAlCNESSES
A weakness is a condition which in the auditor's opinion could result in a loss;
once it is identified, it can be tested to determine the magnitude of the potential
control weaknesses.

Documenting for control weakness identification
Unlike manual systems which are inconsistent, computerised information
systems are pre-determined and consistent. The three methods which could be used
for documenting of control weaknesses are (a) control flow charting; @) conflict
matrix and (c) transactions-control matrices.
Preparation of a conflict matrix
This is an easy method for identifying when a single individual is vested with
too much responsibility. The process involved in preparing the conflict matrix consists
of identifying the people who have interest in information system and secondly
identifying conflicting connections by means of the ability they have to manipulate.
Processing the matrix is prepared by listing of the connections of one access of the
people involved in the information systems in the other access.
Preparation of transactions control matrix
Transactions which involve economic events like cash, bank, receipts and
payments should be considered for this matrix. The economic events are recorded on
one access of the matrix while the information systems are recorded in the other
access. Controls codifying each of these transactions are listed at the matrix intersection.
This type of the matrix has the advantage of documenting the compensating
controls.

Analysis and document potential control weeknesses
The control assessment consists of four ingredients.
First, identify the risk; control flow chart could help in identifying the risk.
Second, determine the magnitude of the risk;
Third, determine the strength of the controls; each of the controls should be
assessed individually to enable the auditor to assess how strong it is.
Fourth, identify control weakness and document the same. The auditor should
make cost-benefit analysis to ensure that cost of the control is not more than thc
magnitude of the loss due to the weakness.
Verifying the integrity of the computer files
The various steps in verifying the integrity of the computer files are:
i. Identifying the files for examination; this could be done by studying the
systems flow chart. The files generally selected are those that would be needed
to test control weaknesses.
ii.
File documents.

File documents
Save the needed computer files. It is necessary for the auditor after having
decided which file is needed to ensure that the file will be available at the time he
plans to take or conduct the test.
iii.
Verify the integrity of the file
This is done to ensure that the data on file is reconcilable to an independent
control - the total or equivalent. Examples - control figures of subsidiary ledgers,
overstatement of assets, understatements of liabilities. The file integrity may be
performed independently or in conjunction with other audit tests. It is very important
to note that the file integrity test should be personally performed by the auditors.
Auditor's independence would be lost if the tests were developed and performed
bythe data processing people or by the user department. However, where the auditor
does not have the necessary skills, he could rely on a third party.
iv.
Verify the integrit: of the data on the file
The auditor may use the software or utility and have the data on the file and
have the same classified according to their requirements. Example: Accounts
receivable file, classified as more than six months, less than six months; the balances
which are beyond credit limits authorised etc; inventories as items which have not
moved for more than a year or as A, B, C analysis.

STEP 8
CONDUCT Ah' AUDIT TEST
In countries where computerisation has been in existence for more than 50
years, as in the case of United States, Canada, Japan, Australia, etc. there are
software in the category of generalised computer audit software. However, in our
country we do not have the availability of such a software and also the necessary
knowledge and skills to use such software is absent. However, the auditors are not
handicapped by the absence of such a software. The controls used by the
programmers and systems analysts to build in controls could be used by the auditors
to conduct such tests.
STEP 9
CONCLUDING THE AUDIT
The objective of the audit is to evaluate the controls and give information on
the adequacy or otherwise of the same. Hence, while concluding audit the auditor
should determine the findings, develop recommendations and working out the details
for the acceptance of those recommendations. The steps involved are :
(1) Develop audit findings; a finding is a comparison of existing situation with an
ideal situation. A finding should contain the following information:
(i) factual situation observed by the auditor

(2) criteria for judgment. The criteria in a computerised environment are the
standards and guidelines and well-defined implementable controls specific to
each environmenq
(3) Effect of the condition
The auditor should compare the condition as it exists with the condition as it
should exist and give an opinion on the effect it would have. (4) Develop audit
recommendations: It is advisable that the auditor should discuss his recommendations
with the auditee. It is well said that the best recommendation is the one that has been
accepted prior to its being presented.
Writing the Audit Report
The audit report should be short, be bereft of terminology and jargcn; it
should contain a summary with explanatory material attached. The report should be
positive and effective, giving suggestions about corrective actions to be taken in areas
which have been prioritised.
ANALYSIS AND FINDINGS
A questionnaire based on standard literature of audit approach was prepared.
Leading firms of Chartered Accountants were also selected with sample. All the firms
and individual auditors have a wide variety of clients which include public limited
companies, nationalised banks etc. Almost all their clients have computers in their

organisation. All the financial statements which are certified by these firms are
prepared on the computer. A total sample of 30 auditors was selected.
The response to the questionnaire was personally collected. A summary of the
response received on the questionnaire is enclosed.
An analysis discloses that none of the auditors are at present having
confidence or the skills to perform an audit in a computerised environment. Further,
they certified that the financial statements which are outputs from computers
represent a true and fair view of the affairs of the company. A detailed discussion
with them reveal that they are ignorant of specific controls in each types of the
computerised environment; they rely on the management personnel of their clients'
organisation for the integrity of the information.
A further sample of 30 companies who are clients of one particular auditor's
firm was chosen. These firms are dealt with by different partners who have their own
assistants who are qualified chartered accountants. A more detailed study based on
the questionnaire was performed. It was revealing to note that neither the juniors of
the firm nor the seniors have made any attempt to study the controls in the
computerised environment of their clients. In all the cases the auditors were not even
aware of the type of computer that was in their client's organisation.
Information is an important asset of the organisation and the organisations are
entirely dependent on the information produced by the computer. In all the
organisations computerisation has been in existence for more than I5 years. The

auditors were not aware of the possible risks involved. They claim that the integrity
of the people associated with computers in their client's organisation was
unquestionable and hence they have no reason to feel concerned. It was also claimed
that they had not come across any fraud situation. I conducted an independent study
of a sample of 30 organisations and had personal discussions with the senior members
of the staff, both in the computer division as also the finance departments. A
statement is enclosed giving the risk factor involved. The computer-risk assessment
procedure and the questionnaire have been adopted, as suggested in the book "Audit
computer Security - A manual with case studies" by S. Rao Vallabhaneni, the data
was gathered by providing the questionnaire to them earlier and meeting them later.
The questionnaire wa, jointly compiled by me and the senior member of the
computer department who did it with the approval and knowledge of the Finance
Controller.
The risk value and the criterion weight are not based on any scientific
evidence; they are based on intuition and graded according to the intensity of the
risk. The risk ranking working sheet was prepared (Annexure H).
SUGGESTIONS FOR ORGANISATIONS
Knowledge of appropriate controls associated with specific computerised
environments should be acquired by the auditors, whether they be internal or
external. Managements who have the primary responsibility for controls should issue
policies and guidelines in consultation with competent people, from within and from

outside consultants. The policies and guidelines should clearly lay down the
procedures regarding
- Organisational and administrative controls
- Documentation standards
- Maintenance of security and integrity of files and data
- Procedures for disaster recovery planning
- Nominating a group for constantly monitoring the implementation of
policies and procedures and ensuring that they are updated in keeping
with the changed circumstances.
SUGGESTIONS FOR AUDITORS
It is long overdue for the auditors to become computer-literate. It is essential
for them to have a thorough knowledge of control and security aspects associated
with each computerised environment. This need for knowledge is immediate and long
overdue. It would be desirable to have a EDP cell in all large audit firms. The staff
of the EDP Cell needs to be trained and kept upto date on current techno lo^ in
computers.
Where it is not possible to have a separate cell it would be advisable to rope
in a consultant who has the necessary knowledge and experience. However, the
auditor's basic responsibility regarding the need for satisfying himself about the
adequacy of controls cannot be relegated or delegated due to non-availability of
competent staff. With knowledge adequate to meet the situation, it is recommended

outside assistance can be sought. In special circumstances, when evaluation of assets
needs to be done and certified, it is not uncommon to get a third party who is
competent to do so to give a certificate based upon which the auditors themselves
authenticate the financial statement. The same procedure needs to be adopted
immediately.
If auditors and organisations do not wake up to the situation, frauds of serious
consequence would take place. The chapter describing the "scenario" in other parts
of the world has a short description of the crimes and frauds that have been reported
in countries such as USA. UK and Australia.
Various charts depicting the average annual computer abuse, loss and
computer crime loss, relative seriousness of frauds have been enclosed. These charts
and reports should be eye-openers for managements of organisations and auditors to
implement post-haste audit of and in computerised environment.

CHAPTER IX
SUMMARY, CONCLUSION AND RECOMMENDATIONS
This Chapter presents a summary of conclusion and recommendations of the
study besides making useful recommendations in control standards and auditing
procedures in a wmputerised environment
AUDITING STANDARDS
International bodies like the American Institute of Certified Public
Accountanq Institute of Internal Auditors, USA, the Institute of Chartered
Accountants of England and Wales, United Kingdom, EDPAA Foundation, USA,
have issued official pronouncements regarding the auditing standards to be observed
in a computerised environment Though there may be no enforcing authority insisting
on the auditors obsemng certain procedures it is quite necessary for the auditors to
change their approach and adopt appropriate tools and techniques while auditing in
a wmputerised environment
The innumerable instances of frauds which have occured in a computerised
environment reported elsewhere in the world (as mentioned in Chapter I) proves
beyond doubt that it is absolutely imperative for the auditor to acquire adequate skills
and competence. In the absence of such skill and competence to certify that
adequate controls commensurate with size and nature of the organisation exist is
meaningless. In addition, in the absence of adequate knowledge of necessary internal

controls in different computerised environment, the auditor will not be able to satisfy
himself that they represent a uue and fair view.
CONTROLS IN END-USER COMPUTING
The practice of end-user computing has been proliferating due to the fact that
the cost of hardware and software has been falling significantly and they have been
becoming very user-friendly. In addition, more and more users have become more
computer-literate and hence usage of computers, specially PCs by functional
departments, has become very common. However, the study reveals that there are
no policies and procedures regarding the control and security in a computerised
environment Well-accepted control procedures are absent Neither the management
nor the user is in full realisation of the consequences of installing end-user
computing without implementing the necessary discipline which comes with it
Neither the internal auditors nor the external auditors are seized with the
responsibility of the accepted procedures if audit review have not been followed.
CONTROLS IN L9N
With the development of information technology and communication and with
the availability of communication software, many organisations have taken advantage
of this concept Needless to say there are additional control features which need to
be adhered to in a net-worked environment using advance communication facilities.
The net-working environment is a few further steps in technological development
The auditors have not acquired adequate skills and competence in our country even
for auditing in a basic computerised environmenr In view of this, they are not even

aware of the necessary controls in a net-worked environment. Hence the adequacy
of auditing practices does not ark. The auditing standards as practised now are
totally inadequate.
CONTROLS IN DATABASE MANAGEMENT SYSTEM
Database management sptem is an extremely useful technology and many
vendor packages like ORACLE, INGRESS and SYBASE are in the market vieing
with each other ; after real'iing the utility of DBMS certain large organisations have
implemented the same. However, a study of a sample number of organisations
reveals that the control procedures and practices are in line with the accepted norms
in toto. As regards the audit procedures apart from the organisations reporting that
neither the internal auditor nor the external auditor have ever reviewed their
controls, the auditors themselves ave conceded that they are not even aware of the
control objectives and audit concerns, thus proving again that control practices and
auditing standards in a computerised environment.
UNM ENVIRONMENT
This particular operating system can be chosen as when it was introduced it
had a number of loopholes. The organisations who introduced the system realised it
after introduction and even by a process of control trial and error, are trying to plug
the loopholes. A study of the practices in the organisations which have implemented
UNIX reveals that all of them have had an unpleasant experience or two when the
vulnerabilities in the operating systems have been exploited by a process of
evaluation, securities are being built into this environment, However, in most of the

organisations the system is not fool-proof. As regards the auditors they are totally
unaware of the concept of operating system vulnerabilities in general and UNIX
operating system in particular.
DISASTER RECOVERY PLAN (DRP)
It is extremely important that once the systems have been computerised there
should be a disaster recovery plan. There are well-established procedures and
guidelines for evolving a plan, implementing it, maintaining it and constantly
renewing it; It is an on-going process. However, in practice the organisations, mostly,
do not go beyond maintaining a copy of the programme and data, that too in the
same building in the same computer department, mostly in the cabin of the Systems
Manager. The organisation, specially the computer department is aware of the risks
involved. However, the study reveals that neither the management nor the data
personnel departments have seriously done any thinking of evolving an effective
disaster recovery plan. Auditors do not realise that information is an asset While
evaluating and verifying the existence of assets information is left out of count The
fact that there is no insurance coverage other than for the hardware is totally lost
sight of. In the absence of any knowledge of the contents of disaster recovery plan
and also the absence of any awareness for the necessity of disaster recovery plan,
auditing involvement in evaluating the existence of disaster recovely plan and its
adequacy is totally absent.
SUMMARY AND CONCLUSIONS
An analysis of the appropriate controls in specific computerised environment
reveals that it is far below acceptable norms. The concerned auditors, both internal
and external are totally ignorant The analysis of the financial statement and findings

substantiate the NULL hypothesis that control standards are inadequate and auditing
invisible and hence inefficient
Questionnaires for Physical security (Appendix A), for Personal Security
(Appendix B), Data security (Appendix C), Application software security (Appendix
D), Systems software security (Appendii E), Telecommunication security (Appendix
F), Computer operation security (Appendix G) were used to collect data and quantify
the risk assessment under each of the areas. The results as obtained are given in
table 10.1.'
The table as given below contains risk ranking worksheet was utilised.
Table - Risk-Ranking Worksheet
r
Computer Security Area
Physical Security
Personnel Security
Data Security
Applications Software Security
Systems Software Security
Telecommunications Security
Computer Operation Security
Lovv
0-26
0-34
0-44
0-64
0-42
0-39
0-33
Risk Level
Medium
27-52
35-68
45-88
65-128
43-84
40-78
34-66
High
53-96
53-129
89-172
129-263
85-152
79-138
67-124
The data obtained was anlalysed utilising the norms provided the above table. The
analysis of the sample survey if 30 organisations was as given in the following table:
Auditing Computer Secuirt - A Manual with Case Studies
by S.Rao Vallabhaneni, J O Wiley ~ & Sons, New York.

Type of Security
Physical Security
Personnel Security
Data Security
Application Software Security
System Sohware Security
Telecommunication Sobre Security
Computer Operations Security
It will be observed that out of the 30 organisations, 29 organisations were in the high
risk category in areas of systems software security, telecommunication software
security and computer operation security. 28 of the 30 organisations were in the high
risk category and two in the medium risk category in the areas of Personnel security,
data security and application saftware security. There was only one organisation in
the low risk category and 2 organisations in the medium risk category and the balance
of the 27 in the high risk category under the category of Physical security. It is of
significance to note that out of the 30 organisations one organisation which had low
risk in 2 areas and medium risk in 6 areas was a multi national company which had
auditors coming from abroad. The head office of the organisation in U.S. which had
offices al! over the world bad laid down standard procedures and guidelines for
security aspects and audit procedures.
Total Na
Of
'-''%ahation
30
30
30
30
30
30
30
' Low
Risk
1
1
Numben in
Medium
Risk
2
2
2
2
1
1
High
Risk
27
28
28
28
29
29
29

228
ANALYSIS FOR RISK ASSESSMENT (Table 10.1)
~1.
N~.
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
Physical
Security
1
28
60
60
60
50
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
60
Computer
Operations
Security
7
43
86
%
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
Personnel
Security
2
58
103
103
93
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
103
Data
Security
3
49
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
96
Teleeommu
nication
System
Security
6
43
86
8h
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
86
Security
Application
Software
Security
4
68
172
172
172
182
182
182
182
182
182
182
182
182
182
182
172
172
172
172
172
172
172
172
172
172
172
172
172
172
172
Systems
Sohn
Security
5
42
100
90
100
100
100
100
100
100
1W
100
100
100
100
100
100
I0
100
100
100
100
100
100
100
100
100
100
100
100
100

AUDIT APPROACH
AND
RECOMMENDATION

AUDIT APPROACH
A study of the general approach in a computerised environment reveal that
auditors of large organisations which have complex computer environment have not
followed any of the accepted procedures. As a matter of fact, the controls of the
general questionnaire seemed incomprehensible responses to them. Questionnarie in
Appendix I was negative in all the cases. The general new expressed was that senior
executive in charge of computer operations in their client's offices were very
competent and reliable. Again apan from the supporting evidence collected from
well known auditors it was supported by their clients also. They had no hesitation in
stating that the controls in a computerised environment have never been evaluated
either by the internal auditors or the external auditors. A study of the controls and
the auditing standards supports the NULL hypothesis, controls are insufficient and
auditing standards are woefully inadequate.
RECOMMENDATIONS
It is more than overdue that the management and the auditors should realise
the impact of computerisation on auditing. While the objectives of auditing have not
changed the means of achieving those goals and objectives have definitely changed.
Hence, it is necessary for the management to ensure that controls in the
computerised environment introduced in their organisation are adequate. They should
also be seized with the necessity for a disaster recovery plan. With these objectives,
they should equip their internal audit depanment with staff competent to evaluate
the adequacy of controls. In case it is not possible for them to immediately train
the personnel of the internal
audit department to acquire adequate skills and

competence they should include in the audit team an information technologist, who
is competent and knowledgeable of the specific computerised environment in their
organisation. In the absence of such a staff, the possibility of frauds associated with
computerised environment cannot be ruled out. It is better to take preventive steps.
As the computers are sophisticated, knowledgeable computer personnel with
fraudulent intentions may hold the organisation to ransom. Apart from financial loss
the organisation would also suffer loss of image.
The statutory auditors cannot hope to protect themselves for improper
discharge of their duties as auditors in a computerised environment. Absence of
auditing standards which make it obligatory to observe certain procedures may not
preclude their being sued for negligence. The auditors should equip themselves to
meet the challenges of fast-changing technology. It is recommended that large
auditing firms should have an EDP Cell. The personnel should consist of people
knowledgeable about general and application controls in a computerised
environment, as also of controls specific to certain computerised environments.
Their skills with the experience of auditon would help to discharge the responsibility
to the management, the shareholders and the public. They should also consider
seeking the senices of specialists in the field and relying on the specialists' opinion
regarding adequacy of controls.
The technology is developing very fast. In the existing computer environment
itself controls are not satibfactory and auditing methods inappropriate. In the
following pages, a brief review of the Emerging Technologies is provided to highlight

the widening gap between development of technology and controls and auditing
standards.
EMERGING TECHh'0U)GIES
To remain competitive and be able to respond quickly to global markets
organisation need to change and they are changing. The concept of tele- commuting
from anywhere in the world to any other place in the world and to his olfice in the
home town has become a reality and a necessity. It is possible to have a personal
computer net-worked into the office systems. This in turn would have access to
electronic mail and support of fax facility. This gives enormous power to the user;
he is able to obtain information from the system. Along with the advantage there is
a disadvantage in that it provides the user with the capacity to destroy or modify any
information. This leads to a situation when data security becomes a major issue. The
Institute of Internal Auditors Research Foundation of United States of America in
its research project "Systems Auditability and Control Report" as reported in
Appendix A of Module II, has analysed the most frequently reported risk for
information technology components. One of the components that has been
considered is emerging technologies ; the given survey findings and observations
relating to emerging technologies are as follows:
Most frequently reported risks for Information Technology Components:
* Forty six per cent of the 254 respondents indicated that one of the
highest risks is unauthorised access or changes to data or systems. Of
this 46% (117 respondents), 30% felt the risk would decrease in the

future, 25% felt there would be no change, and 45% said it would
increase".
Emerging technologies has been classified under the following heads:
i. Development
ii. Storage
iii. Personnel
iv. Communications
v. Data base
vi. Interface
vii. Knowledge based systems
Development methodology
Examination has been made of the emerging technologies that support
applications system development; i.e. the technology which facilitates development
of systems and the corresponding programmes. The two main points which have been
considered are :
i. CASE (Computer Aided Software Engineering) and
ii. OOP (Object Oriented Programming)
i. CASE
It is a software technology which has been developed to increase productivity
and improve software quality. This has been achieved by introduction of product
standards and analysis. The usage of CASE technology is also expected to decrease
the cause of documentation and maintenance of application systems.

Generally the CASE products are classified under two heads:
i. Upper a e : This deals with a strategic planning to requirements definition,
proto-typing and systems module design
ii. h r esse : This deals with code designing and code generation, testing for
maintenance.
It is reported that the most widely used case tools are analysis, work benches,
auditors, debuggers, compilers and test tools It is reported further that the code
generators are very specified and may even produce upto 85% of the code for a
given application. It is reported that great saving will be realised in maintenance.
Automatic production of documentation is a much appreciated incentive where large
products of system development are involved. It is reported that this has been
greatly appreciated by the US department of Defence Programmers. Using of CASE
te~hnology has been found to be useful in re-engineering. Reengineering is a process
by which the existing software systems are modernised so that their functional lives
could be prolonged as also preserved. The value of the existing system of re-
engineering consists of three components, viz
i. Reverse engineering
ii.
iii.
Foryard engineering
Code generation
In the first phase, viz reverse engineering, the system as it exists is analysed
in detail and categorised into its component definitions. In the forward engineering,
the existing system is functionally enhanced to a new technology platform. In the final
phase, viz code generation the programmer generates the needed codes from the
component definitions.

While in America, it is reported that CASE tools are extensively used It
must be observed that even in our own country, leading software consultants are
making extensiw use of these tools while offering their senices to the various
organisations for software development The tool has certain risks, controls and audit
considerations associated with its usage. They are as follows:
i. Auditabiiity
ii.
iii.
Accuracy
Integrity
The CASE envimnment and maintenance
Certain tools for data integrity by including validation and authorised acwss.
If these tools are not properly managed, it would result in loss of data integrity.
CASE tools need to be consistently used. If it is inconsistently used to define
business tools, it would lead to development of improper systems which in turn would
lead to significant business risk.
SECURITY
It is very important to protect proprietary data from unauthorised access. If
such a protection is not there, it would lead to proprietary and strategic data being
disclosed to unauthorised people which may result in a business risk.

STANDARDS
There are no common standards for all CASE tools. This may lead to a
situation when different CASE tools with differing standards being used in the same
environment This may cause incompatibility and duplication of efforts.
ADMINISTRATION
Proper use of CASE information is absolutely necessary. To achieve this,
there has to be effective administration and control of user access. When CASE tools
are used for Reverse Engineering the main objective is to create new and important
versions of software. In the absence of adequate administrative procedures there is
a possibility of risk that multiple versions of the same software may be created which
may result in confusion.
Costs associated with implementation of CASE should bc justified from the
angle of the benefits arising therefrom.
CONTROLS
CASE tools themselves have facilities and features for control purposes.
These could be effectively utilised for implementing in a CASE environment Some
of the controls are as follows :
To obtain accurate and complete documentation the repository can be utilised
as an effective control tool. CASE tools have their own access control features. These

can be utilised to enforce only authorised access to the information in a CASE
environment.
The risk of inadvertent data corruption and improving productivity can be
achieved by using the functions of CASE tools which have their own mles for
maintaining data integrity, validation and access.
Risks associated with data accuracy and ~ntegrity could be mitigated by having
end-user involvement while the systems are being developed.
Use of change management procedures in the systems development process
is another important control in the CASE environment. Many CASE tools have
version control features as well as authorisation and sign off functions.
CASE tools for auditors
An auditor could perform specific audit tasks by utilising CASE features and
functions. Given below are some of the examples of situations in which the auditor
could use CASE tools.
i. System can be understood and the controls could be documented by making
use of the repository as an information source. When the question of '%re
use" arises the repository could be used as an audit trail. It is necessary for
the auditor to become familiar with CASE tools as these tools represent
possible increased risks. However, by understanding and masteringihese tools
the auditor could use them as control and auditing tools.

OBJECT ORIENTED SOFTWARE
In the conventional programming the object of problem solving was
procedural while in object oriented programming it is not so. Mr. Grady Booch, an
ADA expert sums up the difference between object oriented programming and
procedural programming as follows : "Write the specifications of the sofhvare you
want to build, underline the verbs if you are after procedural code; nouns if you aim
for an object oriented program.
RISKS AND CONTROLS
Object oriented software is a totally new technology; there are certain
inherent risks; some of the risks are: There is concern regarding accuracy and
integrity of the contents of the objectives as the implementation of OOPS stress that
the content of an object can be "hidden" from the program.
If careful management procedures are not applied, there is a risk that the
accuracy and integrity of the libraries associated with the OOPS may become
questionable. It is likely that the implementation of OOP then may be a degradation
of performance.
However, these new technologies provide possibility for applying innovative
approaches and implement new and more reliable controls.
The techniques for implementing controls in OOP environment are totally
different from those in traditional programming objects. The auditor must have
adequate knowledge to understand and evaluate controls in this new technology.

SM)RAGE TECHNOLOGY
Magnetic storage have been the traditional medium of storage. Recent
developments have provedthat optical storage is technically better and provide many
more attrative benefits like greater storage capacity, longer storage life and better
error detection and correction mechanism. However, there are certain reasons
associated with this technology like increased exposure to data loss or theft This is
due to the smaller size of the medium.
PROCESS TECHNOLOGY
Even in the area of processing technology there have been emerging trends
and the two main technologies are (i) Co-operative processing and fault tolerant
computers.
i. Co-operative pmcessing
In co-operative processing machines have separate portions of application.
However, they work together to accomplish common processing objective.
Data that resides on computers in different locations is accessed. In a
co-operative processing environment the processing power and data are distributed
across a computer network.

Risks, controls and audit considerations
Cooperative processing technology works in a multi-processor or multiple
machine environment which leads to the boundaries of the applications being less
discreet than those of traditional processing applications.
Audit accuracy and integrity: Because many and different hardware and
software environments are involved, there is a possibility of risk of incompatible
versions and unsatisfactory change management procedures.
In view of different locations being used there is a replication of data and
files. If there is a possibility of risk of these files not being properly synchronisedwith
the master copy.
In a cooperative processing data is
moved from the main frame to
microcomputers. These microcomputers may not have adequate CASE controls to
protect data from unauthorised use.
RECOVERYANDBACKUP
Recovery and back up procedures require more detailed planning.

ERROR HANDLING AM) ADMINISTRATION
Enor handling process would be compromised if there are not sufficient
controls. However, there are controls which could minimise, if not eliminate these
risks. Some of them are as follows :
When an information system spans multiple computing environments special
care should be taken to ensure adequate co-ordination of activity. The designers
and implementors should take adequate steps to minimise the risk of un-co-ordinated
processing to mitigate the risk of absence of synchronisation. Special software could
be designed. It should automatically modify all tables and files at periodical intervals.
Change management procedures should be controlled strictly.
As restart and recovery procedures are complicated the designers and
developers and usen should ensure that the co-operative processing sohare has
features and functions which will facilitate recoverability.
AUDITORS
Auditor should be aware of the inherent risks and assure himself that there
are adequate controls which would minimise the risks.
controls.
Co-operative processing will require new audit trail and system recoverability

APPENDIX - A
CompanyDivisionNnit
Risk Assessment Worksheet tor Physical Security1
Name of the Organisation
Date:
Criterion
Risk Criterion
x
Value Weight
-
Total risk
,core
1.
Are standards, policies and guidelines
about physical security distributed to
employees? If so, are they adequate
and up-to-date?
( ) Yes-Fully adequate and up-to-date
( ) Yes-Reasonably adequate and upto-date
but need improvement
( ) Not distributed-Inadequate and not
up-to-date
1.0 x 4.0
20 x 4.0
3.0 x 4.0
=
=
=
2.
Are physical access controls (e.g. locks
cards, badges, security guards,
television monitors) available? If so,
are the, adequate and effective?
( ) Yes-Fully adequate and effective
( ) Yes-Reasonably adequate and
effective but needs improvement
( ) YesNo-Totally inadequate and
ineffective
1.0 x 5.0
2.0 x 5.0
4.0 x 5.0
=
=
=
I
Adapted from Computer Security - A Manual with Case Studies by S.Rao
Vallabhaneni.

Criterion
Risk Criterion
x
Value Weight
=
Total risk
score
3.
Status of environmental Controls
(Airconditioning, heat, dust, humidity)
( ) Always in compliance with
suggested guidelines
( ) Not always in compliance with
suggested guidelines
( ) Not monitored most of the time
1.0 x 4.0
20 x 4.0
4.0 x 4.0
-
-
=
4.
Are good housekeeping and security
related procedures distributed to
employees? If so, are they up-to-date
and followed?
( ) Yes-up-to-date and followed
( ) Yes-Reasonably up-to-date
followed most of the time
( ) Not distributed not up-to-date and
not followed
1.0 x 4.0
2.0 x 4.0
3.0 x 4.0
=
=
=
5.
Time since last audit:
( ) Less than one year
( ) Less thari two years
( ) Two yean or more
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
=
=
=
6.
Last audit results:
( ) Good controls
( ) Adequate controls, but need
improvement
( ) Inadequate controls
1.0 x 5.0
2.0 x 5.0
4.0 x 5.0
=
=
=
Total score for physical security categoy

APPENDIX - B
Company/Division/Unit
Risk Assessment Worksheet for Personnel Security1
Name of the Organisation Date :
1.
2.
3.
4.
Criterion
Are standards, policies and guidelines
about personne: securlty distributed to
employees? If so, are they adequate
and up-to-date?
( ) Yes-Fully adequate and up-to-date
( ) Yes-Reasonably adequate and upto-date
but need improvement
( ) Not distributed-Inadequate and not
up-to-date
Are employment verifications
performed prior to hire?
1 { $~~:%~~~ective
basis
) Yes-No-only when time and
memory permit
Are legal, education, credit, and police
verifications performed prior to hire?
t 1 Yes-Always
Yes-On selective basis
( ) Yeslno-only when time and
memory permit
Are employees required to sign conflict
of-interest or code-of-conduct statement
at the time of hire?
( ) Yes-Always
( ) Yes-On selective basis
( ) YesMo-only when time and
memory permit
Risk
Value
Criterion
1.0 x 4.0
2.0 x 4.0
3.0 x 4.0
Weight
1.0 x 5.0
2.0 x 5.0
4.0 x 5.0
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
1.0 x 3.0
2.0 x 3.0
4.0 x 3.0
=
=
=
=
=
=
=
=
=
=
=
=
=
Total risk
'Ore
Adapted from Computer Security - A Manual with Case Studies by S.Rao
Vallabhaneni.

5.
6.
7.
8.
Criterion
Are employees required to sign nondisclosure
statements with respect to
passwords and other sysiem information
at the time of hire?
i j Yes-Always
Yes-On selective basis
( ) Yes/h'o-Only when time and
memory permit
Are all employees frequently reminded
of their responsibilities in the area of
computer security?
t ) Periodically
) Not regularly
( ) Only on an individual basis when
an improper action is taken by that
employee
Time since last audit:
( ) Less than one year
( ) Less than two years
( ) Two years or more
Last audit results:
( Good controls
ti Adequate controls, but need
improvement
( ) Inadequate controls
Risk Criterion
x
Value Weieht
1.0 x 6.0
2.0 x 6.0
4.0 x 6.0
1.0 x 3.0
2.0 x 3.0
3.0 x 3.0
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
1.0 x 5.0
2.0 x 5.0
4.0 x 5.0
=
=
=
=
=
=
=
=
=
=
=
=
=
Total risk
scan

APPENDIX. C
Risk Assessment Worksheet far Data Security1
CampanyDivisionAJ~t
Name of the Organisarion
Date
1.
2.
3.
Criterion
Are standards, policies and guidelines
about personnel security distributed to
employees? If so, are they adequate and
up-to-date?
( ) Yes-Fully adequate and up-to-date
( ) Yes-Reasonably adequate and up-todate
but need improvement
( ) Not distributed-Inadequate and not up.
to-udte
Is access control security systems software
in place, and is it used effectively to control
access to data files?
) Yes-Used effectively
I ) Yes-Not used effectively
( ) Not in place
Are the access rules or privileges
established in the security software for
accessing data files always in line with
employee job duties.
I1 Usually-Not Yes-Always
a major problem
( ) No-A major problem from an
operations viewpoint
Risk
Value
Criterion
1.0 x 4.0
2.0 x 4.0
3.0 x 4.0
1.0 x 6.0
20 x 6.0
4.0 x 6.0
1.0 x 6.0
20 x 6.0
4.0 x 6.0
Weight
=
=
=
=
=
=
=
=
=
=
Total risk
Adapted from Computer Security - A Afanual with Case Studies by S.Rao
Vallabhaneni.

4.
Criterion
Are datalsystem owners established for all
critical and sensitive data files?
Risk
Value
Criterion
x
Weieht
=
Total risk
score
7
5.
Yes-Always
Usually-Not a major problem
( ) No-A nlajor problem from an
operation viewpoint
Are datafsystem custodians established for
all critical and sensitive data files?
1.0 x 6.0
20 x 6.0
4.0 x 6.0
=
=
=
6.
( ) Yes-Always
a major problem
o-A major problem from an
operations vievoint
Are datalsystem users established for all
critical and sensitive data files?
1.0 x 5.0
2.0 x 5.0
4.0 x 5.0
=
=
=
7.
( ) Yes-Alwavs
( ) ~sually-~'>t a major proolem
( ) No-A major problem from an
operations view point
Do datalsystem users need permission from
datalsystem owners before making changes
to all critical and sensitive data files and
programs?
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
=
=
=
8.
( ) Yes-Always
( Yes-permission is delegated
( Permission is not obtained-A major
problem from an operations viewpoi~t.
Time since last audit:
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
=
=
=
( ) Less than one year
1.0 x 4.0
=
improvement 2.0 x 5.0
4.0 x 5.0
Total score for data security category

APPENDIX - D
Risk Assessment Worksheet for Application SoPhvare Security1
CompanylDirisionRTnit
vii
Name of the Organisation
Date
1.
2.
Criterion
Are standards, policies and guidelines
about personnel security distniuted to
employees? If so, are they adequate
and up-to-date?
) Yes-Fully adequate and up-to-date
I ) Yes-Reasonably adequate and upto-date
but need improvement
( ) Not distributed-Inadequate and not
up-to-date
Is access control security systems
software in place, and is it used
effectively to control access to program
files?
Risk
Criterion
Value 'Weight
1.0 x 4.0
2.0 x 4.0
3.0 x 4.0
"
=
=
=
Total risk
"Ore
3.
( ) Yes-Used effectively
( ) Yes-Not used effectively
( ) Not in place
Are the access mles or privilege
established in the security software for
accessing program files always in line
with employee job duties?
1.0 x 6.0
20 x 6.0
4.0 x 6.0
=
=
=
( ) Yes-Alwa)s
( ) Usual$-not a major problem
( ) No-A major problem from an
operations viewpoint
1.0 x 6.0
2.0 x 6.0
4.0x6.0
=
=
=
Adapted from Computer Security - A Manual with Case Studies by S.Rao
Vallabhaneni.

4.
5.
6.
7.
8.
Criterion
Are computer security requirements
made explicit during new system
development and maintenance work?
Yes-But not always
No-Only when time and memory
emit
Do functional users, auditors, EDP
quality assurance staff, and EDP
security staff participate in system
development and maintenance?
( ) Yes-Users, auditors, EDP quality
assurance staff, and EDP security
staff participate
( ) Usually only users participate-Not
others
( ) No user, auditor, or EDP quality
assurance staff, or EDP security
staff participation
Is a system development and
maintenance methodology used?
( ) Followed consistently
ot followed at all
Is purchased software used?
( Yes-With no major changes
( Yes-With minor changes
( ) yes-With major changes and
combined with in house
development
Are systems planned to be developed
and maintained by end-users using
fourth generation languages,application/
program generator, or other methods?
I { N Yes-With o the help of DP staff
Risk Criterion
x
Value Weieht
1.0 x 6.0
2.0 x 6.0
4.0 x 6.0
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
1.0 x 5.0
20xs.o
4.0 x 5.0
1.0 x 5.0
20xS.O
4.0~ 5.0
1
11.0x7.01=1
2.0x7.0 =
( ) Yes-Without the help of DP staff 5.0 x 7.0 =
=
=
=
=
=
=
=
=
=
=
=
=
=
Total risk
score

9.
10.
11.
12.
Criterion
Are
r;
the systems planned to bc
prototype?
Or later discarded
Yes-with fullscale implementation
of system development life cycle
(SDLC)
( ) Yes-Later moved to production
mthout following SDLC procedures
Are regulatory agency requirements for
the systems met?
I
( ) No reports sent to agency
) One agency gets reports
) More than one agency gets reports
Time since last audit:
( Less than one year
(1 Le ss than two years
( ) Two years or more
Last audit results:
( ) Good controls
( ) Adequate controls, but need
improvement
( ) Inadequate controls
Risk Criterion
x
Value Weinht
1.0 x 8.0
2.0 x 8.0
5.0 x 8.0
1.0 x 4.0
2.0 x 4.0
3.0 x 4.0
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
1.0 x 5.0
2.0 x 5.0
4.0 x 5.0
=
=
=
=
=
=
=
=
=
=
=
=
=
Total risk
SCOW
Total score for applications software security category

APPENDIX E
Risk Assessment Worksheet for Systems Software Security1
Company/Llivision/Unit
Name of the organisaiton assessed Date :
1.
2
3.
,
4.
I
Criterion
Are standards, policies and guidelines
about systems sohare security
distributed to employees? If so, are they
adequate and up-to-date
I
Yes - fully adequate and up-to-date
Yes - reasonably adequate and up-todate
but need improvement
( ) Not distributed-inadequate and not
up-to-date
Is access control security systems software
in place, and is it used effectively to
control access to operating system, data
base programs, and dadsystem files?
( Yes used effectively
ti Yes - not used effectively
( ) Not in place
Are appropriate system management
facility (SMF) records logged by the
operating system to support the security
software, and arc the logs renewed?
I
Logged and reviewed
Logged and not reviewed
( ) Not logged at all
Are the access rules or privileges
established in the security software for
accessing operating system and data base
programs and data files always in line
with employee job duties ?
Yes - Always
Usually - Not a major problem
IUsk Criterion
x
Value Weight
1.0 x 4.0
2.0 x 4.0
3.0 x 4.0
1.0 x 6.0
20 x 6.0
4.0 x 6.0
1 0 x 4.0
20 x 4.0
3.0 x 4.0
1.0 x 6.0
( ) No - A major problem from an
LO x 6.0
operations newpoint 4.0 x 6.0
-
-
-
-
-
-
-
-
-
Total
Risk
Score
Adapted from Computer Security - A Manual with Case Studies by S.Rao
Vallabhaneni.

5.
6.
7.
8.
9.
Criterion
Are user exits employed in the systems
software implementation and operation?
0 No
( Yes - in a few cases
( { Yes - in many cases
Are powerful utility pro rams protected
and controlled properly!
[ { E:ally yes
() No
Are options and parameters in systems
software products propertly selected,
used, and logged?
( ) yes
( ) Usually yes
0 No
Time since last audit:
( ) Less than one year
( ) Less than two years
( ) More than two years
Last audit results :
( ) Good controls
( ) Adequate controls, but need
improvement
( ) Inadequate controls
Risk Criterion
x
Value Weieht
1.0 x 5.0
20 x 5.0
4.0 x 5.0
1.0 x 4.0
20 x 4.0
3.0 x 4.0
1.0 x 4.0
2.0 x 4.0
3.0 x 4.0
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
1.0 x 5.0
2.0 x 5.0
4.0 x 5.0
=
-
-
-
-
-
Total
Risk
Score
Total score for systems sohare security category.

APPENDIX F
xii
Risk Assessment Worksheet for Telecommuoicstions Security1
CompanyDivisionlUnit
Name of the organisation assessed
1.
2.
3.
4.
-- -
Criterion
Are standards, policies and guidelines
about telecommunications security
distributed to employees? If so, are they
adequate and up-to-date?
I1
Yes - fully adequate and up-to-date
Yes - reasonably adequate and up-todate
but need improvement
( ) Not distributed - inadequate and not
up-to-date
Is access control security systems software
in place, and is it used effectively to
control access to telecommunications
programs and data files ?
( ) Yes - used effectively
( ) Yes - not used effectively
( ) Not in place
Are the access rules or privileges
established in the security software for
accessing telecommunications programs
and data files always in line with
employee job duties ?
l i yes ' a'"
Usually not a major problem
No - a major problem from an
operations viewpoint
Are terminal IDS part of the user
identification and authentication process?
( ) Yes - always
( ) Yes - not always
0 No
Date :
Risk Criterion
x
Value Weight
1.0 x 4.0
2.0 x 4.0
3.0 x 4.0
1.0 x 6.0
2.0 x 6.0
4.0 x 6.0
1.0 x 6.0
2.0 x 6.0
4.0 x 6.0
1
1.0 x 6.0
2.0 x 6.0
3.0 x 6.0
"
=
=
=
=
=
=
=
=
=
=
=
=
Total
Risk
Score
Adapted from Computer Security - A Manual with Cose Studies by S.Rao
Vallabhaneni.

5.
6.
7.
Criterion
Are security - related cotnrols over
program data, and message transmission
activities adequate and effective (e.g.,
encryption with key management,
message sequence numbers, bit counts,
call-back?)
( ) Yes - fuly adequate and effective
( ) Yes - reasonably adequate and
effective but need improvement
( ) Not at all adequate or effective
I I
Time since last audit :
Less than one year
Less than two years
( ) Two years or more
Last audit results :
( ) Good controls
( ) Adequate controls, but need
improvement
( ) Inadequate controls
Total score for telecommunications security category
Risk Criterion
x
Value Weight
1.0 x 8.0
20x 80
3.0 x 8.0
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
1.0 x 5.0
2.0 x 5.0
4.0 x 5.0
=
=
=
=
=
=
=
=
=
=
Total
Risk
Score

xiv
APPENDIX G
Risk Assessment Worksheet for Computer Operations Security'
CompanyDivisionNnit
Name of the organisation assessed Date :
1.
Criterion
Are standards, policies, and guidelines
about computer operations security
distributed to employees? If so, are they
adequate and up-to-date?
Risk
Value
Criterion
x
Weight
=
Total
Risk
Score
2.
3.
( ) Yes - fully adequate and up-to-date
( ) Yes - reasonably adequate and up-todate
but need improvement
( ) Not distributed - inadeuate and not
up-to-date
Is access control security systems software
in place, and is it used effectively to
control computer operations staffs access
to applications and systems software
program and data files?
( ) Yes - used effectively
( ) Yes - not used effectively
( ) Not in place
Are the access rules or privileges
established in the security software for
computer operations staff accessing
applications and systems software
programs and data files always in line
with employee job duties ?
( ) Yes - always
( ) Usually not a major problem
( ) No - a major problem from an
operations viewpoint
1.0 x 4.0
2.0 x 4.0
3.0 x 4.0
1.0 x 6.0
2.0 x 6.0
4.0 x 6.0
1.0 x 6.0
2.0 x 6.0
4.0 x 6.0
=
=
=
=
=
=
=
=
-
Adapted from Computer Security - A Manual wilh Case Studies by S.Rao
Vallabhaneni.

Criterion
Risk
Value
Criterion
x
Weight
=
Total
Risk
Score
4.
5.
What is the degree of sophistication of
computer hardware and peripheral
equipment?
( High
( ) Medium
0 L.Ow
Time since last fire drill and other
emergency tests conducted :
( ) Six months
( ) One year
( ) Two years
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
1.0 x 4.0
2.0 x 4.0
3.0 x 4.0
=
=
=
=
=
=
6.
7.
Time since last audit :
( ) Less than one year
( ) Less than two years
( ) Two years or more
Last audit results :
( ) Good controls
( ) Adequate controls, but need
improvement
( ) Inadequate controls
1.0 x 4.0
2.0 x 4.0
4.0 x 4.0
1.0 x 5.0
2.0 x 5.0
4.0 x 5.0
=
=
=
-
=
=
'otal score for computer operations security category.

APPENDIX H
QUESTIONNAIRE FOR EVALUATING THE PERFORMANCE OF
THE AUDIT APPROACH, GENERALLY IN A COMPUTERISED
ENVIRONMENT
Scoping the Environment
Yes / Nn
1. Is there a full understanding of the audit
objectives?
2. Is there an understanding as to where the
audit is to be conducted, the resources
needed. etc.?
3. Is an entrance conference conducted to
explain to the auditees the objective of
computer audit to establish working ground
rules?
4. Is background information obtained
regarding the ove~ew
of the auditee and
data processing function?
Understanding the information system
5. Do you interview the computer department
staff and gather documents about the
information system?
5. Do you prepare an application flowchart to
understand who is responsible for evidential
matters (both paper and electronic) and
also to know the storage location of the
evidence?

xvii
Yes / No
7. Do you review the application flowchart
with the data processing project team to
ensure proper understanding of the
information system?
Identifj the audit risks
8. Do you create a risk analysis team to help
in the risk assessment process?
9. Are risks associated with a specific
environment identified?
10. Is any attempt made to determine the
magnitude of risks (example high, medium,
low)?
11. Are the risks prioritised so as to determine
the sequence in which audit resources will
be expanded?
Identify audit evidence
12. Is all the evidence produced by the
Information systems listed out?
13. Is the audit evidence documented, specially
in view of the evidence being electronic?
Identify key cnntml points
14. Is the application flow-chart reviewed to
locate possible risk areas?
15. Is the application flow-chart examined
critically to document key controls?
'dentify the contml weaknesses
6. Is the associated manual operations and
computer processing reviewed to identify
instances when too much responsibility is
vested in a single individual?

xv~ii
Yes 1 No
17. Is there any review of preparation of
transactions/control matrix to evaluate
controls and weaknesses?
18. Is there any analysis and documentation of
potential control weaknesses?
VeriPy the integrity of computer files
19. With a view to decide on performing
substantive testing and compliance testing,
are computer files identified for
examination?
20. Are steps taken to save such of those files
which have been selected for performing an
audit?
21. Are steps taken to veriFy integrity of
computer file?
22. Are steps taken to verity the integrity of
data on the file?
Conduct the audit tests
23. Are steps taken to design the audit tests?
24. Is a proper test tool selected and prepared?
25. Is the audit tool so selected extensively
tested to ensure that it performs well?
26. Are the test results along with other
relevant material used to ensure accuracy of
computer processing?
Conclude the audit
27. Based on the tasks performed are the audit
findings developed?
28. Are suitable audit recommendations
developed?
29. Is an appropriate audit report prepared?
30. Are steps taken to ensure that proper
action is taken on the findings and
recommendations?

BIBLIOGRAPHY
BOOKS
1. Andrew S. Tanabaum -Operating System, Design &Implementation, Prentice
Hall of India Pvt Ltd., New Delhi, 990.
2 Brian Jenkins & Anthony Pinkney - An Audit Approach to Computers - A
New Practice Manual, Thc Institute of Chartered Accountants in
England & Wales, 1978.
3. Charlotte Eudy Mcconn, M.S.CDP - Business Computer Systems - Design,
Programming and Maintenance with case studies - Prentice Hall of
India Private Ltd. New Delhi, 1990.
4. Donn B. Parker - Managers Guide to Computer Security - Reston Publishing
Company Inc. A prentice - Hall Company, Reston, Virginia, 1981.
5. Donald k Watne & Peter B.B. Turney - Auditing EDP Systmes - Second
Edition - Prentice Hall lnternational INC. Parts 1 & 2, 1984
6. N. Derek Arnold - Unix Security - A Practical Tutorial - McGRAW HILL
Inc., 1992
7. Dimitris N. Chorafas - Designing & Implementing Local Area Networks -
McGRAW HILL Inc. 1984.
8. Elise G. Jancura Robert Boos - Establishing Controls and Auditing the
Computersied Accounting System - Van Nostrand Reinhold Company,
1981
9. Elise G. Jancura - Audit and Control of Computer Systems - 1974.
10. Graeme Ward & Denis Marshall - Internal Audit Hand Book -
Recommended Codes and Practices for the audit of Data Processing
Activities - The Institute of Internal Auditors UK, 1980.
11. Gordon B. Davis - Auditing & EDP - American Institute of Certified Public
Accountants, New York, 1968.

Gordon C Everst - Database Management Objectives, Systems Function and
Administration, MGRAW Hill, New York, USA, 1986.
Javier F. Kuong, Gerald LIsaacson, Chester M.Winters - Microcomputer
Security, Auditability and Controls - Management Advisory
Publications? P.O.Box 151, Wellesley Hills MASS. 02181, 1985.
Javier F. Kuong - Controls for Advanced on-IineData Base System -
Management Advisory Publications, MASS. 02181, 1983.
James Arlin Cooper - Computer & Communications Security - Strategies for
1990s - McGRAW HALL Company, 1989.
Jason Lamb, Stanley (STOSH) R. Jarocki & Anna M.Seijas - Netware
Security: Configuring and Auditing a Trusted Environment - A Novell
Cooperative Research Report, 1991.
John Muster, Peter Birn and Lumix - Unk Power utilities for power users,
BPB Publications, New Delhi, 1989.
T, Perry, Joseph G. Lateer - Understanding Oracle BPB Publications, Delhi,
India. 1989.
R.V. Jacobson - PC Vim Contorl Handbook, Miller Freeman Publications,
San Francisco, U.S.A, 1990.
Keith Heamden - A hand book of Computer Security - Kogan Page.
Kamal Gupta - Contemporary Auditing - Third Edition - Tata McGRAW HIll
publishing Company Ltd., New Delhi, 1986.
Kishor Shah S. Tandon A Bane ji & Pinki Shah - Guide to Computer Data
Processing for Accountants and Auditors. Wadhwa and Company,
Nagpur, India, 1987.
V.P. Lane - Security of Computer Based Information Systems - Macmillan
Education Ltd., 1985.

Michael A. Murphy, Xenia Ley Parker - Hand Book of EDP Auditing -
Second Edition Coopers & Lybrand, Warren Gorham & Lamond,
Boston, New York, 1989.
Michael G. Grottola - The Unix Audit - Using Unix to Audit Unix, 1993.
Per Brinch Hansen - Operating System Principles -Eastern Economy Edition,
1990.
Paul J. Rutternan & Arthur Young McClell ind - Flowcharting for Auditors
(Moors & Co), 1976.
S. Rao Vallabhaneni - Auditing the Maintenance of Software - Prentice Hall,
Inc. Englewood Clifts, NJ 07632, 1987.
S. Rao Vallabhaneni - Auditing Operational Application Systems on Large
Computers - A Step-By-Step Audit Approach - The EDP Auditors
Foundation A'idit Guide Series, 1985.
S. Rao Vallabhaneni - Auditing Computer Security - A manual with case
studies - John wiley & Sons, New York, 1990.
S. Rao Vallabhaneni - Auditing Computer Security - A manual with case
studies - John Wiley & Sons, New York, 1989.
Roben T. Mwller, - Computer Audit, Control and Security - John Wiley &
Sons, New York, 1989.
Ron Webber - EDP Auditing - Conceptual Foundations and Practice - I1
Edition - MCGRAH HALL International Editions, 1980.
Ruth Ashley - Judi N.Fernandez - Teaching Yourself Unix - BPB Publications,
1990.
Sybil P. Parker - McGRAW HILL Dictionary of Computers - McGRAW
HILL Book Company, 1989.
AJ. Thomas & LJ. Douglas - Audit of Computer Systems - Ncc Publications,
Manchester, England, 1983.

W. Thomas Porter, William E Perry - EDP Contmls and Auditing - Third
Edition - Touche Ross & Co., William E Peny Enterprises Inc Kent
Publishing Company, Boston, MASS, 1981.
Ulless Black - Computer Networks - Protocols, Standards and Interfaces -
Prentice Hall International Inc. New Jersey, U.S.A., 1987.
kK Vanwasi - A Dicitionary of Computers - Khanna Publishers, Delhi - 6.
William C Mair : Donald Wood; Keagle W. Davis -Computer Control Audit
- Minnesota - Partners : Touche Ross & Co., 1978.
William E Peny - Auditing Information Systems - A step by step audit
approach - EDP Auditors Foundation Audit Guide Series, 1983.
William E. Perry - Report writing for EDP Auditors, Quality Assurance
Institute, Florida, U.S.A., 1982.
Advanced Computer Assisted Audit Techniques - Monograph Seies - The
EDP Auditors Foundation Inc. The Information Systems Control
Foundation. 1987.
Disaster Recovery : Contingency Planning & Program Evaluation - The
Chantico Series - Information Sciences Inc. MASS, 1985.
Advanced Netware - Theory of Operations - Version 2.1, Novell Inc. Provo,
UTAH, U.S.A., 1987.
A critical Review of the Certified Information Systems Auditor's Job Domain-
First Edition Cisa - Examination Review Book - Vo1.2 Practice. 1994.
Illustrated Novell Netware - BPM Publishing Inc., Delhi, India, 1989.
ED1 Control Guide - ED1 Council of Australia and EDP Auditors Association.
Guidelines to controls for Data Processing Environment - The Institute of
Internal Auditors, 1983.
Computer Security Published by Computer Society of India, 1980.
Establishing the Internal Audit Function in EDP by the Institute of Internal
Auditors Inc.

RESEARCH PUBLICATIONS
1. Institute of Internal Auditors - Systems Auditability and Control Module 8
Audit and Control Environment.
2. Institute of Intenal Auditors - Systems Auditability and Control Module 3
using Information Technology in Auditing.
3. Institute of Internal Auditors - Systems Auditability and Control Module 4
Managing Computer Resources.
4. Institute of Internal Auditors - Systems Auditability and Control Module 5
Managing Information and Developing Systems.
5. Institute of Internal Auditors - Systems Auditability and Control Module 6
Business Systems.
6. Institute of Internal Auditors - Systems Auditability and Control Module 7
End-User and Departmental Computing.
7. Institute of Internal Auditors - Systems Auditability and Control Module 8
Telecommunications.
8. Institute of Internal Auditors - Systems Adifability and Control Module 9
Security.
9. Institute of Internal Auditors -Systems Auditdility and Control Module 10
Contingency Planning.
10. Institute of Internal Auditors -Systems Auditdility and Control Module 11
Emerging Technologies.

ARTICLES
* Tommie Singleton, Dale Litisher and Judith Cassidy "Pioneers of EDP Auditing
in North America" EDP Auditor Journal, Vol. Ill, 1993.
* Howard N. Glassman "LANS are nor JS secure as you think" EDP Auditor
Journal, Vol. IV, 1993.
Zabi Rezaee 'The Possible Impact of the Coso Report on an Entity's Internal
audit function" EDP Auditor Journal, Vol. IV, 1993.
* Owen D. West and Christopher Zoladz "Microcomputer Security - Is your
organisation at Risk?" EDP Auditors Journal, Vol. IV, 1993.
* Peggy D. Dwyer anu two other "It can Happer Here : The Importance of
Continuity Planning" EDP Auditors Journal, Vol I, 1994.
* Linda Lee Larson "Data Centre Survives the 1992 Los Angeles Riots" EDP
Auditor Journal, Vol. I, 1994.
Sherrie Stickland and Norma C Powell "Microcomputers and the Internal Audit
Function : Rhetoric Vs Action" EDP Auditors Journal, Vol. I, 1989.
David A Crowell and Andrew Sundene "Data Communications Audit Concerns"
EDP Auditors Journal, Vol. ILI, 1989.
* Christopher J Calabrese "A Brief Introduction to the Unix Operation System,
EDP Auditors, Journal Vol 111. 1991.
Miklos A Vasarhelvi, Fern B. Halper and Kazuo J. Ezawa 'The continuous
Process Audit System : A Unix-Based Auditing tool" EDPA Auditors Journal,
Vol 111, 1991.

Michael J. Cerullo and M. Virginia Cerullo "Controlling Stand-Alone
Microcomputer Systems", EDP Auditors Journal Vol. IV, 1991.
Hal McDonald "ED1 Implementation Consideratons EDPA Auditors Journal,
Vol. I. 1990.
Benjamin Wright "Auditor shold be Aware of EDI's legal issues" EDPAAuditors
Journal, Vo. I, 1990.
William H. Murray "Computer - Related Crime and Auditing in the Nineties",
EDP Auditors Journal, VoLII, 1990.
J.1. "Buck" Bloom Becker "Computer Crime and Abuse (U.S.A)" EDP Auditors
Journal Vol. 11, 1990.
Robert Bigelow "Legal dimensions of Computer Crime" the EDP Auditors
Journal, Vol.11, 1990.
Jarlath O'Neil-Dunne "Computer Aided Software Engineering (Case)" EDP
Auditors Journal, Vol. 111, 1990.
Peter Sfoglia "Sybase Security" The EDP Auditors Journal, Vol.111, 1993.
James Norwal "Auditing Adabas Version 5 The EDP Auditor Journal, Vol.11,
1993.