CONTROLS AND AUDITING STANDARDS IN A
COMPUTERISED ENVIRONMENT
- A STUDY

Thesis submitted to
Pondicherry University
for the award of the degree of
DOCTOR OF PHILOSOPHY IN COMMERCE

BY
M. REVATHY SRIRAM

Guide and Supervisor
Prof. D. RAJAGOPALAN, Ph.D.

PONDICHERRY UNIVERSITY
PONDICHERRY - 605 014
Dr. D. RAJAGOPALAN
Professor and Head
Department of Commerce,
Pondicherry University,
Pondicherry - 605 014.

CERTIFICATE

This is to certify that the Ph.D. thesis entitled "Controls and Auditing Standards in a Computerised Environment - A Study" is based on the original work done by M. Revathy Sriram in the Department of Commerce, Pondicherry University, Pondicherry. The research work has not previously formed the basis for the award of any degree, diploma, associateship, fellowship or any other similar title. The entire work has been planned and carried out by the candidate under my supervision and guidance.

D. Rajagopalan
Place : Pondicherry
Date :
M. Revathy Sriram
Management Consultant
19, Second Main Road,
C.I.T. Colony,
Mylapore,
Madras - 600 004.

Research Scholar
Department of Commerce
Pondicherry University
Pondicherry - 605 014

DECLARATION

I hereby declare that the thesis entitled "Controls and Auditing Standards in a Computerised Environment - A Study" for the award of the degree of Ph.D. is my original work and it has not previously formed the basis for the award of any degree, diploma, associateship, fellowship or any other similar title.

M. Revathy Sriram
Place : Pondicherry
Date :
ACKNOWLEDGEMENT

I owe a deep debt of gratitude to my supervisor and guide, Dr. D. Rajagopalan, whose invaluable guidance and encouragement enabled the completion of the present study. His constant support has always been a source of inspiration.

I am grateful to Dr. Amarchand of the University of Madras, who has always been kind enough to spare his invaluable time to provide me helpful comments and advice.

I wish to express my sincere thanks to Dr. T.V. Subramaniam, permanent Faculty of Bharathidasan University, for his critical review. I am indebted to the auditing firms and the organisations for voluntarily co-operating and providing me the information which forms the basis of my thesis. I wish to thank Mr. V.S. Chandrasekar and Miss L. Chenchu Lakshmi for the secretarial assistance. My special thanks to Mr. K. Ramji for the special efforts in providing me support in extensive usage of word processing. My thanks are also due to my nephew Mr. R. Venkatakrishna, who helped me to prepare the charts using Harvard Graphics.

I wish to express my special thanks to Mr. D. Sambandam, Pondicherry, and all the members of his family for their constant support and encouragement.

I wish to thank the members of my family and close family friends who were a constant source of inspiration, without which this work would not have been completed.

M. Revathy Sriram
CONTENTS

Certificate
Declaration
Acknowledgement
Table of Charts and Diagrams

Chapter I      Introduction
Chapter II     Auditing Standards
Chapter III    End-User Computing
Chapter IV     Local Area Network (LAN)
Chapter V      Data Base Management System
Chapter VI     Controls in UNIX Environment
Chapter VII    Disaster Recovery Planning
Chapter VIII   Audit Approach
Chapter IX     Summary, Conclusions and Recommendations

Appendix A to 1.i
Bibliography
TABLE OF CHARTS AND DIAGRAMS

Figure 1.1 - Response to Serious Security Incidents
Figure 1.2 - Average Annual Computer Abuse Losses
Figure 1.3 - Types of Computer Crime
Figure 1.4 - Relative Seriousness of Threats
Figure 1.5 - Computer Crime Losses
Figure 1.6 - Results of California Arrests
Figure 1.7 - Use of Technology / Products in 1985, 1988 and 1991 (Chart 1)
Figure 1.7 - Use of Technology / Products in 1985, 1988 and 1991 (Chart 2)
Figure 3.1 - End-User Computing Risk / Control Levels
Figure 4.1 - On-Line System Controls and Audit Problems
Computers were originally used by organisations that could afford them. The initial costs and the subsequent running costs were affordable only by a few. Affordability of the computer by only a few is now something of the past.

The present scenario is totally different. Every organisation owns a computer of some type or the other, and the very few that do not are usually still using computers, even if not their own.

The imminent need to maintain the integrity of data processed by computers cannot be overemphasised. While controlled use of computers is an aid to management, uncontrolled use of computers will and does have an adverse impact on organisations, resulting in inaccurate and incomplete information forming the basis for decision making.

It is against this background that one has to become aware of the need for controls in the usage of computers. With the extensive technological developments in hardware and the sophisticated techniques in the development of software, the norms of control necessarily keep changing.

As it is the primary responsibility of senior management to ensure that the necessary controls are in place, they look to auditors. Auditors have a responsibility to discharge their duty and maintain professional standards. With varying types of computer environments, there are appropriate control procedures to ensure that data is processed correctly and completely.
Nature of the problem

The first of the generally accepted auditing standards issued by the American Institute of Certified Public Accountants states that the examination of the books of an organisation is to be performed by persons having adequate technical training and proficiency as an auditor. The second standard of field work specifies as follows: "A sufficient understanding of the internal control structure is to be obtained to plan the audit and to determine the nature, timing and extent of tests to be performed."

The Statements on Auditing Standards (SAS) further expect the auditor "to consider ... the complexity and sophistication of the entity's operations and systems, including whether the method of controlling data processing is based on manual procedures. As the entity's operations and systems become more complex and sophisticated, it may be necessary to devote more attention to internal control structure elements to obtain the proper understanding so as to facilitate designing effective substantive tests."

They further specify that the auditor should obtain sufficient knowledge of the accounting system to understand the accounting process involved, from the initiation of a transaction to its inclusion in the financial statements, including how the computer is used to process data.
The need for technical expertise on the part of the auditor is due to the impact of electronic data processing (computerisation of data).

The objectives of audit have not changed. It is only the means of achieving these objectives that have changed.

With the technological developments, there have been changes in hardware and software. Consequently, control concepts have necessarily changed. Hence audit approaches also need to change.
HARDWARE

Hardware has come a long way from unit record equipment. The first generation computers, characterised by vacuum tubes, gave place to second and third generation computers which utilised transistors and integrated circuits. Subsequently, fourth and fifth generation computers with more complex and sophisticated peripherals have appeared on the scene.

These changes in hardware brought, in their wake, the disappearance of "audit trails". It is the audit trail which enables the auditor to trace a transaction from a source document to a report or a total produced by the computer. The same audit trail also enables the auditor to reverse the process and find the source, background or other basic information which has figured in the final report or total. Computers with multi-programming or multi-processing facilities have come into the picture. With these concepts, it is possible to have a number of programs working simultaneously, or a single program processing different files simultaneously.
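The two directions of tracing described above, as an added example that is not part of the thesis: a posting program keeps, for every total it reports, the list of source documents behind it, so the auditor can go from a document to the total it feeds and from a total back to its documents, and can detect a printed total that no documents explain. The document numbers, account codes and amounts are constructed for illustration.

```python
"""Audit trail: forward trace (source document -> reported total) and
backward trace (reported total -> source documents), plus a reconciliation
that finds totals the trail does not support.  Added example, not from the
thesis; documents, account codes and amounts are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SourceDocument:
    doc_id: str    # invoice or voucher number written on the paper document
    account: str   # ledger account the document is posted to
    amount: int    # in paise, so that totals add exactly


@dataclass
class AuditTrail:
    """Kept by the posting program: every account total remembers the
    documents that produced it, which is exactly what gets lost when the
    machine no longer prints intermediate listings."""
    postings: dict = field(default_factory=lambda: defaultdict(list))

    def post(self, doc: SourceDocument) -> None:
        self.postings[doc.account].append(doc)

    def report(self) -> dict:
        """The totals the computer prints, one per account."""
        return {acct: sum(d.amount for d in docs)
                for acct, docs in self.postings.items()}

    def trace_forward(self, doc_id: str):
        """Source document -> (account, reported total it is included in)."""
        for acct, docs in self.postings.items():
            if any(d.doc_id == doc_id for d in docs):
                return acct, self.report()[acct]
        return None

    def trace_backward(self, account: str) -> list:
        """Reported total -> the source documents that make it up."""
        return [d.doc_id for d in self.postings.get(account, [])]

    def reconcile(self, printed_report: dict) -> list:
        """Accounts whose printed total is not explained by posted documents,
        i.e. where the trail has a gap the auditor must investigate."""
        recomputed = self.report()
        return sorted(acct for acct, total in printed_report.items()
                      if recomputed.get(acct, 0) != total)


# Constructed source documents for one posting run.
DOCUMENTS = [
    SourceDocument("INV-1001", "4000-SALES", 125_000),
    SourceDocument("INV-1002", "4000-SALES", 75_000),
    SourceDocument("VCH-2001", "5100-RENT", 40_000),
    SourceDocument("VCH-2002", "5100-RENT", 40_000),
]


def build_trail(documents=DOCUMENTS) -> AuditTrail:
    trail = AuditTrail()
    for doc in documents:
        trail.post(doc)
    return trail


if __name__ == "__main__":
    trail = build_trail()
    print("forward INV-1001 ->", trail.trace_forward("INV-1001"))
    print("backward 4000-SALES ->", trail.trace_backward("4000-SALES"))
    # A printed report whose rent total exceeds what the documents support.
    print("unexplained:", trail.reconcile({"4000-SALES": 200_000,
                                           "5100-RENT": 95_000}))
```

The reconciliation is the check a practitioner actually wants: the forward and backward traces only work for totals the trail knows about, so the printed report is compared against a recomputation from the documents, and any account that does not agree is listed for vouching.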
On-line and real time systems are much used facilities. These facilitate processing of data by transmitting it over communication lines. It is now possible for data to be entered at one terminal, processed at another terminal and the results made available at a third terminal. Real time systems enable data to be updated immediately, so that querying and obtaining such information instantaneously is possible, e.g. booking air tickets from any one office for any of the many flights on different routes and on different dates.

Along with the advancement of technology in the field of mainframe computers, there have been advances in the development of small and smaller computers. The advent of small and smaller computers has been creating big and bigger problems from the auditor's point of view. The auditor is not assured of certain basic controls which he is assured of in a mainframe computer environment.
SOFTWARE

Software consists of programs, as distinct from hardware. These programs may be written by programmers within the organisation or may be bought from vendors of software packages. Rigorous discipline is needed in the development of software before it can be permitted to "go live". Auditors need, firstly, to be aware of the discipline associated with the development of software and, secondly, to possess the knowledge to evaluate whether the discipline is being observed or not. Thirdly, and most importantly, the auditor should be in a position to assess the possible risks and losses due to non-conformity with the discipline.
Operating systems are also programs, but they are a special type of program capable of managing and supervising the activities associated with the computer system. They handle all input and output operations, schedule jobs, allocate memory space, etc. Operating systems, while conferring a great deal of benefit, are also a cause for concern. Many weaknesses in the operating system can cause havoc in the controls that are associated with computer applications.
DATA BASE MANAGEMENT SYSTEMS

A DBMS reduces redundancy of data. It links various files and controls all of them. With the advantages of a DBMS come certain audit concerns regarding the maintenance of the reliability and integrity of the different files in the DBMS. In view of the difficulty of tracing transactions forwards and backwards, the auditor must have the capacity to test the integrity of the DBMS package.
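What "testing the integrity of the DBMS" can mean in practice, as an added example that is not from the thesis: two linked files (an account master and a transaction file) are checked for referential integrity and for agreement between each stored control balance and the sum of its transactions, independently of the application that maintains them. The schema, account codes and rows are constructed; SQLite's in-memory database stands in for the DBMS, and its foreign-key pragma is used to show a DBMS whose integrity rules have been left switched off.

```python
"""Auditor's integrity test over two linked DBMS files.  Added example, not
from the thesis; schema and rows are constructed, SQLite stands in for the
DBMS."""
import sqlite3

SCHEMA = """
CREATE TABLE account (
    code    TEXT PRIMARY KEY,
    balance INTEGER NOT NULL           -- control total kept by the application
);
CREATE TABLE txn (
    id      INTEGER PRIMARY KEY,
    account TEXT NOT NULL REFERENCES account(code),
    amount  INTEGER NOT NULL
);
"""


def build_sample_db(enforce_fk: bool) -> sqlite3.Connection:
    """In-memory database in a consistent starting position.  SQLite only
    enforces REFERENCES when the pragma is on, which mirrors a DBMS whose
    integrity rules were never activated."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO account VALUES (?, ?)",
                     [("A100", 300), ("A200", 500)])
    conn.executemany("INSERT INTO txn (account, amount) VALUES (?, ?)",
                     [("A100", 100), ("A100", 200), ("A200", 500)])
    conn.commit()
    return conn


def integrity_findings(conn: sqlite3.Connection) -> list:
    """The auditor's own test of the files, independent of the application."""
    findings = []
    # 1. Referential integrity: transactions that point at no master record.
    orphans = conn.execute(
        "SELECT t.id FROM txn t LEFT JOIN account a ON a.code = t.account "
        "WHERE a.code IS NULL").fetchall()
    findings += ["orphan txn %d" % i for (i,) in orphans]
    # 2. Control totals: stored balance versus recomputed sum of transactions.
    mismatches = conn.execute(
        "SELECT a.code, a.balance, COALESCE(SUM(t.amount), 0) "
        "FROM account a LEFT JOIN txn t ON t.account = a.code "
        "GROUP BY a.code HAVING a.balance != COALESCE(SUM(t.amount), 0)"
    ).fetchall()
    findings += ["balance mismatch %s: stored %d, from txns %d" % row
                 for row in mismatches]
    return findings


def insert_orphan(conn: sqlite3.Connection) -> bool:
    """Post a transaction to a non-existent account.  Returns True if the
    DBMS accepted it, i.e. the integrity rule is not being enforced."""
    try:
        conn.execute("INSERT INTO txn (account, amount) VALUES ('A999', 50)")
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def alter_balance_without_txn(conn, code: str, new_balance: int) -> None:
    """Simulate a direct edit of the master file that bypasses the application."""
    conn.execute("UPDATE account SET balance = ? WHERE code = ?",
                 (new_balance, code))
    conn.commit()


if __name__ == "__main__":
    lax = build_sample_db(enforce_fk=False)
    print("clean files:", integrity_findings(lax))
    print("orphan accepted:", insert_orphan(lax))
    alter_balance_without_txn(lax, "A200", 650)
    print("findings:", integrity_findings(lax))
    strict = build_sample_db(enforce_fk=True)
    print("orphan accepted with rules on:", insert_orphan(strict))
```

The point of running both checks from outside the application is that a DBMS which accepts the orphan row will also have reported nothing wrong; the auditor's test is what exposes the unenforced rule and the balance that was edited without a transaction.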
LOCATION OF THE COMPUTER CENTRE

The practice of installing computers primarily for performing accounting applications, and subsequently developing other incidental applications, was the cause for the computer coming under the purview of the finance department. The Financial Controller generally was the administrative head of the Data Processing Department.

With the awareness created for computer usage and the eagerness of user departments to develop their own applications, the concept of "End User Computing" has come into existence. The controls that go with multiple terminals, multiple users and multiple system groups have a multi-dimensional aspect and impact.
AUDIT

Ignoring the computer and treating it as a black box is no longer valid. An auditor cannot effectively function by auditing around the computer; auditing has come of age, and the auditor has to audit through the computer, "if not with the computer". While auditing through the computer, the auditor tests the client's computer programs by providing his own data and analysing the results.

While auditing with the computer, the auditor has his own generalised audit software which performs the audit functions on the computer system. Computerisation is taking place utilising the latest technological developments to full advantage. It is presumed that the controls that are necessarily associated with each type of environment are built into the system. An auditor, who has the professional responsibility of giving his opinion on the statements audited by him, should possess adequate skills and capabilities to do so, irrespective of whether statements and standards have been pronounced by professional bodies or not.
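Both approaches in the two paragraphs above, as one added example that is not from the thesis. Auditing through the computer: the auditor's test deck, each record carrying the result the programmed controls should give, is run against the client's program, and every disagreement is listed. Auditing with the computer: generalised audit routines (re-footing a control total, exception listing, duplicate detection, systematic sampling) are run over the client's payroll file. The "client" program, its controls and limits, and every record are constructed for illustration; a deliberately defective copy of the program is included only to show what the test deck catches.

```python
"""Auditing through the computer (test deck) and with the computer
(generalised audit routines).  Added example, not from the thesis; the
client program, its limits and all records are constructed."""

MAX_HOURS = 60                                     # assumed programmed limit
RATE_LIMITS = {"A": (100, 200), "B": (200, 400)}   # assumed grade -> (min, max) rate


def client_payroll(rec: dict) -> tuple:
    """The auditee's program: programmed controls, then gross pay."""
    grade, hours, rate = rec["grade"], rec["hours"], rec["rate"]
    if grade not in RATE_LIMITS:
        return ("REJECT:grade", 0)
    low, high = RATE_LIMITS[grade]
    if not low <= rate <= high:
        return ("REJECT:rate", 0)
    if hours > MAX_HOURS:
        return ("REJECT:hours", 0)
    return ("OK", hours * rate)


def client_payroll_defective(rec: dict) -> tuple:
    """Same program with an off-by-one in the hours control (exactly 60
    hours is wrongly rejected); here only to show what the deck detects."""
    status, pay = client_payroll(rec)
    if status == "OK" and rec["hours"] >= MAX_HOURS:
        return ("REJECT:hours", 0)
    return (status, pay)


# --- Auditing through the computer -----------------------------------------
# The auditor's own test deck, with the result each record should produce,
# including invalid and boundary cases.
TEST_DECK = [
    ({"emp": "E1", "grade": "A", "hours": 40, "rate": 150}, ("OK", 6000)),
    ({"emp": "E2", "grade": "A", "hours": 61, "rate": 150}, ("REJECT:hours", 0)),
    ({"emp": "E3", "grade": "B", "hours": 40, "rate": 500}, ("REJECT:rate", 0)),
    ({"emp": "E4", "grade": "Z", "hours": 40, "rate": 150}, ("REJECT:grade", 0)),
    ({"emp": "E5", "grade": "A", "hours": 60, "rate": 200}, ("OK", 12000)),  # boundary
]


def run_test_deck(program, deck=TEST_DECK) -> list:
    """Records where the client's program disagrees with the expected result."""
    return [(rec["emp"], expected, program(rec))
            for rec, expected in deck if program(rec) != expected]


# --- Auditing with the computer --------------------------------------------
# Constructed payroll file as produced by the client, with its printed
# control total (which predates the duplicated line).
PAYROLL_FILE = [
    {"emp": "E10", "gross": 6000}, {"emp": "E11", "gross": 9500},
    {"emp": "E12", "gross": 24000}, {"emp": "E11", "gross": 9500},
    {"emp": "E13", "gross": 7200},
]
PRINTED_CONTROL_TOTAL = 46700


def refoot(records, printed_total: int) -> int:
    """Recompute the file total; returns its difference from the printed figure."""
    return sum(r["gross"] for r in records) - printed_total


def exceptions(records, limit: int) -> list:
    """Items above a threshold the auditor sets, for individual vouching."""
    return [r["emp"] for r in records if r["gross"] > limit]


def duplicates(records) -> list:
    """Employee numbers paid more than once in the run."""
    seen, dups = set(), []
    for r in records:
        if r["emp"] in seen and r["emp"] not in dups:
            dups.append(r["emp"])
        seen.add(r["emp"])
    return dups


def systematic_sample(records, interval: int, start: int = 0) -> list:
    """Every n-th item, a simple selection for substantive testing."""
    return [r["emp"] for r in records[start::interval]]


if __name__ == "__main__":
    print("deck vs live program:", run_test_deck(client_payroll))
    print("deck vs defective copy:", run_test_deck(client_payroll_defective))
    print("refoot difference:", refoot(PAYROLL_FILE, PRINTED_CONTROL_TOTAL))
    print("exceptions over 20000:", exceptions(PAYROLL_FILE, 20000))
    print("duplicates:", duplicates(PAYROLL_FILE))
    print("sample:", systematic_sample(PAYROLL_FILE, 2))
```

The boundary record (exactly 60 hours) is the one a test deck must contain: it passes the live program and is the only record the defective copy fails, which is how an off-by-one in a programmed control is found without reading the source. The re-footing difference of 9500 equals the duplicated line, so the three routines together tell the auditor both that the printed total is wrong and why.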
DISASTER RECOVERY PLANNING OR CONTINGENCY PLANNING

A fire which would merely char the edge of a leather-bound ledger is adequate to bring down an entire computer installation. Organisations are no longer mere users of computers; they depend on them for their present existence and their survival in the future. Natural calamities like fire and floods, other catastrophes, magnetic fields, viruses and intentional sabotage by insiders and outsiders of the organisation are dangers to be safeguarded against. Specific procedures need to be followed by organisations.
It is necessary to have an elaborate, workable disaster recovery plan so that, while all preventive steps are taken to prevent a disaster, there is a plan to recover from the disaster, well within the critical period, should it occur.

While furniture and fixtures are insured and the auditor checks the validity of the insurance policy, there is generally no such procedure adopted with regard to computers. Computers are at most insured for their actual cost. No policy is considered to cover the cost of developing the programs, the cost of re-creating the data, or the consequential loss to the business.
The literature in the field of EDP audit and control is very extensive. Computerisation having been introduced in developed countries like the USA, the UK and Australia for more than five decades, the awareness of controls and the need for specific audits evaluating the adequacy or otherwise of controls in a particular environment have long been in existence. Along with the development of technology the controls have changed, and necessarily the auditors have to keep pace with the same.
SURVEY OF LITERATURE

Over 50 publications, mainly from the U.S., U.K. and Australia, have been studied and about 25 have been reviewed. From the extent of the survey conducted, surprisingly, it is found that there has been no publication yet in India. This may be due to the fact that computerisation in our country has not been in place as long as in other countries to have reported cases of fraud!
None of the professional bodies in India seems to have issued any standards or statements, as revealed by a review of the standards issued by the professional bodies in India.

A practice manual by Brian Jenkins and Anthony Pinkney¹ provides a practical approach for an auditor expressing an audit opinion on the financial statements of companies where the preparation of accounting information has been computerised. Being a publication of a professional body, it is of particular relevance to practising accountants who are performing audits in a computerised environment. The principal objective of an audit is for the auditor to ascertain whether, in his opinion, the financial statements on which he is reporting show a true and fair view of the state of affairs. It is important to note the principal features of the audit approach as mentioned by the authors. The features mentioned are:

i) Each task undertaken by an auditor is a necessary part of the total work leading up to his report on the financial statements. Thus, the auditor has to concentrate his efforts on identifying those activities which would impact the truth and fairness of the financial statements.

ii) All stages in the audit are related to each other. Thus, the audit work and evaluation of controls is very closely related to the validation or verification of the financial statements.

iii) The approach is designed to provide alternative audit procedures so as to enable the most efficient audit in particular circumstances.

¹ Brian Jenkins and Anthony Pinkney, "An audit approach to computers", England, The Institute of Chartered Accountants in England and Wales, 1978.
iv) The approach and documentation are developed internationally. However, the statutory requirements and policies are based on U.K. law.

The legal procedures and other statutory requirements are not relevant to our country. However, the fact remains that the auditor should understand the accounting system, evaluate the system of internal control and carry out functional tests to satisfy himself that the controls are in place and working the way they should. This approach is the same whether it is a computer system or a non-computer system. Great emphasis is laid on understanding and recording the system. The book also recognises the usage of flow charts and/or narrative notes.

While discussing the audit approach for the evaluation of internal controls, the authors emphasise the fact that for an effective evaluation it is first necessary to understand the nature of controls in a computer system. The auditor is expected to be conversant with "user controls, programmed procedures and integrity controls". Programmed procedures include process controls, while integrity controls are controls over programs and files. They deal with implementation procedures, program security, computer operations and data file security controls. As a means to evaluate controls, it is suggested that an internal control questionnaire based on control objectives be prepared and the necessary information gathered. It is emphasised that control objectives do not change in any environment; the means of achieving these objectives differ depending upon the environment.

Chapter IV has a detailed discussion on programmed control procedures. These procedures ensure that only valid transactions are processed and recorded completely and accurately.
Chapters V and VI deal with integrity controls and their evaluation. The integrity controls are divided into:

(a) Implementation controls
(b) Program security controls
(c) Computer operation controls
(d) Data file security controls and
(e) System software

Implementation controls deal with the adequacy of procedures for the programs expected to be implemented. These may consist of new programs, including systems being developed, or existing systems and programs being changed. The more important of the procedures while implementing a new system are:

(a) System design and program preparation
(b) Program and system testing
(c) Cataloguing

Cataloguing is defined as the procedures associated with making "test programs" into "live programs". Cataloguing will include both manual and software procedures. The concept of program security controls is discussed. These controls ensure that unauthorised changes are not made to the production programs. This is of particular importance to the auditor, as an unauthorised change may be made by an individual so that he would benefit from the same, for example by receipt of increased wages or excess drawal from his account balance.
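One software procedure that serves both the cataloguing step and the program security control described above, as an added example that is not from the thesis: when a tested program is moved into the live library, a cryptographic fingerprint of its source is recorded together with who authorised the move; a later check recomputes the fingerprints of what is actually in production and reports anything that differs from the record, is missing, or was never catalogued. The program names and sources (including the self-serving change to the payroll program) are constructed for illustration.

```python
"""Cataloguing record plus production-library verification.  Added example,
not from the thesis; program names and sources are constructed."""
import hashlib


def fingerprint(source: bytes) -> str:
    """SHA-256 of the program source exactly as catalogued."""
    return hashlib.sha256(source).hexdigest()


def catalogue(programs: dict, approved_by: str) -> dict:
    """Cataloguing: the record made when test programs become live programs.
    Keyed by program name; stores the hash and who authorised the move."""
    return {name: {"sha256": fingerprint(src), "approved_by": approved_by}
            for name, src in programs.items()}


def verify_production(live: dict, catalogued: dict) -> list:
    """Compare the production library against the catalogue.  A program that
    differs, is missing, or was never catalogued is a finding."""
    findings = []
    for name, entry in catalogued.items():
        if name not in live:
            findings.append("%s: catalogued but missing from production" % name)
        elif fingerprint(live[name]) != entry["sha256"]:
            findings.append("%s: differs from catalogued version" % name)
    for name in live:
        if name not in catalogued:
            findings.append("%s: in production but never catalogued" % name)
    return sorted(findings)


# Constructed program library at cataloguing time.
TESTED_PROGRAMS = {
    "PAYROLL": b"gross = hours * rate\n",
    "LEDGER":  b"balance = balance + amount\n",
}

# The same library some months later, with the kind of change the text warns
# about: one employee's pay is quietly doubled, and an unrecorded program
# has appeared in production.
PRODUCTION_NOW = {
    "PAYROLL": b"gross = hours * rate\nif emp == 'E7': gross = gross * 2\n",
    "LEDGER":  b"balance = balance + amount\n",
    "PATCH1":  b"remove_audit_log()\n",
}


def audit_example() -> list:
    """Catalogue the tested library, then verify today's production library."""
    record = catalogue(TESTED_PROGRAMS, approved_by="DP manager")
    return verify_production(PRODUCTION_NOW, record)


if __name__ == "__main__":
    for finding in audit_example():
        print(finding)
```

The check is only as strong as the catalogue's protection: if the people who can alter production programs can also rewrite the catalogue record, both will agree and nothing is found. In practice the record is kept where operations staff cannot write to it, and the auditor computes the fingerprints himself rather than trusting a listing produced by the installation.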
While dealing with compliance tests, which are referred to as functional tests, an exhaustive tabular statement illustrating a specimen test corresponding to the nature of each control is provided.

The chapter "Audit Responsibility to internal control weakness" is of particular importance. The initial step in the audit approach is that the auditor should be able to identify internal control weaknesses, if any, and thereafter assess the impact of such a weakness on the financial statements. He has to assess the materiality of such a weakness. Should the auditor decide, based upon his assessment of the weakness, that a material error could occur, he should take such steps as to satisfy himself whether such an error has arisen and, if it has arisen, the extent of the same.

This publication of the Institute of Chartered Accountants in England and Wales drives home the point that a professional body has recognised the need for a different approach to audit in a computerised environment as distinct from a manual system. In view of the book having been published as early as 1978, technology-wise it is not up to date. However, it is of relevance to note that the professional body has deemed it necessary to publish a book of this nature to create an awareness and provide guidance to the members of the Institute.
The objectives of auditing in an EDP environment² have been laid down as follows:

(i) To guide CPAs in auditing business enterprises which use computers for record keeping.

² Gordon B. Davis, "Auditing & EDP", New York, American Institute of Certified Public Accountants, 1968.
(ii)<br />
(iii)<br />
(iv)<br />
To provide a start<strong>in</strong>g po<strong>in</strong>t for build<strong>in</strong>g a consensus of expert op<strong>in</strong>ion on an<br />
<strong>audit<strong>in</strong>g</strong> practices for exam<strong>in</strong><strong>in</strong>g such companies<br />
To suggest utility <strong>and</strong> applicability of different <strong>audit<strong>in</strong>g</strong> methods when<br />
experiena is still lack<strong>in</strong>g.<br />
To provide soura materials for tra<strong>in</strong><strong>in</strong>g <strong>and</strong> <strong>in</strong>formational purpose. It is of<br />
great importance to note that this publication is dated as early as 1968<br />
Specific mention is made of the fact that EDP does not lessen the need for<br />
an evaluation of the system of internal control. On the contrary, it appears that<br />
increased emphasis must be given in the review of internal control to ascertain that<br />
it is effective. It is pertinent to quote what was stated as early as 1968: "Computers<br />
have been commercially available for fifteen years and the recency of the major<br />
impact can be appreciated by noting that it made in 1967 every use of all computers<br />
had been done in the preceding year; the number was expected to double again in<br />
the succeeding three years."<br />
This statement is very relevant to the fact that though computers have<br />
been in existence in our country for more than 40 years in some form or the other,<br />
technological developments and usage of computers in the last ten years have more<br />
than doubled compared to that in the previous three decades. Though the technology<br />
referred to in the book is out-dated, the concepts are of great relevance. The<br />
input, processing and output controls are discussed at great length.<br />
In view of technological developments in the computer medium, some of the<br />
concepts on hardware are not of relevance. However, the presentation regarding<br />
programmed control over processing, evaluation of internal control and safeguarding<br />
of records and files is of current relevance. There is reference to three methods of<br />
auditing, viz.:<br />
(a) Auditing without the computer<br />
(b) Auditing through the computer<br />
(c) Auditing with the computer<br />
In the current context of technological developments, auditing without the<br />
computer has no relevance. It is more appropriate to audit with the computer. In the<br />
absence of such skill and competence, auditing through the computer may be an<br />
acceptable standard for effective auditing.<br />
The questionnaire for evaluation of internal control is divided into the<br />
following significant paragraphs, each paragraph having useful questions:<br />
(a) Background<br />
(b) Organisation<br />
(c) Control function<br />
(d) Control over console<br />
(e) Management practices<br />
(f) Documentation<br />
(h) Program revisions<br />
(i) Hardware controls<br />
(j) Control over input and output data<br />
(k) Process control relevant to each application<br />
(l) Control over error investigation<br />
(m) Physical safeguards over files<br />
(n) Procedural controls for safeguarding files<br />
(o) Capability for file reconstruction.<br />
The questionnaire provides more than a starting point for the auditor who<br />
wishes to make a beginning.<br />
The questions are numbered A, B or C according to their general control<br />
significance:<br />
A - Control element which may affect the auditor's evaluation of<br />
internal control<br />
B - Control element which tends to affect data processing safeguards, but is<br />
not likely to affect the audit procedures<br />
C - Application affecting operational effectiveness or efficiency.<br />
Elise G. Jancura and Robert Boos dealt with<br />
Controls in system design and development<br />
Controls in distributed and integrated systems.<br />
A detailed flow chart specifying the operation, the designation of the person<br />
performing the operation and the process is explained in depth. Though the<br />
narration is cumbersome, the splitting up of the entire operations into various ingredients<br />
and the connecting of each step to the main flow chart is useful. The chapter on computer<br />
assisted auditing techniques deals with the test data method, parallel simulation and<br />
the usage of other programs written for a specific purpose or generalised audit software.<br />
1. Elise G. Jancura and Robert Boos, "Establishing controls and auditing the<br />
computerised accounting system", New York, Van Nostrand Reinhold<br />
Company, 1981.
While this book makes an attempt at emphasising the need for establishing<br />
controls and auditing the computerised accounting system, it does not specifically<br />
highlight the methodology to be adopted by EDP auditors.<br />
W. Thomas Porter and William E. Perry have discussed the impact of EDP<br />
on auditing and control. They have discussed the concept of information as distinct<br />
from data. They have brought out the fact that one of the most difficult tasks an<br />
auditor has to perform while auditing is comprehending the systems. Flow charting<br />
is one of the very valuable tools that help the explanation of a system function. The<br />
concept of flow charting, with detailed instructions and illustrations, is well brought<br />
out. There is the problem of timeliness. There are tendencies very often to modify<br />
the system without updating the appropriate flow charts. This problem could be got over<br />
by utilising the facilities provided in automatic flow-charting systems. Flow charts<br />
of a programme could be obtained from the source code statements. A specific<br />
mention is made of 'HIPO' (Hierarchy plus Input, Process, Output), which is a<br />
documentation aid. It has the ability not only to document the functions but also to<br />
show the hierarchical inter-relationships between these functions. This aspect is<br />
extremely useful to the auditor. The subsequent chapters deal with controls in EDP<br />
systems under two categories:<br />
(a) General and administrative controls<br />
(b) Application controls<br />
Every system is liable to have an exposure. Exposures or risks are threats to<br />
a system. Controls are a means to reduce these risks. In a computerised system, there<br />
1. W. Thomas Porter and William E. Perry, "EDP Controls and Auditing", Third<br />
edition, Kent Publishing Company, Boston, Massachusetts, 1981.
is a concentration of duties and functions which leads to a certain complexity. Hence<br />
there is greater potential for control problems.<br />
Administrative controls deal with policies and procedures. They cross<br />
application boundaries in view of the centralisation of the data processing activities.<br />
There is a concentration of many processing steps. In view of this, there needs to be<br />
segregation of duties, especially in incompatible functions like programming and<br />
operation. A useful checklist for organisational control is provided. Organisation of<br />
the EDP department is of utmost importance and special attention should be paid to the<br />
following:<br />
(a) Systems and programming controls<br />
(b) Review and approval of new systems<br />
(c) Programming-testing procedures<br />
(d) Programming-change procedures<br />
(e) Documentation standards<br />
These would ensure a high degree of processing reliability. There should be<br />
standards established for operating practices. They should include:<br />
(a) Access to computer room<br />
(b) Library and file control standards<br />
(c) Data conversion standards<br />
(d) Physical security of files and equipment<br />
(e) Back-up facilities<br />
(f) Passwords.<br />
1. W. Thomas Porter and William E. Perry, "EDP Controls and Auditing", Third<br />
edition, Kent Publishing Company, Boston, Massachusetts, 1981.
An interesting problem from a live case has been presented. It deals with the Equity<br />
Funding insurance fraud.<br />
Application controls are designed to meet the specific control requirements<br />
of each processing application. The controls are classified as preventive, detective and<br />
corrective controls. Preventive controls are controls which stop problems from<br />
occurring and are expected to help "things happen as they should". Preventive controls are<br />
located throughout the entire EDP system. These are executed before the data<br />
enters the system.<br />
The more important of the preventive controls as discussed are:<br />
(a) Source data authorisation<br />
(b) Data conversion<br />
(c) Turn-around documents<br />
(d) Pre-numbered forms<br />
(e) Input validation<br />
(f) Controls over processing<br />
Detective controls are expected to bring potential problems to the attention<br />
of individuals for appropriate action. Examples of detective controls are:<br />
(a) Control register<br />
(b) Control totals<br />
(c) Documentation and testing<br />
(d) Labels<br />
(e) Output<br />
1. W. Thomas Porter and William E. Perry, "EDP Controls and Auditing", Third<br />
edition, Kent Publishing Company, Boston, Massachusetts, 1981.
Corrective controls arise in the investigation and correction of the causes of<br />
exposures which have been detected. Typical examples of corrective controls are:<br />
(a) Audit trails<br />
(b) Discrepancy reports<br />
(c) Back up and<br />
(d) Recovery<br />
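The three classes of controls above can be seen working together on a single batch of input. The following is an added example, not code from the thesis or from Porter and Perry; the record layout, the 8-digit account format, the item limit and the sample batch are assumptions made for illustration.

```python
"""Application controls over one batch of input transactions: added example,
not code from the thesis or from Porter and Perry. The record layout
seq,account,date,amount, the 8-digit account format, the item limit and the
sample batch are constructed assumptions. Preventive: field validation;
detective: pre-numbered sequence check and control totals reconciled to the
control register; corrective: discrepancy report and audit trail."""
from collections import namedtuple
from datetime import date
from decimal import Decimal, InvalidOperation

ITEM_LIMIT = Decimal("100000.00")     # assumed per-item ceiling

# Control register entry: what the originating department says it sent.
# hash_total is the sum of account numbers: meaningless, but checkable.
ControlHeader = namedtuple("ControlHeader",
    "batch_id first_seq last_seq record_count amount_total hash_total")

def validate_record(line, batch_date):
    """Preventive control. Returns (record, []) or (None, [errors])."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None, ["expected 4 fields, got %d" % len(parts)]
    seq_s, account, date_s, amount_s = parts
    errors = []
    if not seq_s.isdigit():
        errors.append("sequence number not numeric")
    if not (account.isdigit() and len(account) == 8):
        errors.append("account number malformed")
    try:
        if date.fromisoformat(date_s) > date.fromisoformat(batch_date):
            errors.append("transaction dated after the batch date")
    except ValueError:
        errors.append("date unparseable")
    try:
        amount = Decimal(amount_s)
        if not amount.is_finite() or amount == 0:
            errors.append("amount zero or not a finite number")
        elif amount.as_tuple().exponent < -2:
            errors.append("amount has more than two decimal places")
        elif abs(amount) > ITEM_LIMIT:
            errors.append("amount exceeds item limit")
    except InvalidOperation:
        errors.append("amount unparseable")
    if errors:
        return None, errors
    return {"seq": int(seq_s), "account": account, "amount": amount}, []

def process_batch(header, lines, batch_date):
    """Validate each line, then reconcile the accepted set to the register."""
    res = {"accepted": [], "rejected": [], "discrepancies": [], "audit_trail": []}
    for line in lines:
        rec, errs = validate_record(line, batch_date)
        if rec is None:
            res["rejected"].append((line, errs))
            res["audit_trail"].append("%s REJECT %r: %s" % (header.batch_id, line, "; ".join(errs)))
        else:
            res["accepted"].append(rec)
            res["audit_trail"].append("%s ACCEPT seq=%d" % (header.batch_id, rec["seq"]))
    accepted = res["accepted"]

    # Detective control 1: every pre-number in the range must arrive exactly once.
    expected = set(range(header.first_seq, header.last_seq + 1))
    seen, dups = set(), set()
    for rec in accepted:
        if rec["seq"] in seen:
            dups.add(rec["seq"])
        seen.add(rec["seq"])
    checks = [("duplicate sequence numbers", sorted(dups)),
              ("missing sequence numbers", sorted(expected - seen))]  # rejected items land here
    for label, seqs in checks:
        if seqs:
            res["discrepancies"].append("%s %s" % (label, seqs))

    # Detective control 2: control totals against the control register.
    totals = [("record count", len(accepted), header.record_count),
              ("amount total", sum((r["amount"] for r in accepted), Decimal(0)),
               Decimal(header.amount_total)),
              ("hash total", sum(int(r["account"]) for r in accepted), header.hash_total)]
    for label, got, want in totals:
        if got != want:
            res["discrepancies"].append("%s %s differs from register %s" % (label, got, want))

    # Corrective control: discrepancies go on the audit trail for investigation.
    for d in res["discrepancies"]:
        res["audit_trail"].append("%s DISCREPANCY %s" % (header.batch_id, d))
    return res

# Constructed sample batch: the register claims six items numbered 1001..1006.
SAMPLE_HEADER = ControlHeader("B-0001", 1001, 1006, 6, "2173.45", 60000021)
SAMPLE_LINES = [
    "1001,10000001,1989-03-01,250.00",
    "1002,10000002,1989-03-01,125.50",
    "1003,10000003,1989-03-02,abc",      # unparseable amount: rejected
    "1004,10000004,1989-03-02,1000.00",
    "1004,10000005,1989-03-02,97.95",    # duplicate pre-number
    "1006,10000006,1989-03-03,400.00",   # 1005 never arrived
]

def run_sample():
    return process_batch(SAMPLE_HEADER, SAMPLE_LINES, "1989-03-03")
```

Running the sample produces five discrepancies (a duplicate, two missing pre-numbers, and all three control totals disagreeing with the register), each of which also lands on the audit trail for follow-up.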
While discussing the review and evaluation of controls in an EDP audit system,<br />
it is recommended that understanding and testing of the system should be achieved<br />
through an analysis of the client's entire system of internal control. Once review and<br />
testing are over, it is possible to evaluate the adequacy or otherwise of the control<br />
system and make recommendations, if any. There is an interesting case study provided<br />
with a useful questionnaire with hypothetical answers.<br />
The audit approach when the client uses a service centre is different from that for usage<br />
of a computer in-house. The audit approach when the client uses a service centre is<br />
discussed. A specific mention is made of advanced auditing techniques including the test<br />
audit method, test case, system evaluation, integrated test facility and parallel<br />
simulation. It is very well brought out that in an environment of accelerated changes<br />
in computer technology, newer and up-to-date auditing techniques are needed.<br />
1. W. Thomas Porter and William E. Perry, "EDP Controls and Auditing", Third<br />
edition, Kent Publishing Company, Boston, Massachusetts, 1981.
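Parallel simulation, named here and earlier under Jancura and Boos's chapter on computer assisted auditing techniques, is the auditor's independent re-performance of the client's processing. The following is an added example, not code from the thesis or from any of the books it reviews; the client's stated interest rule, the two file layouts and the sample records are constructed assumptions.

```python
"""Parallel simulation as a computer-assisted audit technique: added example,
not code from the thesis or from the books it reviews. The client's stated
interest rule, the two file layouts and the sample records are constructed
assumptions. The auditor re-implements the stated rule independently, runs
it over the client's own master file, and lists every account whose
client-computed figure does not agree."""
from decimal import Decimal, ROUND_HALF_UP

def simulated_interest(balance):
    """Client's stated rule (assumed): one month's simple interest on the
    closing balance, 6% p.a. at 10000.00 and above, else 4% p.a., rounded
    half-up to the cent. Accepts a Decimal or a decimal string."""
    balance = Decimal(balance)
    rate = Decimal("0.06") if balance >= Decimal("10000.00") else Decimal("0.04")
    return (balance * rate / 12).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def parse_pairs(lines):
    """Both files are 'account,value' text lines; returns {account: Decimal}."""
    out = {}
    for line in lines:
        if not line.strip():
            continue
        account, value = (p.strip() for p in line.split(","))
        if account in out:
            raise ValueError("account %s appears twice" % account)
        out[account] = Decimal(value)
    return out

def parallel_simulation(master_lines, client_output_lines, tolerance="0.00"):
    """Return exception records (account, kind, client_value, auditor_value)."""
    tolerance = Decimal(tolerance)
    balances = parse_pairs(master_lines)
    client = parse_pairs(client_output_lines)
    exceptions = []
    for account, balance in sorted(balances.items()):
        expected = simulated_interest(balance)
        if account not in client:
            exceptions.append((account, "missing from client output", None, expected))
        elif abs(client[account] - expected) > tolerance:
            exceptions.append((account, "value differs", client[account], expected))
    # Output the client produced for accounts that are not on its own master file.
    for account in sorted(set(client) - set(balances)):
        exceptions.append((account, "not on master file", client[account], None))
    return exceptions

# Constructed client master file (account, closing balance) and the interest
# file the client's program produced for the same month.
MASTER = ["A001,12000.00", "A002,5000.00", "A003,9999.99", "A004,10000.00"]
CLIENT_OUTPUT = ["A001,60.00", "A002,16.67",
                 "A003,50.00",   # client applied the higher tier one cent early
                 "A005,12.50"]   # not on the master file; A004 is absent

def run_sample():
    return parallel_simulation(MASTER, CLIENT_OUTPUT)
```

Each exception is a lead for the auditor to follow up with the client, not a conclusion: a tolerance can be passed for rules where rounding differences are expected.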
S. Rao Vallabhaneni traces the importance of software in a computerised<br />
environment. He mentions that 50 to 75% of the time of the system analysts and<br />
programmers is spent in maintaining the existing software and that more than 50%<br />
of the operating budget is for software. He brings out the fact that in spite of the<br />
above-mentioned significant facts, auditors do not spend enough time reviewing,<br />
testing and evaluating the controls in the application systems when they are in the<br />
process of being developed. He correctly mentions that more time is spent on<br />
software development activities than on reviewing software maintenance controls. He<br />
explains the difficulties faced by systems and programming staff who are under<br />
pressure from the users and suffer from a lack of appreciation of concepts by senior<br />
management. Many a time software is developed without considering future<br />
maintenance. Very few programs and systems are developed using structured<br />
techniques. This results in a great deal of patch work being done. He refers to<br />
"spaghetti code" which is difficult to control, maintain, modify or audit. In view of the<br />
absence of usage of structured techniques, the systems staff are constrained to use an<br />
ad hoc approach.<br />
Maintaining software is a human activity which is error-prone and has a high<br />
risk. Unless documentation is adequate, a previously bug-free program may land up<br />
with problems unless the modified program is thoroughly tested.<br />
The emphasis of this book is to highlight the importance of software<br />
maintenance activities along with their associated risks and exposures and to provide<br />
guidance to auditors for evolving procedures and approaches. The focus of the book<br />
1. S. Rao Vallabhaneni, "Auditing the maintenance of software", New Jersey,<br />
Prentice-Hall Inc., 1987.
is on the internal auditor and makes reference to SAS No. 9, issued by the American<br />
Institute of Certified Public Accountants: "the independent external auditor should<br />
consider the procedures, if any, performed by the internal auditors in determining the<br />
nature, timing and extent of his own auditing procedures".<br />
Thus, it naturally follows that if the internal audit's review of software<br />
maintenance is more comprehensive, the external auditor's scope should be less<br />
comprehensive. The term software maintenance is used to describe all changes made<br />
to a computer program after it has been implemented in a live environment. He<br />
refers to the US General Accounting Office (GAO) Report (page 5, footnote):<br />
The GAO studied 15 computer sites in detail and received responses to<br />
mailed questionnaires from several hundred. It is mentioned that though the study<br />
was relating to the Government environment, it is equally applicable to the private and public<br />
sectors. Some of the problems enumerated are:<br />
(i) Software maintenance costs are not easily identifiable<br />
(ii) Expert user-requested modifications are not always based on real need<br />
(iii) User requirements in the software development phase are not adequately<br />
defined.<br />
(iv) Application systems documentation is inadequate, if not missing.<br />
(v) Computer programmers' attitude towards software maintenance is not<br />
enthusiastic.<br />
These points are of relevance to the environment in our country also. The<br />
time and effort spent on the system development phase is not always productive, either<br />
because users do not define their requirements precisely or because the systems staff decide
on their own on certain requirements of the users. As most of the applications are<br />
to be modified under pressure, documentation procedures are given the go-by.<br />
Priority is for keeping the system going with the modification. In the circumstances,<br />
the capacity of the auditor to understand the modification and evaluate the controls<br />
needs special mention.<br />
The author has divided the book into three parts, the first part dealing with<br />
environment, the second part with control guidelines and the third one with audit<br />
methodology; the fourth one being on viewing the future. He explains the software<br />
maintenance life cycle (SMLC) as distinct from the SDLC by dividing the methodology<br />
into different phases. For each of the phases he lays down the objectives and<br />
activities and, from the auditor's point of view, the final deliverables for control review<br />
and final evaluation. He highlights the point that auditors, specially the internal<br />
auditors, should ensure that the resources used for software maintenance are adequate and that they are<br />
used effectively and efficiently. He highlights in chapter IV that the auditor needs to<br />
be aware of what can go wrong in software maintenance; he highlights three types<br />
of control, viz. preventive, detective and corrective, which could prevent irregularities<br />
and omissions during software maintenance. He provides a table of audit tools and<br />
techniques: a use matrix.<br />
The book is an excellent treatise on the procedure to be followed in an ideal<br />
situation. While it may not be possible to give an ideal, a reading of the book by an<br />
auditor creates an awareness of the reality of the problem and the possible practical steps<br />
he should take to ensure adequate controls are introduced in the software<br />
maintenance phases.
Technology is advancing; the important supportive functions that protect the<br />
technology from intentional losses are not keeping pace. He makes reference to the<br />
Systems Auditability and Control reports produced by Stanford Research Institute<br />
International in 1977 and observes that auditing, which is an important supportive<br />
function, is lagging far behind. In view of the auditor's lack of sufficient knowledge of<br />
the technology, he is constrained to rely on the trustworthiness of computers,<br />
computer programmers, operators and other computer staff. An auditor is expected<br />
to be independent in attitude and appearance, and the dependence of the auditor on<br />
data processing staff is violative of a basic audit principle. The author has very<br />
relevantly mentioned that auditors performing their function in a computerised<br />
environment have realised that they have to acquire the necessary skills to perform their<br />
jobs competently. Similarly, data processing management are realising the need and<br />
value of the services of the auditors who evaluate the adequacy of controls in the<br />
computerised environment. The book, which has its focus on creating an awareness<br />
in the management of organisations which have introduced computers, deals with the<br />
subject in a non-technical manner. The author makes special reference to Transmittal<br />
Memorandum 1 to Circular A-71 on security of federal automated information systems<br />
issued by the US Office of Management and Budget. This memorandum establishes a<br />
comprehensive policy regarding the establishment of computer security programmes in<br />
all non-defence computer centres also. The objective is to establish procedures for<br />
adopting security standards, a requirement for security in all hardware and software<br />
procurements, guidance on conducting risk analysis, performing security audits,<br />
developing contingency plans and establishing personnel security policies.<br />
1. Donn B. Parker, "Managers Guide to Computer Security", Reston, Virginia, Reston<br />
Publishing Company Inc., A Prentice-Hall Company, 1981.
This memorandum is considered a milestone for computer security, even as<br />
early as 1978. One whole section is devoted to the nature of computer security. A<br />
useful table giving details of the various types of security areas to be safeguarded and<br />
how they could be safeguarded is explained lucidly. Concepts of risks and threats are<br />
explained. The author is of the opinion that what may appear as accidental and<br />
unintentional acts may not in reality be so. He drives home the point that one should<br />
be prepared for the worst and provide adequate security functions. While discussing<br />
the aspect of deterrence, which would be a preventive measure against the likelihood of<br />
security violations, the author makes special reference to audit. He very pertinently<br />
points out that "one of the greatest values of auditing is deterrence". The aspects of<br />
preventive, detective, recovery and corrective controls are discussed with<br />
effectiveness. The importance of contingency and back-up plans is discussed in detail.<br />
While discussing the recovery issues, the factors to be taken particular care of are<br />
mentioned as:<br />
(a) Staffing: the safety of people is of primary concern.<br />
(b) Facilities and neighbouring site: considering the risk factors in the<br />
neighbourhood of the computer room is of immense importance.<br />
(c) Utilities: automatic local telephone switching centres or automative<br />
underground cables would affect on-line systems. These need to be protected<br />
to the same extent as computer or power supply or air-conditioning<br />
equipment.<br />
Other important factors like documentation standards and the storing of<br />
production programs, operating system utilities and data in a place away from<br />
the main operation, which are mentioned, are helpful. The book also deals with<br />
security factors for computer site selection.
The aspect of earthquake, which seems a theoretical concept in our country,<br />
has been considered as a possible reality by the author and guidance provided.<br />
Suggestions regarding consulting geologists are made.<br />
There is an exclusive chapter on computer security and the law, making special<br />
reference to the Privacy Act of 1974 and the Foreign Corrupt Practices Act of 1977.<br />
Section 3 of the book deals with the computer security program and deals in great<br />
detail with the following subjects:<br />
(i) Identification and valuation of assets<br />
(ii) Identification of threats and risk assessment<br />
While dealing with safeguards, special mention is made of auditability. It<br />
mentions that safeguards must be testable for the purpose of auditing their performance<br />
and compliance with specifications. While illustrating this point, an example is given<br />
of an auditor visiting a data processing facility and asking to be shown recovery from<br />
remote back-up files. The EDP department sent a vehicle to collect the back-up<br />
files, programs and operating instructions. It is interestingly reported that at this<br />
point the test was terminated, because if all the back-up materials were returned to<br />
the computer centre, there would be no back-up material at the remote site. This led<br />
to the organisation keeping two copies at the back-up site.<br />
While concluding that EDP auditing is an important activity for computer<br />
security, it is mentioned that auditing tools and techniques must be considered as one<br />
of the most important safeguards. An interesting matrix on EDP audit tools by<br />
occupation applicability is revealing.
"Microcomputer security, auditability and controls" deals with the subject in<br />
three parts:<br />
1. Microcomputers in general<br />
2. Stand-alone microcomputer systems and<br />
3. Micros connected to mainframe systems.<br />
In Part I, while dealing generally with microcomputers, the book provides<br />
statistics from a report regarding the growth of microcomputers. He quotes that the<br />
market has gone from US $200 million in sales to a projected 426 billion dollars in<br />
sales in 1983. In 1983 about one million units were sold and it is expected that 45<br />
million units may be sold by 1986 or 1987.<br />
A tabular statement providing the prevailing characteristics and associated<br />
threats is illustrated. Among the prevailing characteristics the following are<br />
mentioned:<br />
* Proliferation of application development<br />
* Staff limitation<br />
* Applications software<br />
* Hardware<br />
* Vendor system software, standards and practices<br />
* Physical environments, file and media storage outside<br />
* Unauthorised access.<br />
1. Javier F. Kuong, Gerald I. Isaacson, Chester M. Winters, "Microcomputer security,<br />
auditability and controls", Wellesley Hills, Mass., Management Advisory<br />
Publications, 1985.
Under each of these heads, the conditions that are prevalent in a micro-<br />
computer environment are discussed with the associated threat. A detailed reading<br />
of the above threats focuses attention on the fact that there is a clear need to have<br />
a well formulated set of control objectives with effective safeguards which provide<br />
solutions for a secure use of microcomputers.<br />
Chapter 3 of the book deals with auditability considerations. A useful table<br />
giving the prevailing condition and the corresponding auditing concerns and<br />
considerations is provided. To sum up, the problems generally faced by auditors are:<br />
(1) When the same application is processed on different computers, how is the<br />
integrity of the application to be decided unless all the units are audited?<br />
(2) With paucity of staff, there is no separation of duties.<br />
(3) Audit trails may be lacking in view of the lack of facility for logging. When<br />
software packages are developed, lack of documentation exists. Information<br />
regarding what types of error handling and controls are included is not easily<br />
available.<br />
The author proceeds to deal with the control system, dividing it into<br />
three zones as follows:<br />
(1) General and administrative controls<br />
(2) Microcomputer system<br />
(3) Microcomputer software<br />
While dealing with connected micro systems he deals under three zones as<br />
follows:<br />
(a) Data communication<br />
(b) Microcomputer<br />
(c) Mainframe penetration by hacking
The fact that security and protection of microcomputers is as important as, if not more important than, the security of the large system is emphasised. While dealing with the general aspects of microcomputer security, the software and data integrity issues of concern are listed as follows:
* Who can access the micros?
* To what extent can they access them?
* How is the data protected from unauthorised distribution?
* What is the possibility of loss of critical data?
* How is data integrity to be maintained?
* What is the possibility of intrusion from outsiders?
* What steps are to be taken for maintaining continuity of operations?
The book provides:
(1) A sound framework for dealing with internal and security controls
(2) An overall coverage of security, auditability and controls
(3) A complete set of management policies and standards for management control of this new technology
(4) A comprehensive list of control objectives and control techniques for different types of microcomputers.
A set of specific objectives, along with a list of specific control techniques which would meet each control objective, is given.¹
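Problem (1) above, that an application processed on several microcomputers cannot be vouched for unless every unit is examined, is one the auditor can reduce to a mechanical check. The following is an added example and not code from Kuong's book: a digest of each file of the approved release is recorded at audit time, and every unit's installed copy is later compared against that manifest. The unit names, file names and file contents are constructed for the illustration.

```python
"""Added illustration (not from Kuong's book): checking that each unit runs the
audited copy of an application by comparing file digests against a baseline
manifest recorded when the release was audited.

All unit names, file names and file contents below are constructed.
"""
import hashlib


def build_manifest(approved_files):
    """Manifest of the audited release: {file name: SHA-256 hex of the approved copy}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in approved_files.items()}


def verify_unit(manifest, installed_files):
    """Compare one unit's installed copy ({name: bytes}) against the manifest.

    Returns a sorted list of findings; an empty list means the unit matches the
    audited release exactly (no file altered, none missing, none added).
    """
    findings = []
    for name, expected in manifest.items():
        data = installed_files.get(name)
        if data is None:
            findings.append(f"missing: {name}")
        elif hashlib.sha256(data).hexdigest() != expected:
            findings.append(f"modified: {name}")
    for name in installed_files:
        if name not in manifest:
            findings.append(f"unexpected: {name}")
    return sorted(findings)


def verify_fleet(manifest, units):
    """Run verify_unit over every unit ({unit name: {file name: bytes}})."""
    return {unit: verify_unit(manifest, files) for unit, files in units.items()}


# Constructed sample data: the audited release and four units' installed copies.
APPROVED = {
    "payroll.exe": b"approved payroll program v2.1",
    "rates.dat": b"tax rates 1991",
}
MANIFEST = build_manifest(APPROVED)

UNITS = {
    "branch-A": dict(APPROVED),                                   # identical to audited release
    "branch-B": {"payroll.exe": b"approved payroll program v2.1 PATCHED LOCALLY",
                 "rates.dat": b"tax rates 1991"},                 # program altered on the unit
    "branch-C": {"payroll.exe": b"approved payroll program v2.1",
                 "rates.dat": b"tax rates 1991",
                 "macro.bas": b"undocumented local macro"},       # extra, unaudited file
    "branch-D": {"payroll.exe": b"approved payroll program v2.1"},  # rates file missing
}

if __name__ == "__main__":
    for unit, findings in verify_fleet(MANIFEST, UNITS).items():
        print(unit, "OK" if not findings else findings)
```

The manifest must be held by the auditor and not on the units themselves; a unit that carries its own manifest can be altered together with it. The check establishes only that a unit matches the release that was audited, not that the audited release was itself correct.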
¹ Javier F. Kuong, "Controls for Advanced/On-line/Data-base Systems", Parts 1 and 2, 44 Washington Street, Wellesley Hills, Mass. 02181: Management Advisory Publications, 1983.
The author discusses what kinds of control the designer and the auditor should consider in order to build security and integrity into advanced on-line systems. He also deals with audit approaches and techniques which would effectively and efficiently audit and review such systems. A tabular statement distinguishing the various features of these systems, with the respective implications of each feature, is well brought out. While dealing with internal controls, the author classifies integrity under four categories:
(i) Accuracy
(ii) Security/privacy
(iii) Continuity
(iv) Environment
The author divides the control zones under eight heads:
(i) Data entry
(ii) Data communication
(iii) Systems environment and general controls
(iv) On-line application programs
(v) Data base
(vi) Data base administration
(vii) Environmental software
(viii) Data base control zones and data base development standards
Under each of these heads, the author deals with the following:
(i) General control objectives
(ii) Various control points
(iii) Control techniques for each control point.
Under each of the control points, the control objective and the corresponding control techniques are discussed in detail. The two parts of the book contain a precise presentation of the entire subject.
Computer Security
Keith Hearnden¹ presents a collection of 14 articles on computer crime and people, computer crime in the 1980s, risk management and computer security. While all the articles make special reference to the accepted procedures for maintaining security, there is also narration of live cases of crimes committed on computers. The importance of these articles is that computer crimes and frauds are not academic issues but realities, perpetrated in most cases by the computer literate. This has been possible by penetrating the vulnerable points in the control systems of computers.
Security is an integral part of the design and implementation of an information system. V.P. Lane² interestingly brings out the fact that, because security involves cost, management may decide to ignore certain security requirements, considering only the cost factor. He highlights the fact that good security must be built into the system software before individual applications are designed. He deals with physical security and data security. In discussing physical security he classifies it under two major heads, viz. (1) protection
¹ Keith Hearnden, "A Handbook of Computer Security", Centre for Extension Studies, Loughborough University.
² V.P. Lane, "Security of Computer Based Information Systems", Houndmills, Basingstoke, Hampshire: Macmillan Education Ltd., 1985.
against natural disasters such as flood and fire, and (2) protection against intruders. Under the head of natural disasters he places special importance on fire and discusses at length the advantages and disadvantages of carbon dioxide as against Halon and water sprinklers.
While discussing access control and intruders, he highlights three ways of controlling access:
(i) By using receptionists and security officers
(ii) By using mechanical devices such as locks and keys
(iii) Electronic systems using identity cards and card readers
A systematic approach is necessary if a realistic plan for physical security is to be evolved. The author stresses the view that management must assess what they are trying to prevent and protect. To achieve this, he suggests that the following be performed:
(i) Identify undesirable events
(ii) Evaluate physical threats and the probability of each such event occurring
(iii) Estimate the possible loss to which the computer and premises are exposed
(iv) Compute the expected annual loss.
While discussing data security, it is stated that it can be maintained by four kinds of control, viz.
(a) Access controls
(b) Information flow controls
(c) Inference controls
(d) Cryptographic controls.
The author stresses the point that while these methods can reduce the danger of compromise of data, they cannot totally eliminate the possibility. The security role of each component of a computer configuration, hardware, systems software and so on, is highlighted. While discussing the system software, i.e. the operating system, its security functions are classified under two heads, viz. implicit security functions and explicit security functions. Implicit security functions are those features that manage and control the system resources and application programs. The explicit functions include surveillance and identification, access control and isolation. The chapter dealing with people and security highlights the fact that the position of power exercised by a single individual, such as the system administrator, is both a weakness and a strength. He suggests remedial measures such as:
(i) Job rotation
(ii) Supervision by a superior
(iii) Journalising, i.e. recording each request from the administrator in a log to facilitate auditing, and examining the log for unauthorised activities.
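Journalising as described in (iii) yields nothing unless someone actually reads the log back against what was authorised. The following is an added example and not anything from Lane's book: a constructed journal of administrator actions is checked against a constructed register of approved requests, and entries with no approved request, requests the administrator approved himself (no supervision by a superior), actions differing from what was approved, and activity outside working hours are listed for follow-up. The log format, account names and request references are assumptions of the example.

```python
"""Added illustration (not from Lane's book): reviewing a journal of system
administrator actions against a register of approved requests, to surface
activity that had no authorisation or that the administrator approved himself.

The log format, account names, request references and the register are constructed.
"""
import re
from datetime import datetime, time

# Constructed journal of administrator actions, one entry per line.
JOURNAL = """\
1991-03-04 09:12 admin=rao action=GRANT target=payroll.mst ref=CR-118
1991-03-04 09:40 admin=rao action=RESTORE target=ledger.dat ref=CR-119
1991-03-04 22:05 admin=rao action=GRANT target=salary.prg ref=-
1991-03-05 10:02 admin=menon action=DELETE target=audit.log ref=CR-120
1991-03-05 11:15 admin=menon action=COPY target=customer.mst ref=CR-121
"""

# Constructed register of requests: ref -> (requested_by, approved_by, action, target).
REGISTER = {
    "CR-118": ("rao", "supervisor", "GRANT", "payroll.mst"),
    "CR-119": ("rao", "supervisor", "RESTORE", "ledger.dat"),
    "CR-120": ("menon", "menon", "DELETE", "audit.log"),   # approved by the requester himself
    "CR-121": ("menon", "supervisor", "COPY", "customer.mst"),
}

ENTRY = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) admin=(?P<admin>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) ref=(?P<ref>\S+)$"
)
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed working hours


def parse_journal(text):
    """Yield one dict per journal line; a malformed line is an error, not silently skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable journal entry: {line!r}")
        entry = m.groupdict()
        entry["when"] = datetime.strptime(f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M")
        yield entry


def review(journal_text, register):
    """Return a list of (ref, admin, finding) for journal entries needing follow-up."""
    findings = []
    for e in parse_journal(journal_text):
        who, ref = e["admin"], e["ref"]
        request = register.get(ref)
        if request is None:
            findings.append((ref, who, "no approved request on record"))
        else:
            _requested_by, approved_by, action, target = request
            if approved_by == who:
                findings.append((ref, who, "administrator approved own request"))
            if (action, target) != (e["action"], e["target"]):
                findings.append((ref, who, "action differs from approved request"))
        if not (WORK_START <= e["when"].time() <= WORK_END):
            findings.append((ref, who, "outside working hours"))
    return findings


if __name__ == "__main__":
    for finding in review(JOURNAL, REGISTER):
        print(*finding)
```

The journal has to be written somewhere the administrator under review cannot alter it, otherwise the person being supervised is also the keeper of the evidence; that is the reason the page pairs journalising with supervision by a superior rather than offering it on its own.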
Security aspects of the operation of computer facilities include the training of computer operators, the library management system and short term recovery procedures. It is emphasised that management must make clear that security is needed even during routine operation of the system, if the effort of planning the overall security aspects is to be a success. Special topics such as privacy and data protection legislation and the protection of proprietary software are discussed. The author concludes that software is currency; it is essential that those who provide the currency are protected from counterfeiting and duplicity.
Chapter 11 of the book deals with a number of real life incidents. Among the more interesting cases is that of a supervisor of a payments department in a London local authority who found a method of creating false documents, resulting in a loss of approximately 40,000 pounds. Another case deals with how an executive officer used the computerised salary system to defraud a health authority. A novel case, yet one of great concern, is that of computer personnel who stole the computer files and demanded a ransom for restoring them; fortunately, the culprits were caught. The last case reported concerns a boiler explosion which destroyed the computer office site. The author concludes that the misfortune did not become a calamity because of the company's contingency plans. The 1981 and 1984 surveys of incidents involving theft and misuse are very revealing.
James Arlin Cooper¹ discusses early developments and environmental aspects under the following heads:
* Physical security
* Personnel security
* Regulatory security
* Hardware security
* Software and network security.
Each of these environments is discussed in great detail under the heads of prevention, detection and correction. It is of importance to note that mention is made of the Computer Security Act of 1987. The Act requires the establishment of security
¹ James Arlin Cooper, "Computer and Communications Security: Strategies for the 1990s", New York: McGraw-Hill Book Company, 1221 Avenue of the Americas, 1989.
standards for civilian agency computers and communication systems. The author makes a comparative study of the regulatory requirements in different countries such as the UK, Canada, France and Sweden. A reading of these legislations and their development makes one realise that other countries have found from their experience that legislation is necessary, which leads one to think that, in view of the wide computerisation, it would not be long before our country also feels the need. While discussing the software security environment, the author highlights the fact that verification of system security features and system security performance can best be achieved by the EDP audit function. In the author's words, "EDP audit, if properly done, gives additional insight, identifies signals that point out security weaknesses or failures and helps prevent security by-passes resulting from collusion." He even goes to the extent of mentioning that a 30 million fraud which he discusses in his book was possible because audit procedures were relaxed. He discusses, amongst others, 14 tools and techniques and concludes that audit procedures give a degree of protection against intentional attacks: they make a perpetrator's job difficult as the chances of detection are high. While discussing current perspectives on computer security, he highlights the security strengths by discussing encryption techniques, and does not lose sight of the negative side of security, i.e. its weaknesses. The problem of controlling access uniformly and reliably over widely dispersed locations is a difficult one. The author discusses the research perspectives and the outlook for the 1990s.
DISASTER RECOVERY PLANNING
The need for planning for disaster recovery in a computerised environment is explained.¹ The three areas of exposure that management needs to review, as described by the author, are financial loss, legal responsibility and business interruption.
Part I deals with management considerations. A detailed questionnaire deals with the disaster recovery priority concerns of management under the heads:
(1) Staff protection and actions
(2) Maintenance of customer services
(3) Cash flow maintenance
(4) Vital documents protection
(5) Facilities and equipment
(6) Programs and
(7) Supplies.
A reference is made to three levels of security and disaster recovery measures, viz. mandatory measures, necessary measures and desirable measures. Mandatory measures are those required by law. Necessary measures are those reasonable precautions which need to be taken. The desirable measures, although worthwhile, do not need to be implemented as immediately as mandatory measures; desirable measures are implemented as and
¹ The Chantico Series, "Disaster Recovery: Contingency Planning and Program Evaluation", Massachusetts: QED Information Sciences Inc., 1985.
when circumstances permit. A cost benefit analysis is made taking into consideration the perceived and desirable needs.
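The four steps Lane suggests for physical security (identify undesirable events, evaluate threats and their probability, estimate the possible loss, compute the expected annual loss) and the cost benefit analysis of measures described in the Chantico manual come down to the same arithmetic. The following is an added example and not taken from either book: each threat's expected annual loss is its annual rate of occurrence times the loss per occurrence, threats are ranked by that figure, and a proposed measure is judged by whether the reduction in expected annual loss it buys exceeds its annual cost. The threats, rates, loss figures and measure costs are constructed, and the currency units are arbitrary.

```python
"""Added illustration (not from Lane's book or the Chantico manual): carrying the
four risk assessment steps through to an expected annual loss per threat, then
using the reduction in that loss to judge whether a proposed measure pays for itself.

All threats, probabilities, loss figures and measure costs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str               # step (i): an undesirable event
    annual_rate: float      # step (ii): expected occurrences per year
    loss_per_event: float   # step (iii): loss to computer and premises per occurrence

    @property
    def expected_annual_loss(self):
        """Step (iv): expected annual loss = rate of occurrence x loss per occurrence."""
        return self.annual_rate * self.loss_per_event


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float
    mitigates: str          # name of the threat the measure addresses
    rate_factor: float      # fraction of the annual rate that remains after the measure
    loss_factor: float      # fraction of the loss per event that remains after the measure


def rank_threats(threats):
    """Threats ordered by expected annual loss, highest first."""
    return sorted(threats, key=lambda t: t.expected_annual_loss, reverse=True)


def net_benefit(measure, threats):
    """Reduction in expected annual loss minus the measure's annual cost.

    A positive figure means the measure pays for itself on expected-value terms;
    a negative one means it can only be justified on other grounds (for example,
    because it is mandatory in law).
    """
    threat = {t.name: t for t in threats}[measure.mitigates]
    residual = Threat(threat.name,
                      threat.annual_rate * measure.rate_factor,
                      threat.loss_per_event * measure.loss_factor)
    return threat.expected_annual_loss - residual.expected_annual_loss - measure.annual_cost


# Constructed figures.
THREATS = [
    Threat("fire in computer room", annual_rate=0.02, loss_per_event=2_000_000),
    Threat("flood", annual_rate=0.01, loss_per_event=500_000),
    Threat("intruder steals media", annual_rate=0.5, loss_per_event=40_000),
    Threat("disk failure", annual_rate=2.0, loss_per_event=5_000),
]
MEASURES = [
    # Halon does not change how often a fire starts, but limits the damage.
    Measure("Halon suppression", 15_000, "fire in computer room", rate_factor=1.0, loss_factor=0.2),
    # Card readers cut the number of intrusions, not the loss from each one.
    Measure("card-reader access control", 8_000, "intruder steals media", rate_factor=0.2, loss_factor=1.0),
    Measure("flood barriers", 12_000, "flood", rate_factor=0.5, loss_factor=1.0),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:28s} expected annual loss {t.expected_annual_loss:>12,.0f}")
    for m in MEASURES:
        print(f"{m.name:28s} net benefit {net_benefit(m, THREATS):>12,.0f}")
```

With these figures a fire at 2 per cent a year still heads the ranking, which is why the page singles fire out; the probabilities in step (ii) are the weakest input, so the ranking and each measure's net benefit should be recomputed with a range of rates before anything is decided on them.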
The second part deals with conducting the review programme. It is considered necessary to establish disaster recovery review objectives. First and foremost, the types of disaster need to be identified, followed by identifying the areas which may be impacted by a disaster. It is then necessary to review the disaster recovery controls. A useful workshop checklist concerning the internal back-up site is very educative. A specimen of a typical agreement with time brokers, viz. those who would find another site that a company can use in the event of a disaster, is informative. The author gives a procedure for testing the disaster recovery programme and classifies the testing into static testing and dynamic testing. He deals with different techniques for testing and gives the basis for selecting the appropriate technique. The basis for evaluating disaster recovery tests is discussed. The important aspect of insurance coverage is highlighted; the fact that extra insurance is needed on the back-up site is also mentioned. The principle of insurance coverage, as is well known, is to transfer the risk of major loss to another organisation. There should be a competent person for deciding the degree of risk to be insured. It is recommended that the cover should be for each class of equipment, records and media, mentioning their replacement costs and actual cash value. The points to be considered when discussing with the insurance manager also include extra emergency expense, third party liability and revenue bearing data. Extra emergency expenses include rental of temporary facilities, back-up equipment, moving costs and temporary insurance costs. Third party liability arises only in the case of service bureaus. An example of revenue bearing data would be the data regarding outstanding balances. Following the testing of the disaster recovery programme comes the procedure to evaluate the DRP. Various concerns and opinions regarding the adequacy of the disaster recovery programme need to be formed, and each opinion is to be supported by sufficient evidence collected during the review process. It is necessary to evaluate each concern individually and then review the totality of the individual evaluations in making a final judgment. A useful guideline on writing the disaster recovery report is provided. It is recommended that it should have the following chapters:
(i) Management summary
(ii) Scope of review
(iii) Background
(iv) Findings
(v) Opinion
(vi) Impact of the opinion
(vii) Recommendations.
Robert R. Moeller¹ deals with computer audit, control and security aspects in a computerised environment and the appropriate audit methodology. The controls are considered under the following three environments, viz.
(1) large computer centres,
(2) mini and micro computer centres and
(3) distributed networks.
In Section 2, he deals with auditing data processing applications and with the methodology to be observed in selecting applications for review. He describes the
¹ Robert R. Moeller, "Computer Audit, Control and Security", United States of America: John Wiley & Sons, 1989.
procedures to be followed. Different testing techniques and methods of evidence gathering in a paperless environment are discussed. The author emphasises the need for the auditor's role in reviewing new applications and their development.
In Section 3 he emphasises the need for
(a) physical security
(b) information security and integrity and
(c) an effective disaster recovery plan.
There is a special chapter on the audit and control of end-user computing. The many forms of end-user computing and the controls associated with it are discussed. The author provides a list of control objectives and procedures for reviewing the various controls. The tabular statements are extremely useful and detailed. The auditor can make a ready reference to any situation in which he may be placed and immediately have an exhaustive checklist. The author has also provided this information on a diskette which can be used on an IBM PC, enabling the auditor to carry the floppy and have a ready reference to the list in any of the client's offices. The author discusses the successful modern internal audit function. He is of the view that an audit professional of the future would have to have strengths in financial, operational and computer auditing. He concedes that, while this is the ideal, an individual who possesses all these qualifications may not be immediately available. His remarks are very significant: his description represents the audit of the future in the modern organisation, and it should be an audit organisation's goal to build personnel with these skills. He adds that there is a continued need for special techniques for computer audit in view of the technical environment in the organisation. While describing the audit department of the future, he states that "the computer audit specialist of today who spends much time looking at the general controls within the computer operations area, does not get into user areas to evaluate application controls, and assess possible risks, runs the danger of becoming obsolete in the era of modern data processing procedures. The auditor should develop financial or operational audit skills, as well as computer audit skills, to operate as the organisation's auditor of the future". This statement of the author takes it for granted that the present day auditor is able to evaluate the general controls.
It is of significance to note that in our country auditors are not even able to evaluate the general controls. In view of the wide gap between the expectation of the audit department of the future and the present position in our country, there needs to be a realisation about training auditors to attain better skills and competence to really operate as the organisation's auditors of the future.
William C. Mair, Donald R. Wood and Keagle W. Davis¹ have made a very comprehensive presentation of the various aspects of auditing in a computerised environment. The matrix presentation is the highlight of the book. There are four matrices, as follows:
¹ William C. Mair, Donald R. Wood and Keagle W. Davis, "Computer Control and Audit", Minneapolis, Minnesota: Touche Ross & Co., 1978.
Application control evaluation table
It deals with application causes of exposures under the heads input, processing, output and others. For each of these causes, preventive, detective and corrective controls are considered.
System development control evaluation table
Under the causes of exposure it deals with incomplete economic evaluation, management abdication, inadequate specifications, system design errors, incompetent personnel, unmanageable application, etc. The controls are again classified under preventive, detective and corrective controls. The reliance that can be placed on a control is classified as:
(1) useful but not especially effective
(2) controls the cause but should be accompanied by additional controls
(3) reliable control.
Computer abuse control evaluation table
Abuse is classified under the heads object, tool and environment (that is, whether the computer is the object of the abuse, the tool used for it, or merely its environment), and the controls are again classified as preventive, detective and corrective.
The last table deals with information processing facility control evaluation. Causes of information processing facility exposures are classified as human errors, hardware defects and software failures, computer abuse and catastrophe. The controls are classified under the heads preventive, detective and corrective. The authors have achieved the objective of helping auditors to understand what is meant by adequate control in a data processing environment.
Per Brinch Hansen¹ provides an overview of operating systems and thereafter gives a technical description of the various aspects of an operating system. Even ignoring the technical content, it provides a good understanding of the concept of an operating system, its capabilities and how it works.
William E. Perry² divides the information systems auditing function into 30 tasks and classifies them under the following functions:
* Scoping the environment
* Understanding the information system
* Identifying the audit risk
* Identifying the audit evidence
* Identifying key control points
* Identifying control weaknesses
* Verifying the integrity of the computer files
* Conducting the audit and concluding the audit.
The relevant tasks under each of these functions are discussed in great detail. The author provides an approach for the audit of information systems by concentrating on the business processing sections of the information system. The analytical approach
¹ Per Brinch Hansen, "Operating System Principles", New Delhi, India: Prentice-Hall of India Private Limited, 1990.
² William E. Perry, "Auditing Information Systems: A Step-by-Step Audit Approach", Carol Stream: EDP Auditors Foundation, 1983.
is of immense use, and this approach has been adopted by me in my questionnaire and discussions with the auditors.
S. Rao Vallabhaneni,¹ while introducing the concept of the software development process, presents both management's and the auditor's concerns over software. He discusses in detail the problems and issues that arise in the development of application systems, whether developed in-house or by outsiders. He clarifies the responsibilities of senior management, data processing management and the end-user in relation to software development problems and issues. The fact that the auditor, especially the internal auditor, has a specific responsibility with regard to the software development process is highlighted. The author discusses audit strategies and control guidelines, and deals in detail with the audit methodology in the following areas:
* Planning phase requirements,
* Design,
* Programming,
* Testing,
* Conversion,
* Post implementation.
He concludes that if an audit of the software development is undertaken, the chances of the software being usable, maintainable, auditable, controllable and securable are very high. The author discusses 15 case studies in different environments. Under each case study he describes the system, the audit scope and objectives, and
¹ S. Rao Vallabhaneni, "Auditing Software Development: A Manual with Case Studies", New York: John Wiley & Sons, 1990.
!itdiy mentions audit f<strong>in</strong>d<strong>in</strong>gs <strong>and</strong> ncommendations While summaris<strong>in</strong>g the f<strong>in</strong>d<strong>in</strong>gs<br />
of the 15 case studies, he concludes that lcnowlcdge of <strong>audit<strong>in</strong>g</strong> software development<br />
when practiced properly would make organisations more aware of system <strong>in</strong>tegrity<br />
<strong>and</strong> security <strong>controls</strong>.<br />
Michael A. Murphy and Xenia Ley Parker¹ of Coopers & Lybrand, international<br />
authorities on EDP auditing, deal with the impact of EDP on auditing as also the<br />
information technology concepts. The entire book is written with the auditor in mind.<br />
Even technical aspects are discussed in great detail in a manner which can be<br />
understood by an auditor. In their chapter on information systems, they deal with<br />
business systems to enable the auditors as also the technical personnel to get an<br />
overview of computer application systems. A special chapter deals with application<br />
controls. The authors deal with methods for documenting systems, including usage of<br />
flow charts. While discussing audit of systems development, they highlight the practice<br />
and methodologies to be adopted. There is a special chapter on end-user computing.<br />
It is of immense importance to our current scenario with the proliferation of personal<br />
computers. The authors discuss the management risks and issues as also user control<br />
and risk. While discussing the applications of end-users, they make specific<br />
reference to usage of spreadsheets, the associated risks and the specific controls<br />
to be used. The auditors' role in end-user computing is discussed and a view is<br />
expressed that the auditor should evaluate the controls in the following risk areas:<br />
* Software and data integrity<br />
* Back-up and contingency planning<br />
* Auditability<br />
* Multi-user micro computer<br />
* Communication security<br />
Controls in service bureaux are also discussed. There is specific reference to<br />
third party review of service bureaux. A detailed workplan, along with a specimen of<br />
a summary and third party review of applications and data centres, is of immense use.<br />
The chapter on testing techniques for computerised systems includes the topic<br />
of use of computer assisted audit techniques (CAAT).<br />
The 1993 cumulative supplement deals with more current concepts like expert<br />
systems. While discussing information technology concepts and meeting future<br />
needs, the authors, who have an international reputation, have stated as follows:<br />
"Future auditing impacts of new information technology is significantly altering<br />
the conduct of audits. Attesting to the credibility of management assertions has<br />
been one of the profession's major responsibilities during its entire history. For years,<br />
the service has been epitomised by the annual audited financial statement. To-day,<br />
the annual financial statement - while still serving a valuable role - is becoming a<br />
smaller part of the information needed by management, lenders and stock holders to<br />
make informed decisions ... As other sources of information become more and more<br />
important, there is a current need to develop ways to similarly assure their currency,<br />
completeness, neutrality, freedom from bias and credibility.<br />
The challenge - and the opportunity - for the public accounting profession is<br />
considerable. Professional standards will need to be developed to cover these possible<br />
new services. In addition, the responsibility that public accountants would assume and<br />
the legal exposures they would incur would need to be assessed. Most important,<br />
however, there is a clear indication of need, and the profession is well situated to<br />
respond."<br />
It is important to note that the situation regarding technological developments<br />
and usage of computers has changed in our country also. The profession in our<br />
country is not well equipped to respond and the management of organisations are not<br />
as yet seized of the problem.<br />
¹ Michael A. Murphy and Xenia Ley Parker, "Handbook of EDP Auditing", Coopers &<br />
Lybrand, Boston, Massachusetts, Warren, Gorham & Lamont Inc., 1989.<br />
Research publications<br />
The publication of the Institute of Internal Auditors, USA¹ reviews risks,<br />
controls and audit techniques while describing the fast changing technology, to help<br />
internal auditors to perform their jobs better. The report consists of 11 modules as<br />
follows:<br />
* Executive summary<br />
* Audit and control environment<br />
* Using information technology in audit<br />
* Managing computer resources<br />
* Managing information and development systems<br />
* Business systems<br />
* End-user - departmental systems<br />
* Telecommunications security<br />
* Contingency planning<br />
* Emerging technologies<br />
The project was financed by IBM and Price Waterhouse performed the work.<br />
The report clearly recognises that the internal auditor's responsibility regarding<br />
information technology has changed tremendously. The report concludes that as a<br />
major aspect of strategy planning, the auditor should have an overall assessment of<br />
associated risks and concerns, to emphasise the fact that the auditors need to be<br />
current. It is necessary for the internal auditors to understand the environment and<br />
the technology, to enable them to inform the management correctly about the actual<br />
and potential risks and control concepts.<br />
¹ Price Waterhouse, "Systems Auditability and Control", The Institute of Internal<br />
Auditors, Orlando, 1991.<br />
Mr. Kamal Gupta¹, Technical Director of the Institute of Chartered Accountants<br />
of India, while discussing various aspects of audit, devotes a whole chapter to auditing<br />
EDP based accounts. A reference is made to the various standards and<br />
pronouncements of professional bodies abroad. It is recognised that the increasing<br />
use of computers has changed the approach and techniques of audit also. It is<br />
reliably learnt that in view of the increased use of computers, the Institute of<br />
Chartered Accountants itself has made a start in providing guidelines to its members<br />
for procedures to be followed while auditing in a computerised environment. It is<br />
learnt that the Indian Institute also may, within 2/3 years, after the process of<br />
different committees approving the same is completed, issue official professional<br />
standards as a statement, hopefully.<br />
¹ Kamal Gupta, "Contemporary Auditing", New Delhi, Tata McGraw-Hill Publishing<br />
Co. Ltd., 1986.<br />
Professional bodies elsewhere in the world have issued standards for auditing<br />
practice in a computerised environment.<br />
S. Rao Vallabhaneni¹ discusses the audit methodology and control guidelines.<br />
He classifies computer security under the following heads:<br />
* Physical security<br />
* Personnel security<br />
* Data security<br />
* Application software security<br />
* System software security<br />
* Telecommunication security<br />
* Computer operation security<br />
While critically analysing the various concerns, he has prepared useful<br />
worksheets for risk assessments in the different areas. The criteria considered are very<br />
exhaustive and the methodology very practical. He has provided values for the risk<br />
and weightage for the criteria and arrived at the total risk score. He has a very useful<br />
suggestion of preparing a risk ranking worksheet which, from the data collected on<br />
each of the computer security areas, grades the risk level as "low, medium and high".<br />
An analysis of this approach and his conclusions have a practical bearing. The<br />
methodology adopted for risk assessments for the purpose of my study is similar to<br />
the one proposed by this author. A copy of the questionnaire for risk assessment<br />
under each area of security and the risk assessment work sheet are enclosed (Ref. Appendix).<br />
¹ S. Rao Vallabhaneni, "Auditing Computer Security - A Manual with Case<br />
Studies", New York, John Wiley & Sons, 1989.<br />
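The weighted worksheet described above (risk values per criterion, weightage per criterion, a total score per security area, and a low/medium/high grade on a ranking worksheet) is illustrated below as an added example. It is not code from the book or from the thesis questionnaire; the criteria, weightages, risk values and grade thresholds are constructed assumptions, and the areas are three of the seven security heads listed above.<br />

```python
"""Risk-ranking worksheet: weighted criteria per computer security area,
a total risk score, and a low / medium / high grade per area.
Constructed example: the criteria, weightages, risk values and grade
thresholds below are illustrative assumptions, not the book's or the
thesis questionnaire's actual values."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Numeric value assigned to each assessed risk level (assumed scale).
RISK_VALUES = {"low": 1, "medium": 2, "high": 3}

# Grade thresholds as a fraction of the maximum possible score (assumed).
MEDIUM_THRESHOLD = 0.45
HIGH_THRESHOLD = 0.75


@dataclass
class Criterion:
    area: str       # computer security area the question belongs to
    question: str   # worksheet question
    weight: int     # weightage: relative importance of this criterion
    risk: str       # assessed risk level: "low", "medium" or "high"


def weighted_score(criteria: List[Criterion]) -> int:
    """Total risk score: sum of weightage x risk value over the criteria."""
    return sum(c.weight * RISK_VALUES[c.risk] for c in criteria)


def max_score(criteria: List[Criterion]) -> int:
    """Score the same criteria would reach if every one were rated high."""
    return sum(c.weight * RISK_VALUES["high"] for c in criteria)


def grade(score: int, maximum: int) -> str:
    """Grade an area's score relative to its maximum possible score."""
    ratio = score / maximum
    if ratio >= HIGH_THRESHOLD:
        return "high"
    if ratio >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def risk_ranking(criteria: List[Criterion]) -> Dict[str, Tuple[int, int, str]]:
    """Risk-ranking worksheet: area -> (score, maximum, grade), ordered from
    the highest relative risk to the lowest."""
    by_area: Dict[str, List[Criterion]] = {}
    for c in criteria:
        by_area.setdefault(c.area, []).append(c)
    rows = {}
    for area, items in by_area.items():
        score, maximum = weighted_score(items), max_score(items)
        rows[area] = (score, maximum, grade(score, maximum))
    return dict(sorted(rows.items(), key=lambda kv: kv[1][0] / kv[1][1], reverse=True))


# Constructed sample worksheet entries for three of the seven security areas.
SAMPLE_CRITERIA = [
    Criterion("Physical security", "Is access to the computer room restricted?", 3, "low"),
    Criterion("Physical security", "Is fire detection and suppression installed?", 2, "low"),
    Criterion("Data security", "Are data files protected by access control?", 3, "high"),
    Criterion("Data security", "Are backups taken and stored off-site?", 2, "medium"),
    Criterion("Data security", "Are sensitive files encrypted?", 1, "high"),
    Criterion("Telecommunication security", "Are dial-up ports password protected?", 2, "medium"),
    Criterion("Telecommunication security", "Are remote sessions logged?", 2, "high"),
    Criterion("Telecommunication security", "Is line encryption used?", 1, "low"),
]

if __name__ == "__main__":
    for area, (score, maximum, level) in risk_ranking(SAMPLE_CRITERIA).items():
        print(f"{area:28s} {score:3d}/{maximum:<3d} {level}")
```

Grading on the fraction of the maximum possible score keeps areas with different numbers of criteria comparable on one worksheet; with the sample data the data security area ranks highest (16 of 18, high), telecommunication security next (11 of 15, medium) and physical security lowest (5 of 15, low).<br />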
Watne and Turney¹ deal with computer auditing as a conceptual foundation.<br />
The topic of internal control structure is presented under the heads of organisation<br />
controls, personnel practices, standard operating procedures as also systems<br />
development documentation controls. Specific mention is made of the systems<br />
documentation standards. The documentation is expected to have the following:<br />
* Problem definition<br />
* System documentation<br />
* Program documentation<br />
* Operations documentation<br />
* User documentation<br />
While conceding that maintaining good standards of documentation is<br />
necessary, the authors realise the difficulties in maintaining the same. They make<br />
specific reference to software aids to documentation. The section dealing with<br />
auditing EDP systems is of importance and the auditing is divided by the authors into the<br />
following tasks:<br />
* Audit of computer programs<br />
* Audit of data files and data bases<br />
* Audit of computer processing - general concepts<br />
* Audit of computer processing - user control systems<br />
* Audit of computer processing - third party systems<br />
Mention is made of usage of expert systems and the role of the auditor in auditing<br />
such an environment. It is interesting to note that the authors mention that the<br />
auditor should use the expert system as a tool to be more effective and efficient.<br />
¹ Donald A. Watne and Peter B. B. Turney, "Auditing EDP Systems", New Jersey,<br />
Prentice-Hall International Inc., 1984.<br />
Ron Weber's¹ book is a bible to auditors who wish to gain basic knowledge<br />
of the computerised environment, associated controls, evidence collection methodologies<br />
and evidence evaluation procedures. There are important chapters on managing the EDP<br />
audit function. The author highlights the importance of the changing EDP audit function.<br />
With the advent of micro computers, growth of end-user computing, impact of<br />
knowledge systems and the growth in data communications, the author feels the EDP<br />
auditor should keep pace with the new technology. An interesting question posed by<br />
the author is as to how an auditor can determine what changes need to be made to<br />
controls and audit procedures when an organisation changes from its existing<br />
technology to new technology for its data processing. He concludes that the role of<br />
the EDP auditor and basic audit methodologies remain unchanged. However, the EDP<br />
auditor must understand the new technologies, be capable of determining their<br />
impact on controls and audit procedures and ensure that appropriate evidence<br />
collection tools and techniques have been developed.<br />
Michael G. Grottola² elaborates on using UNIX to audit UNIX. He provides<br />
guidelines as to how the operating system UNIX can be controlled by its owners. His<br />
book deals with facts concerning what to look for in a UNIX system, how to<br />
examine it and how to report its findings. The author mentions that using a UNIX<br />
operating system to audit the environment thus requires, apart from audit experience,<br />
UNIX literacy. It provides useful guidelines for the auditor to become "UNIX literate".<br />
There is a chapter which takes the auditor through the various processes of<br />
installing the UNIX system. It gives a brief description of each of the commands. The<br />
book contains useful information on how an effective audit can be conducted in a<br />
UNIX environment using the UNIX commands themselves.<br />
¹ Ron Weber, "EDP Auditing: Conceptual Foundations and Practice", New York,<br />
McGraw-Hill Book Co., 1988.<br />
² Michael G. Grottola, "The UNIX Audit: Using UNIX to Audit UNIX", New York,<br />
McGraw-Hill Inc., 1993.<br />
UNIX security is an important subject. Mr. N. Derek Arnold¹, while helping the<br />
reader to learn about the UNIX operating system, its concepts and security, also helps<br />
in understanding concepts of information control and security aspects. A special<br />
chapter on audit programs refers to the several ways the systems auditor can keep<br />
track of what is going on in the system. It highlights the fact that the more the system<br />
administrator knows about the activities of the system, the better the steps that can be taken to<br />
secure the system. The importance of end-user maintenance is highlighted. The<br />
possibility of new users messing up needs to be borne in mind. The vulnerabilities<br />
because of installation of special devices are discussed. It is mentioned that devices<br />
which have the potential to bypass standard UNIX security are being built. On the face<br />
of it, though the publication looks as if it is highly technical, it is of immense use to<br />
the auditor as it contains useful guidelines for the usage of different commands. The<br />
ways of bypassing security by using yet other commands are highlighted. There are<br />
special chapters on data base security in the UNIX environment. The chapter on "breaking<br />
techniques" is very revealing as it describes the methods used by an attacker. As the<br />
author mentions, this is of particular use to the administrator. The techniques<br />
mentioned in the chapter are of immense importance, as the knowledge of the facts<br />
will help the auditor to know what could happen. Yet another chapter on virus<br />
infection helps to get an understanding of how a virus works in a UNIX environment.<br />
This chapter provides some guidelines on how viruses can be prevented and, if<br />
prevention fails, how to detect them. The problems associated with prevention and<br />
detection discussed in this chapter give an insight into the problems that one will face<br />
when a virus infiltrates a computer system in a UNIX environment.<br />
¹ N. Derek Arnold, "UNIX Security", New York, McGraw-Hill Inc., 1992.<br />
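The point made above, that the systems auditor can keep track of what is going on in the system and that the administrator who knows more about its activities can secure it better, is illustrated below with an added example of a login activity review. It is not code from the book; the log record format, the sample lines, the business hours and the failure thresholds are constructed assumptions rather than the output of any real UNIX system.<br />

```python
"""Login activity review: summarise what each user has been doing on the
system and flag exceptions for the auditor to follow up.
Constructed example: the log format, the sample lines, the business hours
and the failure thresholds are assumptions, not output of any real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines in an assumed "login" record format.
SAMPLE_LOG = """\
1992-03-04 08:12:40 login user=clerk1 tty=tty03 from=console result=success
1992-03-04 09:05:11 login user=ops tty=ttyp1 from=host-a result=success
1992-03-04 23:41:02 login user=clerk1 tty=ttyp4 from=host-z result=success
1992-03-05 02:10:33 login user=root tty=ttyp2 from=host-z result=failure
1992-03-05 02:10:51 login user=root tty=ttyp2 from=host-z result=failure
1992-03-05 02:11:20 login user=root tty=ttyp2 from=host-z result=failure
1992-03-05 02:12:05 login user=root tty=ttyp2 from=host-z result=success
1992-03-05 10:30:00 login user=ops tty=ttyp1 from=host-a result=success
this line is not a login record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login "
    r"user=(?P<user>\S+) tty=(?P<tty>\S+) from=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$")


def parse_log(text: str) -> List[dict]:
    """Parse the records the pattern recognises; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "user": m["user"], "tty": m["tty"],
                           "src": m["src"], "result": m["result"]})
    return sorted(events, key=lambda e: e["ts"])


def in_business_hours(ts: datetime, hours: Tuple[int, int] = (8, 18)) -> bool:
    """Assumed business hours: 08:00 up to but excluding 18:00."""
    return hours[0] <= ts.hour < hours[1]


def activity_summary(events: List[dict]) -> Dict[str, dict]:
    """Per-user picture of activity: successful logins, failures, sources used,
    and how many successful logins fell outside business hours."""
    summary = defaultdict(lambda: {"logins": 0, "failures": 0, "sources": set(), "off_hours": 0})
    for e in events:
        s = summary[e["user"]]
        if e["result"] == "success":
            s["logins"] += 1
            s["sources"].add(e["src"])
            if not in_business_hours(e["ts"]):
                s["off_hours"] += 1
        else:
            s["failures"] += 1
    return dict(summary)


def exceptions(events: List[dict], max_failures: int = 3,
               window: timedelta = timedelta(minutes=5)) -> List[tuple]:
    """Items for follow-up: a successful login outside business hours, and a
    success preceded by max_failures or more failures from the same source
    within the window (a possible password-guessing sequence that succeeded)."""
    flagged = []
    recent_failures = defaultdict(list)   # (user, source) -> failure timestamps
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            recent_failures[key].append(e["ts"])
            continue
        burst = [t for t in recent_failures[key] if e["ts"] - t <= window]
        if len(burst) >= max_failures:
            flagged.append(("failure-burst", e["user"], e["src"], len(burst)))
        recent_failures[key] = []
        if not in_business_hours(e["ts"]):
            flagged.append(("off-hours", e["user"], e["ts"].strftime("%Y-%m-%d %H:%M:%S")))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, s in activity_summary(evs).items():
        print(user, s)
    for item in exceptions(evs):
        print(item)
```

On the sample lines the review flags two off-hours logins and one burst of three failed root logins from the same host followed by a success; the auditor's follow-up is to reconcile each item with the user's authorised working pattern, which is exactly the kind of knowledge of system activity the chapter argues the administrator needs.<br />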
Database management systems and system functions are explained lucidly by<br />
Gordon G. Everest¹. Specific chapters on data base integrity, dealing with back up and<br />
recovery, quality control, concurrent update access control and encryption, are of<br />
utmost importance to the auditor. The author explains in simple language the<br />
concepts of data base and provides guidelines for the auditor to acquire knowledge on the<br />
necessary controls in a data base environment. The awareness of the knowledge of<br />
the controls and the procedures which should be implemented in a data base system<br />
facilitates the auditor to test the adequacy of the controls in a data base management<br />
system environment.<br />
The literature surveyed deals with different computer environments and the<br />
controls and audit concerns associated with them. Each of the technological<br />
developments has been dealt with in detail.<br />
However, a concerted study of what the auditor is expected to do in a<br />
computerised environment as per the auditing standards of different professional<br />
bodies, taking into consideration control objectives and audit concerns in specific<br />
computerised environments, specially as prevalent in India, is not available.<br />
The study has been undertaken to attempt to fill up this gap. A sample survey<br />
of control and audit practices has been undertaken and analysis included.<br />
¹ Gordon G. Everest, "Data Base Management: Objectives, System Functions and<br />
Administration", New York, McGraw-Hill Book Company, 1986.<br />
IMPORTANCE OF THE STUDY<br />
The present study is an attempt at evaluating the controls in different<br />
computerised environments, generally and specifically, like end user computing,<br />
networking and data base management. A study of the controls that should exist in the<br />
different computerised environments has been made. This has been compared with the<br />
controls that are existing in a sample set of organisations in different environments.<br />
The audit concerns in each of the environments in particular, and in a computerised<br />
environment generally, have been stated. An analysis of the findings has been reported<br />
with suggestions, based on the findings.<br />
A study of the professional statements and auditing standards of different<br />
professional bodies has been made. An audit approach which has been well<br />
recognised has been described. The audit procedures followed, as described by the<br />
organisations which have been included in the sample, have been analysed. Similarly,<br />
five leading firms of statutory auditors have been approached and the procedures that<br />
they follow while auditing in a computerised environment have been noted by way of<br />
answers obtained from them on the questionnaire provided to them. The hypothesis<br />
for this thesis is that the controls and auditing standards in a computerised<br />
environment as prevailing in India are inadequate. The analysis of the control<br />
procedures in organisations and the audit procedures followed as reported by the<br />
organisations, and the audit approach as mentioned by leading auditors, have been<br />
undertaken to verify the hypothesis.<br />
Information technology security problems become very vital and important<br />
as most organisations have automated their activities. Even electronic links are being<br />
established with their trade partners (EDI, EFT). Taking advantage of the<br />
technological developments, organisations are computerising extensively. Along with<br />
this development the security problems are also on the increase. Most of the<br />
companies have some inadequacy or the other in their IT security. Organisations are<br />
failing to wake up to this problem, whereas, as of now, in our country there have been no<br />
formally reported cases of fraud and losses.<br />
Taking into consideration the experience of other countries, it would be a<br />
matter of time before sophisticated crimes and frauds associated with computers<br />
would be as common place as frauds in a non-computerised environment.<br />
Macro Kapp, Director, Coopers & Lybrand, London, in his presentation "IT<br />
Security in a changing world" at the South East Asia Regional Computer Conference,<br />
December 1989, discussed the possible problems and estimated that worldwide losses<br />
caused by IT security failures would be $ 15-30 billion or so. A body of the French insurance<br />
industry, APSAIRD, has published data for France for the year 1987. The table below<br />
gives the details. It is very shocking and revealing to note that more than 72% of the<br />
losses are caused by<br />
(a) System design and programming errors<br />
(b) Fraud and software sabotage<br />
(c) Theft and disclosure of data<br />
(d) Theft of software.<br />
Data regarding losses due to IT security are available for countries other than<br />
India. In advanced countries, auditing techniques are trying to keep pace with<br />
technological development. In our country technological developments have been<br />
taken advantage of, specially during the last decade. The impact of<br />
computerisation on organisations has been very significant. However, the aspects<br />
of control and audit have been lost sight of, most probably under the impression that<br />
companies are fallible and hence personnel and systems associated with the<br />
computers have to be infallible!<br />
It is in this context that the aspect of making a study of the control procedures<br />
that need to be implemented in different computer environments and the<br />
corresponding audit methodologies to be adopted has been undertaken, to evaluate<br />
the adequacy of controls and take preventive, detective and corrective steps to<br />
minimise the impact of possible losses.<br />
SCENARIO IN OTHER PARTS OF THE WORLD<br />
A new pattern of computer related crime is emerging. It is characterised by<br />
a shift from insiders to outsiders and from applications to systems. The risk is to<br />
management in general, but to computer auditors in particular. In response to this<br />
pattern, computer auditors may wish to leave the audit of applications to others and<br />
shift their focus to systems. In the earlier decades, it was speculated that there would<br />
be exploitation of system vulnerabilities. But what was actually seen was the<br />
exploitation of application vulnerabilities. There was a concern about interference<br />
with or contamination of the application programmes by unauthorised people. What<br />
was seen was manipulation of the input by authorised people! The computer auditors'<br />
emphasis shifted to applications.¹<br />
There was speculation about attacks from outsiders. What was actually<br />
happening was that there were attacks by insiders. It became clear that while system<br />
access controls were necessary, they were not sufficient. People could not be relied<br />
upon to behave safely. In such circumstances, access controls would not be effective.<br />
The emphasis of the auditor shifted to such areas as password management,<br />
separation of duties and user accountability. It is reported that the traditionally<br />
managed systems are contributing to the vulnerability. The analysis of the attacks<br />
which had been studied demonstrates that serious problems would be caused and they<br />
are likely to be on the increase.²<br />
The contributing factors:<br />
(i) There are a large number of privileged users on the target systems. In some<br />
cases, all of the users are privileged. In many cases, privilege on one system<br />
translates into privilege on nearby systems. The analysis proved that if a<br />
hacker is able to gain privilege on a system, he is able to change passwords<br />
on dormant accounts and add "secret doors"; he can contaminate the system<br />
in such a way that it will be impossible to exclude him without seriously<br />
disrupting operations.<br />
(ii) The second factor is the continued reliance on re-usable passwords. This leads<br />
to vulnerability to dictionary attacks.<br />
(iii) The presence on the system of active but rarely used passwords.<br />
(iv) The presence on the system of widely authorised and used, very general, fully<br />
privileged but otherwise insecure programmes. The statistics prove that in a<br />
sample of 150 MVS systems, 103 (67%) had one or more of these<br />
programmes and of these 88 (85%) still had the default lockwords in place.<br />
An analysis of various instances of attacks on the computer suggests a shift in<br />
the source and nature of the exposure. These exposures are so widely<br />
documented that any exploitation will be extraordinarily embarrassing to<br />
management and to computer audit. The study recommends that while<br />
auditors are not responsible for preventing computer related crime, they are<br />
responsible for identifying and reporting to management conditions which<br />
contribute to the crime.<br />
¹ "Computer-related crime and auditing in the nineties" by William H. Murray,<br />
1990, Volume II, The EDP Auditor Journal.<br />
² Ibid.<br />
The recommendations of the study have been as follows:
(i) Identify and report excessive privilege
The auditor should identify all user profiles that contain system management privileges. The presence of more than one should be reported.
(ii) Identify and report programmes that run with system privileges
Application code and system management code should run in application state with the privilege of the user. The auditor should identify and report all such code that runs with system privileges. The auditor should look for and report any evidence that these programmes were available to others. The use of the default lockwords is one such evidence.
(iii) Identify and revoke dormant profiles
A large number of such profiles constitute a risk to the system and should be remedied.
(iv) Identify unused or unnecessary ports
The auditor can contribute to appropriate management consideration. Evidence of unused or unnecessary codes can be obtained by reconciling the presence of system codes to their use and also by examining the process by which such decisions are made.
The recommendations reflect standards of practice that the auditor should expect. These practices are motivated by the emerging exposure to outsider attack. However, they can be expected to reduce the exposure even more from the likely threats from insiders.
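The four recommendations above can be reduced to mechanical checks over an export of the installation's security profiles. The following Python is an added illustration and is not code from the thesis or from any MVS product: the record layout, the field names and the privilege name SYSTEM_MGMT are assumptions, and the profile and programme records are constructed sample data. It implements the checks in general form: more than one profile holding system management privilege, profiles that are active but never used or idle beyond a threshold, and programmes running with system privilege together with the evidence that they were available to others (a default lockword still in place, or general availability).

```python
"""Audit checks for excessive privilege, dormant profiles and privileged
programmes, run over a constructed security-profile export.
Added illustration: record layout and privilege names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    privileges: frozenset[str]   # privilege names are assumed, not product-specific
    active: bool                 # False once the profile has been revoked
    last_used: date | None       # None: never used since it was created


@dataclass(frozen=True)
class Program:
    name: str
    runs_with_system_privilege: bool
    default_lockword_in_place: bool   # vendor-supplied lockword never changed
    available_to_general_users: bool  # callable outside the systems group


SYSTEM_MGMT = "SYSTEM_MGMT"          # assumed name of the system-management privilege


def system_privileged_users(profiles: list[UserProfile]) -> list[str]:
    """User ids whose profile carries system-management privilege."""
    return sorted(p.user_id for p in profiles if SYSTEM_MGMT in p.privileges)


def excessive_privilege_finding(profiles: list[UserProfile]) -> str | None:
    """Recommendation (i): more than one system-management profile is reportable."""
    users = system_privileged_users(profiles)
    if len(users) > 1:
        return f"{len(users)} profiles hold system management privilege: {', '.join(users)}"
    return None


def dormant_profiles(profiles: list[UserProfile], as_of: date,
                     max_idle_days: int = 90) -> list[str]:
    """Recommendation (iii): active profiles never used, or idle beyond the threshold."""
    dormant = []
    for p in profiles:
        if not p.active:
            continue                       # already revoked, nothing to report
        if p.last_used is None or (as_of - p.last_used).days > max_idle_days:
            dormant.append(p.user_id)
    return sorted(dormant)


def privileged_program_findings(programs: list[Program]) -> list[tuple[str, list[str]]]:
    """Recommendation (ii): programmes running with system privilege, with the
    evidence that they were available to others (default lockword, general access)."""
    findings = []
    for prog in programs:
        if not prog.runs_with_system_privilege:
            continue
        reasons = ["runs with system privilege"]
        if prog.default_lockword_in_place:
            reasons.append("default lockword still in place")
        if prog.available_to_general_users:
            reasons.append("available to general users")
        findings.append((prog.name, reasons))
    return findings


def audit_report(profiles, programs, as_of, max_idle_days=90) -> dict:
    """Collect all findings so they can be reported to management together."""
    return {
        "excessive_privilege": excessive_privilege_finding(profiles),
        "dormant_profiles": dormant_profiles(profiles, as_of, max_idle_days),
        "privileged_programs": privileged_program_findings(programs),
    }


# Constructed sample export (not real system data).
AS_OF = date(1990, 6, 30)
PROFILES = [
    UserProfile("ADMIN01", frozenset({SYSTEM_MGMT}), True, date(1990, 6, 28)),
    UserProfile("OPS02", frozenset({SYSTEM_MGMT, "OPERATOR"}), True, date(1990, 1, 15)),
    UserProfile("CLERK03", frozenset({"APPLICATION"}), True, date(1990, 6, 29)),
    UserProfile("TEMP04", frozenset({"APPLICATION"}), True, None),
    UserProfile("OLD05", frozenset({"APPLICATION"}), False, None),
]
PROGRAMS = [
    Program("PAYROLL", False, False, True),
    Program("SYSUTIL", True, True, True),
    Program("BACKUP", True, False, False),
]

if __name__ == "__main__":
    for key, value in audit_report(PROFILES, PROGRAMS, AS_OF).items():
        print(f"{key}: {value}")
```

The idle threshold of 90 days is a parameter rather than a fixed rule because the study gives none; the auditor sets it from the installation's own access policy and reports the profiles that fall outside it, together with the evidence (default lockword, general availability) that a privileged programme was reachable by others.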
Statistics have been provided on computer crime. The statistics have been collected from three discrete surveys. The 1986 computer crime survey consisted of contacting 250 prosecutors' offices; 75 cases were reported.¹ The 1989 computer crime survey consisted of mailing to 2500 prosecutors' offices in the US. The third survey, conducted in late 1988, was with the cooperation of the Information Systems Security Association. The survey went to 3500 computer security professionals. Approximately 14% responded.
¹ Computer Crime and Abuse by J.J. Buck BloomBecker, EDPAA Audit Journal, Volume 11, 1990.
Computer crime: availability of information
On the basis of the three surveys, it was clear that very few computer crimes are reported to prosecution authorities. The chart (1.1) on responses to serious security incidents shows that as against 2% in 1987 it was 6% in 1988. The research further proves that any study of reported computer crime cases may not be representative of the universe of "serious security incidents" known to the respondents in the centre survey. There was a survey conducted in which computer security professionals were asked for "known information security losses" for 1988. The average loss reported was $1,09,000. Figure 1.2 represents the average annual computer abuse loss.
In 1986 theft of money represented almost half of all prosecuted computer crime cases and theft of services represented only 10%. By 1988 money theft exceeded theft of services by only 36% to 34% (Figure 1.3).
More than half of the cases in our natural sample of computer crime prosecutions involved losses of $10,000 or less; only 125% involved losses of $1,00,000 or more (Figure 1.5).
The National Centre for Computer Crime Data (NCCCD) published an analysis which focused on the California (USA) data (Fig. 1.6). Computer professionals predicted phenomenal growth in software products to prevent virus attacks (Fig. 1.7).
Trends in computer abuse
The National Centre for Computer Crime Data has had the opportunity to compare the make-up of prosecuted cases before 1986 and after 1986. They have attempted to infer some significance from the changes, as follows:
A significant development is the growing evidence of the vulnerability of computer communication networks.
Figure 1.4 details the types of computer crimes. Computer security professionals predict enormous growth in the use of software to prevent viruses. However, it was proved that viruses are less of a concern than down time, destruction of data or extraordinary disclosure of data.
Implications of computer crime
Computer crime becomes a media issue whenever a major case comes up. Wise computer security professionals and auditors have been able to convert public interest in crime into enlarged budgets for computer security efforts. The survey finally concluded that controlling computer systems to reduce computer crime is a serious challenge. The problem has been growing, and the assets which can be brought to bear against computer crime have also grown. The authors have concluded that the key to this problem is commitment. There is a need for generating commitment to security. Technological solutions would not solve the problem.
FIG 1.7 : USE OF TECHNOLOGY/PRODUCTS IN 1985, 1988 & 1991 (CHART 2). Vertical axis: percentage of users (0 to 70). Categories: Advanced Encryption; Intrusion Detection Expert Systems; Audit Analysis Aids; Secure Operating Systems; Secure Networks; Secure DBMS's; Anti-virus products. Sources: NCCCD and RGC Associates Security Survey.
Computer abuse in Australia²
Statistics recently released by the Australian Computer Abuse Research Bureau identify that reported computer abuse incidents have increased dramatically. In nine years the Bureau collected reports of 205 cases representing almost $11 million. In 1989 alone, there were 51 reported cases representing $26 million. In the 10 years that the Bureau has been in operation they have identified a number of interesting aspects. The TOP 9 TEST was a measuring mechanism developed by Gerry Benboo and his friends (see appendix, top tests). Of the 392 responding organisations .02% passed the test, with 60% of the respondents not receiving a ranking at all. The study was reperformed recently with the same poor results.
Industrial groupings
ACARB statistics confirm that approximately 36% of computer fraud by value is performed in the financial sector.
Fraud reporting
There is an understandable reluctance to publicly disclose information which is considered confidential, and computer abuse falls into that category. In Australia it is observed that computer crime is performed in 80% of instances by internal employees, and yet only 20% of the organisations are prepared to perform security evaluations on prospective employees. It is reported that in 1984 the American banking system electronically transmitted in excess of $180 billion every day. It is reported that "given the known state of computer security this is not a surprise that computer experts around the world are on the edge waiting for an organised attack which should spell disaster for corporate entities hitherto considered invincible".
² Computer Abuse in Australia by Garry Bonbow, EDPAA Audit Journal, 1990, Volume 2.
OBJECTIVES OF THE STUDY
The basic hypothesis for this thesis is to prove or disprove that controls in a computer environment as they exist now are insufficient and that the auditing practices followed to evaluate the controls and report on them are well below the accepted standards.
In specific terms, the objectives of this study are to:
(1) Identify existing control systems in select types of computerised environments (Personal Computers, End User Computing, LAN, DBMS etc.);
(2) Review the procedures which the selected auditors are adopting in those computerised environments to satisfy themselves that the internal controls are adequate in terms of the completeness, accuracy and reliability of the information which forms the basis of the financial statements of the organisation;
(3) Examine the levels of efficiency of control procedures in the light of well-laid-out standards of controls in different environments;
(4) Evaluate the overall level of controls meant to ensure the appropriateness of audit requirements; and
(5) Suggest suitable control mechanisms to improve the effectiveness of audit practices in a computerised environment.
SOURCES OF DATA
The study is based both on primary and secondary data. The secondary data sources are well-known publications of studies effected in the USA and UK. Primary data is that personally collected from organisations and auditors.
Secondary data
1. Systems Auditability & Control Reports published by the Institute of Internal Auditors, USA
2. A Handbook of Computer Security edited by Keith Hearnden.
3. Auditing Computer Security - A Manual with Case Studies by S. Rao Vallabhaneni.
To generate a plausible hypothesis for the study, a focus group discussion was adopted with experts fully conversant with EDP auditing practices, and the consensus from the group was then stated as an initial hypothesis for further research in this study.
The actual methodology adopted for this research falls under the category of the in-depth case study method. There are two typical methods available for doing research with empirical data. One is the large sample survey method and the other is the in-depth case study method. Generally the large sample survey method is resorted to when the system being studied or researched is very familiar to the respondents and they can correctly interpret and answer the questions posed to them. Wherever for the first time a research is undertaken to study the performance of any system, it is preferable to have a detailed checklist of relevant questions pertaining to the study which could be personally administered by the researcher, so that he/she can clarify the meaning and interpretation of the questions to the various respondents. In that process, additional insights can be obtained about the performance of the system through personal discussions. Understandably, the number of such cases cannot be too large if in-depth discussion is to be facilitated. So in this research, the study has adopted the second method, the in-depth case study. Also in this method the number of organisations and the number of respondents taken are not too large. Hence conventional statistical tests for validating the responses will not be meaningful.
Selective data which is not biased has been selected for sampling purposes. Leading audit firms who have an extensive clientele both in the public sector and the private sector, operating in different areas such as finance, marketing, manufacturing etc., have been chosen. As regards organisations which have been using computers, a sample size of 30 was tested. As leading auditors were contacted for the auditing methodology adopted by them, the data would represent audit procedures adopted in more than 100 organisations.
As regards the computerised environment, the sample size of 30 installations includes different types of management like public sector, private sector, public limited companies, private limited companies, financial institutions, banking etc.
The methodology and sample size are defended on the following grounds:
1. Though the findings of the study are substantially based on the responses to the questionnaire, considerable personal intervention has still taken place with the Managers concerned to get deeper insights into their problems and state of affairs. This would not be possible if a larger sample were taken.
2. (a) The organisations chosen for the study are typical of most Indian commercial organisations.
(b) The auditors interviewed are also the reputed ones.
(c) The variation in the responses in the sample organisations/auditors is practically nil. This gives substantive credibility to the findings and hence generalisations also are valid.
The fundamental principle in sampling theory, that the lesser the variation in responses the smaller the sample that will be adequate, has been adopted.
LIMITATIONS OF THE STUDY
The study has the following limitations:
a) The data for the study is not voluminous though illustrative. This is due to the fact that a representative sample which has not been subjectively chosen has been selected.
b) Throughout the study no distinction has been made between the different management styles of the various organisations. This is due to the fact that though the style of management may vary, the concept of basic accountability of top management does not cease.
c) The auditors selected are mostly seniors and well established in the profession. Juniors and freshers have not been many in the sample. This is due to the fact that larger organisations with wider computerisation are mostly audited by seniors. However, in the smaller organisations, it is mostly PC based, and controls in PC environments have been fairly well covered in the samples.
ARRANGEMENT OF THE CHAPTERS
The thesis has been divided into nine chapters. Chapter II deals with auditing standards, where the need for standards is emphasised. The professional pronouncements in the form of Standards of international bodies like the American Institute of Certified Public Accountants, the Institute of Chartered Accountants of England and Wales, the Institute of Internal Auditors, USA, and the EDP Auditors Association, USA, are referred to with special reference to those standards which are applicable to auditing in a computerised environment. Reference is also made to ISO 9000-3, wherein quality standards required for software development are specifically mentioned.
Chapters III, IV, V and VI deal with controls in specific environments. Four important and more commonly used environments have been chosen. Chapter III deals with controls in End-User computing. The reasons for the rapid growth of End-User computing, control concerns and audit considerations are also highlighted. A copy of the questionnaire which was used to make a sample survey of five organisations having End-User computing is enclosed. The findings at the end of the chapter are based not only on the information collected from the responses to the questionnaire, but also on those of the research team of the Institute of Internal Auditors, US, as published in their Report, "Systems Auditability and Control".
Chapter IV deals with Local Area Networks. A technology overview is provided. The current utilisation of LANs in different organisations is discussed. Accepted procedures regarding the establishment of controls and auditing procedures are discussed. A sample questionnaire to evaluate the controls in organisations having a LAN is enclosed. This questionnaire was utilised to secure responses from five organisations, and the existing practices for implementation of controls and audit procedures in these environments are compared with accepted controls and audit procedures in a local area network environment. This is followed by analysis and findings. The findings include my own, based on the responses from five organisations, as also the IIA's findings as reported in SAC. The suggestions regarding effective implementation of controls in a LAN and the specific audit procedures needed form the subject matter of the section regarding suggestions.
Chapter V deals with the topic of Database Management Systems (DBMS). While explaining the concept, the specific vulnerabilities of the environment and the steps to be taken to plug the loopholes are discussed. The procedures and systems as followed in organisations which have implemented a DBMS are discussed. The standard accepted procedures, control objectives and audit guidelines in a database management system environment are stated. The controls and audit procedures as they exist are compared with the norms. The results are analysed and the findings reported. The findings also include those reported in SAC of the IIA. The final section contains suggestions regarding implementation of controls and practice of the acceptable audit procedures.
Chapter VI deals with controls in a UNIX environment. The operating system UNIX had been the subject matter of controversy. It was even stated that "UNIX security" is a contradiction in terms, as the original version of the UNIX operating system had a great deal of vulnerabilities. Over a period of time, later versions have attempted to plug the loopholes. Many proprietary versions of the UNIX operating system have also been supplied by vendors. A general discussion on the UNIX operating system with possible loopholes, and the attempts made by subsequent versions of different vendors to plug the same, is also included. Special audit concerns in this operating system and how the auditor should audit the system using UNIX itself are discussed. Based on the questionnaire enclosed, responses have been obtained from five organisations and the analysis and findings have been reported. Suggestions for implementation of effective controls and proper procedures to be adopted by auditors are discussed.
Chapter VII deals with the Disaster Recovery Plan. The importance of the Disaster Recovery Plan is highlighted, and instances of successful disaster recovery plans (DRP) and failures due to the absence of a DRP are highlighted.
The anticipation of possible exposures and providing for the same is discussed. The contents of a DRP, the method of implementation and review are highlighted. The role of the auditor with regard to the disaster recovery plan is discussed.
A sample questionnaire for collecting information from a sample of 30 organisations is enclosed. The analysis of the findings has been reported. Suggestions for effective implementation of DRP and the role of the auditor are also brought out.
Technological developments are continuously taking place in the areas of development, storage, communication, databases etc. Concepts of CASE tools, Reengineering and EDI have been highlighted. Control objectives and audit concerns in these areas have been discussed and included in the chapter "Summary, Conclusions and Recommendations".
Chapter VIII deals with an audit approach. Without considering any specific environment, a general approach which an auditor should have when auditing a computerised environment is highlighted.
The current scenario is discussed briefly. A detailed discussion on well-accepted approaches for auditing in a computerised environment is attempted, giving the various steps and the tasks involved in each step. A sample questionnaire is enclosed to illustrate information regarding the approach of auditors as currently practised.
Practising auditors' responses to the questionnaire have been analysed. This is also supported by information gathered from a sample of 30 organisations regarding the audit practices of their respective organisations.
Chapter IX presents a summary of the findings and draws an overall conclusion.
CHAPTER II
AUDITING STANDARDS
INTRODUCTION
Auditing Standards, as the very name indicates, refers to standards for audit performance. They are the measures of the quality of performance of auditing procedures and the objectives to be attained by using the procedures followed.
The auditor's objective is to reach a conclusion on whether the financial statements taken as a whole are materially mis-stated. The auditor is expected to accumulate the potential of such adjustments and evaluate the combined effect. If he has concluded that the financial statements are materially affected by an irregularity, he should either insist on the financial statements being revised or, if they are not revised, he should qualify his opinion on the financial statements. He should disclose substantive reasons for his opinion.
In a computerised environment it is expected that the auditor should satisfy himself that the controls are adequate enough to produce accurate and complete financial statements. Should he not have evaluated the controls, or, having evaluated the controls, he concludes that they are inadequate and hence that the financial statements are likely to be materially misstated, the auditor is expected to qualify his opinion.
The American Institute of Certified Public Accountants (AICPA) issues Statements on Auditing Standards (SAS) which concern the external auditor's responsibilities. Periodically new SASs are issued superseding the earlier ones.
SAS 31 deals with evidential matter.
SAS No. 31 (AU Section 326.12), as amended by SAS No. 48, makes it clear that audit evidence is not affected by the use of computer processing. Only the method by which the auditor gathers that evidence can be affected.
The auditor's specific audit objectives do not change whether accounting data is processed manually or by computer. However, the methods of applying audit procedures to gather evidence may be influenced by the method of data processing. The auditor can use either manual audit procedures, computer-assisted audit techniques, or a combination of both to obtain sufficient, competent evidential matter. However, in some accounting systems that use a computer for processing significant accounting applications, it may be difficult or impossible for the auditor to obtain certain data for inspection, inquiry, or confirmation without computer assistance.
The American Institute of Certified Public Accountants' Computer Auditing Subcommittee provides guidance on the effect of computerisation on the audit process. This committee advises the Auditing Standards Board and other AICPA committees on matters relating to audits that involve computerised systems. The AICPA has come out with several publications providing guidance related to the computer environment. However, these are not official pronouncements but only guidelines.
1. Management Control and Audit of Advanced EDP Systems was issued in 1983. This guideline describes the characteristics of advanced EDP systems. It discusses control mechanisms and auditing of such systems.
2. Audit Considerations in an "On-line Environment" is another guideline published in 1983. This guideline contains a description of the various environments that are encompassed by 'on-line systems'. This guideline identifies the impact of the 'on-line environment' on the auditor's study and evaluation of the system of internal accounting control.
3. "Controls over Using and Changing Computer Programmes" is a guideline issued in 1979 which provides guidance to ensure that no unauthorised changes are made to the programme and that any changes are duly authorised by Management.
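The control objective of the 1979 guideline, that no change reaches a production programme without management authorisation, is usually tested by reconciling what is actually installed against an authorised baseline and the change register. The Python below is an added illustration, not code from the AICPA guideline or from the thesis: the baseline and register formats are assumptions, the programme images and the authorisation reference CR-0042 are constructed, and it reports three classes of exception (a programme changed without a matching authorisation, a programme missing from production, and a programme present in production but absent from the baseline).

```python
"""Detecting unauthorised programme changes by reconciling installed programme
images against an authorised baseline and the change-authorisation register.
Added illustration; the baseline and register formats are assumptions."""
from __future__ import annotations

import hashlib


def fingerprint(image: bytes) -> str:
    """SHA-256 of a programme image; the baseline holds fingerprints, not images."""
    return hashlib.sha256(image).hexdigest()


def detect_unauthorised_changes(
    installed: dict[str, bytes],                   # name -> image now in production
    baseline: dict[str, str],                      # name -> fingerprint approved at last audit
    approved_changes: dict[tuple[str, str], str],  # (name, new fingerprint) -> authorisation ref
) -> list[dict]:
    """One finding per programme that differs from the baseline without a matching
    authorisation, per programme missing from production, and per programme
    found in production but absent from the baseline."""
    findings = []
    for name, image in installed.items():
        current = fingerprint(image)
        expected = baseline.get(name)
        if expected is None:
            findings.append({"program": name, "issue": "not in authorised baseline",
                             "fingerprint": current})
        elif current != expected:
            ref = approved_changes.get((name, current))
            if ref is None:
                findings.append({"program": name, "issue": "changed without authorisation",
                                 "fingerprint": current})
            # otherwise the change was authorised under `ref`: no finding
    for name in baseline:
        if name not in installed:
            findings.append({"program": name, "issue": "missing from production",
                             "fingerprint": baseline[name]})
    return sorted(findings, key=lambda f: f["program"])


# Constructed sample data (not from any real installation).
PAYROLL_V1 = b"PAYROLL LOAD MODULE v1 (constructed)"
PAYROLL_V2 = b"PAYROLL LOAD MODULE v2 (constructed)"
LEDGER_V1 = b"LEDGER LOAD MODULE v1 (constructed)"
LEDGER_PATCHED = b"LEDGER LOAD MODULE v1 + unlogged patch (constructed)"
REPORTS_V1 = b"REPORTS LOAD MODULE v1 (constructed)"
UTIL = b"UTILITY LOAD MODULE (constructed)"

BASELINE = {"PAYROLL": fingerprint(PAYROLL_V1),
            "LEDGER": fingerprint(LEDGER_V1),
            "REPORTS": fingerprint(REPORTS_V1)}
INSTALLED = {"PAYROLL": PAYROLL_V2, "LEDGER": LEDGER_PATCHED, "UTIL": UTIL}
# PAYROLL v2 was approved under a (constructed) change request; the LEDGER patch was not.
APPROVED_CHANGES = {("PAYROLL", fingerprint(PAYROLL_V2)): "CR-0042 (constructed ref)"}

if __name__ == "__main__":
    for finding in detect_unauthorised_changes(INSTALLED, BASELINE, APPROVED_CHANGES):
        print(finding)
```

The baseline must be held outside the control of the people who can change production programmes, otherwise an unauthorised change can simply be accompanied by an updated baseline; the register of approved changes is keyed on the new fingerprint so that an authorisation cannot be reused to cover a different image.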
4. "Computer-assisted Audit Techniques", the guideline issued as early as 1979, describes audit tools and techniques that are relevant for auditing effectively in a computerised environment.
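SAS 31 (above) allows the auditor to obtain evidential matter with computer assistance, and the 1979 guideline just described covers the tools for doing so. The following Python is an added illustration of such a technique and is not code from either document or from the thesis: it runs four substantive tests over a constructed sales-invoice file (a control-total reconciliation against an independently held ledger figure, a search for gaps in the invoice number sequence, a search for duplicate invoice numbers, and a check for invoices above an approval limit with no recorded approval). The record layout, the ledger total and the approval limit are assumptions.

```python
"""A small computer-assisted audit technique: substantive tests run over a
constructed sales-invoice file. Added illustration; the record layout, the
ledger control total and the approval limit are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    number: int
    customer: str
    amount: Decimal
    approved_by: str | None   # None: no approval recorded against the invoice


def control_total_difference(invoices: list[Invoice], ledger_total: Decimal) -> Decimal:
    """Completeness: file total minus the independently held ledger control total.
    Zero means the file agrees with the ledger."""
    return sum((inv.amount for inv in invoices), Decimal("0")) - ledger_total


def sequence_gaps(invoices: list[Invoice]) -> list[int]:
    """Completeness: invoice numbers missing from an otherwise continuous sequence."""
    numbers = sorted({inv.number for inv in invoices})
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def duplicate_numbers(invoices: list[Invoice]) -> list[int]:
    """Validity: the same invoice number recorded more than once."""
    seen: set[int] = set()
    dups: set[int] = set()
    for inv in invoices:
        (dups if inv.number in seen else seen).add(inv.number)
    return sorted(dups)


def unapproved_over_limit(invoices: list[Invoice], limit: Decimal) -> list[int]:
    """Authorisation: invoices above the limit with no approval recorded."""
    return sorted(inv.number for inv in invoices
                  if inv.amount > limit and inv.approved_by is None)


def exception_report(invoices: list[Invoice], ledger_total: Decimal,
                     limit: Decimal) -> dict:
    """All exceptions in one structure, for follow-up with the client."""
    return {
        "control_total_difference": control_total_difference(invoices, ledger_total),
        "sequence_gaps": sequence_gaps(invoices),
        "duplicate_numbers": duplicate_numbers(invoices),
        "unapproved_over_limit": unapproved_over_limit(invoices, limit),
    }


# Constructed sample invoice file and control figures (not real client data).
INVOICES = [
    Invoice(1001, "ALPHA LTD", Decimal("250.00"), None),
    Invoice(1002, "BETA & CO", Decimal("1500.00"), "MGR"),
    Invoice(1004, "GAMMA PLC", Decimal("12000.00"), None),   # over limit, not approved
    Invoice(1005, "DELTA INC", Decimal("800.00"), None),
    Invoice(1005, "EPSILON", Decimal("800.00"), None),       # duplicate number
]
LEDGER_TOTAL = Decimal("15850.00")     # assumed figure from the general ledger
APPROVAL_LIMIT = Decimal("10000.00")   # assumed authorisation limit

if __name__ == "__main__":
    for key, value in exception_report(INVOICES, LEDGER_TOTAL, APPROVAL_LIMIT).items():
        print(f"{key}: {value}")
```

Amounts are held as Decimal rather than floating point so that the control total reconciles exactly; a difference of a few cents from rounding would otherwise be indistinguishable from a genuine omission.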
An Accounting Guide entitled "Audit of Service Centre" was originally issued in 1974 and subsequently revised in 1987. This guide addresses the special problems of auditing organisations which utilise an external service centre facility. The revised guide has incorporated all relevant auditing pronouncements as also the general guidance in SAS 44, "Special Purpose Reports on Internal Accounting Control at Service Organisations". The guide has three chapters as follows:
i. Effect of an organisation's use of an EDP Service Centre on the auditor's study and evaluation of internal control;
ii. Reporting of reviews on EDP Service Centres;
iii. Using reports on internal control at EDP Service Centres in the auditor's study and evaluation of internal control.
i. Effect of an organisation's use of EDP Sen<strong>in</strong> Centre on the auditor's study<br />
<strong>and</strong> evaluation of <strong>in</strong>ternal wntrol<br />
This Chapter discusses the impact of us<strong>in</strong>g EDP Service Centre on the system<br />
of <strong>in</strong>ternal account<strong>in</strong>g control <strong>and</strong> the user organisation. It also deals with the impact<br />
which it will have on the auditor's study <strong>and</strong> evaluation of the system of the<br />
organisation. It makes specific mention of the circumstances <strong>in</strong> which the auditor of<br />
such an organisation should <strong>in</strong>clude <strong>in</strong> the study control procedures at an EDP<br />
Service Centre.<br />
ii.<br />
Report<strong>in</strong>g of reviews on EDP Service Centres<br />
The EDP Service Centre would generally be used by different organisations<br />
who may be hav<strong>in</strong>g different auditors. It would be difficult for the service centre to<br />
subject itself for a review by aU the auditors. In this chapter, a reasonable alternative<br />
has been suggested by which a s<strong>in</strong>gle auditor specifically reviews the <strong>in</strong>ternal control<br />
procedures of the senice Centre <strong>and</strong> reports the results of other auditors.<br />
The guide describes the manner <strong>in</strong> which the auditor of the Service Centre<br />
would report the results of the Review of the SeM'ce Centre. The guide further<br />
provides that while the auditors use the report of the service centre auditor, they<br />
would cont<strong>in</strong>ue to reta<strong>in</strong> the responsibility for evaluat<strong>in</strong>g the <strong>in</strong>ternal control system<br />
at the senice centre.
Us<strong>in</strong>g reports on <strong>in</strong>ternal control at EDP Service Cent=<br />
The guide discusses how the service auditor's report can be utilised by the<br />
auditor of the organisation <strong>in</strong> evaluat<strong>in</strong>g the <strong>in</strong>tegrity of the f<strong>in</strong>ancial statements of<br />
the client.<br />
AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS, U.S.A.

The American Institute of Certified Public Accountants (AICPA) issues procedure studies which, though not authoritative, provide practical assistance in carrying out auditing procedures.

The Computer Audit sub-committee of the AICPA has five separate Task Forces for developing auditing procedure studies in a computerised environment. The studies which have been completed and released for members' benefit are as follows:

a) Auditor's use of micro-computers, published in 1986. This provides guidance to auditors on using micro-computers as an audit tool.
b) Auditing in a paperless environment. This study describes the impact of a paperless environment on the audit approach, especially in view of the inherent risk when there is no paper trail to substantiate the transactions.
c) Audit impact on small (micro/mini) computer systems. The study provides guidance when clients operate in the above environment, with special reference to the fact that reliance on computer controls is unlikely.
d) Audit impact on mid-size (mini/midrange) computer systems. This study gives guidance when clients use not so complex computer systems but there is some reliance on computer controls.
e) Audit impact of large (complex) computer systems. This study provides guidance on the inherent and control risks in auditing an organisation in the above environment. There is a greater likelihood of there being significant reliance on controls.

The Auditing Standards Board has approved the issue of a set of general standards called Attestation Standards. These specifically affect some computer-related engagements. They are written broadly to apply to all attestation engagements in which a certified public accountant issues a report which contains a conclusion on an assertion after examining such assertion.

Attestation standards deal with:
a) Technical competence
b) Due care
c) Adequate planning
d) Sufficient evidence
e) Proper reporting

Attestation standards are thus similar to the generally accepted auditing standards (GAAS).
INSTITUTE OF INTERNAL AUDITORS, U.S.A.

The Institute of Internal Auditors in 1977 published a Report (Systems Auditability and Control Report). IBM provided a grant to the IIA and the study was conducted by Stanford Research Institute, which published it in three volumes as:
i. Executive report
ii. Control Practices report
iii. Audit Practices report.

Though published almost two decades ago, many of the findings and conclusions of the study are relevant and applicable to the audit and control of EDP systems of the current day.

Executive report

This provides an overview of the audit of EDP systems, and the study has concluded that, in spite of data processing systems and internal audit techniques continuing to evolve, coordination between the two disciplines is not keeping pace.

The Control Practices report, while discussing specific control techniques, classifies controls as general controls and application controls. The study recommends that the auditor should be associated with the pre-installation review so that better systems and effective controls could be applied.

The Audit Practices Report contains a list of 28 audit tools and techniques for effective use by auditors while auditing in a computerised environment.

The Institute of Internal Auditors, again under a grant from IBM and with research by Price Waterhouse, published the Systems Auditability and Control Report in 1991. The grant was as large as US $500,000 and over 150 volunteers participated in the development and review of the SAS report. The report consists of 12 modules as follows:

Executive summary
Audit and Control environment
Using Information Technology in Auditing
Managing Computer Resources
Managing Information and Developing Systems
Business systems
End-user and department computing
Telecommunications
Security
Contingency Planning
Emerging Technologies
Index

The Research Report in its Executive summary concludes as follows:

"Professional internal auditors of the 1990s have the necessary understanding and skills to review controls over information technology. As control specialists, auditors assist management in its responsibility to implement cost-effective controls to mitigate the risks associated with the use of information technology and to meet the objectives of the organisation.

Responsible information systems professionals and system users of the 1990s understand information technology risks, implement proper controls and ensure auditability of information systems. The SAS Report provides the guidance to management and practitioners in internal audit, information systems, user functions and other groups interested in the control and audit of all areas of information systems and technology."
The EDP Auditors Association, which has its headquarters in the USA, is the only professional association dedicated solely to EDP auditing. The EDP Auditors Association was established in 1985.

EDP Auditors Foundation (EDPAF)

The EDP Auditors Foundation develops and promulgates official auditing standards applicable to EDP auditing. Its objectives as stated are:
1. Develop and maintain professional standards, and provide credentials as Certified Information Systems Auditors (CISA) to individuals whose competence meets the organisation's standards.
2. Provide education in EDP auditing.
3. Conduct research in EDP auditing and controls.
4. Assist qualified individuals in the study of EDP auditing.

ETHICS AND STANDARDS

The EDP Auditors Foundation has established a code of professional conduct for Certified Information Systems Auditors. The EDP Auditors Association published in 1987 "General Standards for Information Systems Auditing". The EDP Auditors Association has a Standards Board which is a Standing Committee. The Board's formally adopted mission is as follows:

"To advance the quality of information systems auditing, it is the responsibility of the Standards Board to promulgate and maintain standards of practice. These standards apply to members of the EDPAA and to holders of the certification in information systems auditing."

The Standards' authority is derived from the code of professional ethics, which provides that members of the EDPAA and holders of the CISA will apply the Information Systems Auditing Standards adopted by the EDPA Foundation. As mentioned by the EDPAF, the authority of guidelines and procedures is secondary to the standards themselves.

The relationship between Information Systems Auditing Standards and other auditing standards: the information systems auditing standards promulgated by the EDPA Foundation are intended to supersede auditing standards developed by other professional bodies. However, where a conflict is perceived to exist between the Standards of the EDPA Foundation and those of any other professional body, it is the responsibility of the EDPA Foundation to use professional judgment to resolve the matter.

GENERAL STANDARDS FOR INFORMATION SYSTEMS AUDITING

The EDP Auditors Foundation has stated that the following ten standards are applicable to Information Systems auditing:
Independence

General Standard No. 1
Attitude and Appearance: In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance.

General Standard No. 2
Organisational Relationship: The information systems audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.

General Standard No. 3
Code of Professional Ethics: The information systems auditor is to adhere to the Code of Professional Ethics of the EDP Auditors Foundation.

Technical competence

General Standard No. 4
Skills and Knowledge: The information systems auditor is to be technically competent, possessing the skills and knowledge necessary in the performance of the auditor's work.

General Standard No. 5
Continuing Professional Education: The information systems auditor is to maintain technical competence through appropriate continuing education.

General Standard No. 6
Planning and Supervision: Information systems audits are to be planned and supervised to provide assurance that audit objectives are achieved and compliance with these standards is met.

General Standard No. 7
Evidence Requirement: During the course of the audit, the information systems auditor is to obtain evidence of a nature and sufficiency to support the findings and conclusions reported.

General Standard No. 8
Due Professional Care: Due professional care is to be exercised in all aspects of the information systems auditor's work, including observance of applicable auditing standards.

Reporting

General Standard No. 9
Reporting of Audit Coverage: In preparing reports, the information systems auditor is to state the objectives of the audit, the period of coverage and the nature and extent of the audit work performed.

General Standard No. 10
Reporting of Findings and Conclusions: In preparing reports, the information systems auditor is to state findings and conclusions concerning the audit work performed and any reservations or qualifications that the auditor has with respect to the audit.

The effective date of the standards is January 1, 1988.
The two statements on independence issued by the Board of the EDPA Foundation are effective from 1st July 1989.

Statement No. 1 deals with independence: attitude and appearance, and organisational relationship. It lays down the following:

(a) The information systems auditor should have an independent attitude towards the audit.
(b) If the auditor's independence is impaired, the auditor should not participate in the audit. The auditor's independence is deemed to have been impaired if the auditor has an expectation of financial gain or any other advantage due to his influence as an auditor.
(c) Perception of the auditor's independence could affect the acceptance of the auditor's work. For example, if the auditor becomes aware that a situation or relationship is perceived to impair his independence, the auditor is expected to inform the auditee management as early as possible of the perceived impairment.
(d) An auditor should be organisationally independent of the area being audited to ensure that the audit is objective and fair.
(e) When the auditor's independence is impaired and he continues to be associated with the audit, a disclosure needs to be made.
(f) Independence of the auditor needs to be continuously assessed by the auditor and management.
(g) The auditor's work and report should represent a discharge of professional responsibility which exemplifies integrity and objectivity.

Statement No. 2

This statement deals with involvement in the systems development process. It provides definitions for the following:
(a) Application systems
(b) Systems development process
(c) Application development review

This statement lays down that:
(a) The auditor should maintain an attitude and appearance of independence in conducting an application development review.
(b) The auditor should be independent of the project team. However, the auditor may recommend controls and other systems features without impairing his independence.
(c) The performance of an application development review does not impair the auditor's ability to perform an independent evaluation of the application after its implementation.
(d) The independence of the auditor may be impaired if the auditor becomes actively involved in the design and implementation of the application system, for example by becoming a decision-making member of the project team.
(e) The auditor's involvement merely as a member of the project team (not as a decision-making member) in the design and implementation of audit tools and techniques does not impair the auditor's independence.

Statement Nos. 3, 4, 5, 6 and 8 deal with performance of work.
Statement No. 3

This statement becomes effective from 1st July 1991. It deals with the "evidence requirement" and defines evidence as information used by the auditor to meet audit objectives. The nature of information used as evidence should be relevant and reliable; it should also be sufficient to form an opinion or support findings and conclusions.

Evidence is relevant if it has a logical relationship to the findings and conclusion. Evidence is reliable if in the auditor's opinion it is valid, objective and supportable.

There are various types of evidence, which include physical evidence, documentary evidence, representations and analysis.

Evidence should be sufficient to support the auditor's findings and conclusions in a computerised environment. A mere programme listing is not sufficient evidence to verify that it represents the actual programme used in a production run. If sufficient evidence is not obtainable, the auditor should disclose this fact. Procedures used to collect evidence include enquiry, observation, inspection, confirmation and re-performance. These procedures may be manual audit procedures or computer-assisted audit techniques (CAATs).

Evidence gathered should be properly documented and organised to support audit findings.
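The point that a programme listing alone does not evidence what actually ran in production, as an added illustration in Python (not from the thesis or the EDPAF statement): confirmation of the installed programme against its change-control record, and re-performance of a sample of transactions. The change record, programme copies, business rule and sample figures are all constructed assumptions.

```python
"""Constructed example: collecting sufficient evidence about a production programme.

A listing on file shows what was reviewed, not what ran. Two computer-assisted
procedures named in the statement are modelled: confirmation (the installed
programme's hash against the authorised change record) and re-performance
(independent recomputation of a sample of transactions). Every artefact,
record and figure below is constructed for the illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def sha256_hex(data: bytes) -> str:
    """Content hash used to tie a programme copy to its authorisation record."""
    return hashlib.sha256(data).hexdigest()


# Constructed: the programme listing the auditor inspected under change control.
APPROVED_LISTING = (
    b"def monthly_interest(balance_cents, annual_rate_bp):\n"
    b"    return balance_cents * annual_rate_bp // 120000\n"
)
# Constructed: the change-control record carrying the hash management authorised.
CHANGE_RECORD = {
    "change_id": "CR-EXAMPLE-001",  # placeholder identifier
    "approved_sha256": sha256_hex(APPROVED_LISTING),
}
# Constructed: two possible copies found on the production system. The second was
# altered after authorisation; the listing on file would never reveal that.
PRODUCTION_COPY_OK = APPROVED_LISTING
PRODUCTION_COPY_ALTERED = APPROVED_LISTING.replace(b"// 120000", b"// 100000")

# Constructed: a sample of (balance in cents, annual rate in basis points) and the
# figures each copy of the programme produced for it.
SAMPLE = [(100_000, 500), (250_000, 325), (99_999, 1200)]
OUTPUT_FROM_OK_COPY = [416, 677, 999]
OUTPUT_FROM_ALTERED_COPY = [500, 812, 1199]


@dataclass
class EvidenceItem:
    procedure: str                 # confirmation, re-performance, inspection, ...
    description: str
    obtained: bool                 # False when the evidence could not be collected
    finding: Optional[str] = None  # an exception noted from the evidence, if any


def confirm_production_programme(deployed: Optional[bytes], record: dict) -> EvidenceItem:
    """Confirmation: compare the installed programme with the authorised version."""
    desc = f"installed programme checked against change record {record['change_id']}"
    if deployed is None:
        # The production copy could not be obtained: the listing alone is not
        # sufficient, so the item is recorded as not obtained (to be disclosed).
        return EvidenceItem("confirmation", desc, obtained=False)
    actual = sha256_hex(deployed)
    if actual != record["approved_sha256"]:
        return EvidenceItem("confirmation", desc, True,
                            f"installed programme hash {actual[:12]}... differs "
                            f"from the authorised version")
    return EvidenceItem("confirmation", desc, True)


def expected_monthly_interest(balance_cents: int, annual_rate_bp: int) -> int:
    """The auditor's own calculation from the documented business rule:
    one twelfth of the annual rate applied to the balance, truncated to cents."""
    return balance_cents * annual_rate_bp // 120000


def reperform_sample(sample: Sequence[Tuple[int, int]], produced: Sequence[int]) -> EvidenceItem:
    """Re-performance: recompute each sampled transaction independently of the system."""
    desc = f"{len(sample)} sampled transactions recomputed independently"
    exceptions = [
        (balance, rate, expected_monthly_interest(balance, rate), got)
        for (balance, rate), got in zip(sample, produced)
        if expected_monthly_interest(balance, rate) != got
    ]
    if exceptions:
        return EvidenceItem("re-performance", desc, True,
                            f"{len(exceptions)} exception(s) "
                            f"(balance, rate, expected, produced): {exceptions}")
    return EvidenceItem("re-performance", desc, True)


def gather_evidence(deployed: Optional[bytes], sample, produced) -> dict:
    """Run both procedures and summarise: findings to report, and whether the
    auditor must disclose that sufficient evidence was not obtainable."""
    items: List[EvidenceItem] = [
        confirm_production_programme(deployed, CHANGE_RECORD),
        reperform_sample(sample, produced),
    ]
    return {
        "items": items,
        "findings": [i.finding for i in items if i.finding],
        "disclose_insufficiency": any(not i.obtained for i in items),
    }


if __name__ == "__main__":
    cases = [("authorised copy", PRODUCTION_COPY_OK, OUTPUT_FROM_OK_COPY),
             ("altered copy", PRODUCTION_COPY_ALTERED, OUTPUT_FROM_ALTERED_COPY),
             ("copy not obtainable", None, OUTPUT_FROM_OK_COPY)]
    for label, copy, out in cases:
        result = gather_evidence(copy, SAMPLE, out)
        print(label, "->", result["findings"] or "no findings",
              "| disclose insufficiency:", result["disclose_insufficiency"])
```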
Statement No. 4

Due professional care: The statement is effective from 1st July 1991. "Due care" is defined as that level of diligence which a prudent person would exercise in a given set of circumstances. "Due professional care" applies to an individual who professes to exercise a special skill such as information systems auditing. "Due professional care" requires the individual to exercise that skill to a level commonly possessed by practitioners of that speciality.

"Due professional care" does not imply that the professional is infallible. If, in spite of the exercise of "due professional care" and integrity, an incorrect conclusion is drawn and it is subsequently discovered that the conclusion is incorrect, this does not indicate inadequate professional judgment or lack of diligence on the part of the auditor.

Due professional care includes:
(i) Evaluation of audit risk;
(ii) Formulation of audit objectives;
(iii) Establishment of audit scope;
(iv) Selection of audit tests;
(v) Evaluation of test results.

The auditor should not accept an assignment unless adequate skills, knowledge and other resources are available to complete the assignment in a manner expected of a professional.

Where the auditor has not complied with professional standards, the auditor should disclose the circumstances under which this was done.

Statement No. 5

The use of risk assessment in auditing: The statement is effective from 1st November 1992. The statement defines the terms risk, exposure and risk assessment as follows:

"Risk: The possibility of an act or event occurring that would have an adverse effect on the organisation and its information systems."

"Exposure: The potential loss to an area due to the occurrence of an adverse event ... Exposure can be reduced by implementation of properly designed controls."

"Risk assessment: A process used to identify and evaluate risks and their potential impact."

The statement lays down that the auditor should use risk assessment techniques in developing the overall audit plan and in planning specific audits. The auditor should document the risk assessment methodology used for a specific audit. As no single risk assessment methodology is appropriate for all situations, the auditor should re-evaluate the appropriateness of the particular methodology periodically.

Statement No. 6

Audit documentation: The statement is effective from 1st November 1992. Documentation is a record of the audit work performed and the evidence gathered. Documentation should include details of planning and preparation, the audit programme, audit steps, audit findings, the report and the auditee's responses. The extent of the auditor's documentation would include:
i. The auditor's understanding of the area to be audited and its environment.
ii. The auditor's understanding of the information processing systems and the internal control environment.
iii. Information that is required by law, by any other statutory agency or by any applicable standards.

Documentation regarding audit findings and conclusions should be organised, stored and secured in a manner that is appropriate for the media on which it is retained.
Statement No. 8

This statement deals with audit considerations for irregularities and is effective from 1st September 1993. The statement defines irregularities as "intentional violations of established management policy or wilful mis-statements or omissions of information of the area under audit or the organisation ... Irregularities include, but are not limited to, deliberate circumvention of controls with the intent to conceal the purported commission of irregularities, fraud, unauthorised use of assets or services and abetting or helping to conceal these types of activities."

The statement lays down that it is the responsibility of management to have an effective system of internal controls to provide reasonable assurance of preventing or detecting irregularities.

The auditor should assess the risk of occurrence of irregularities connected with the area under audit. While preparing an assessment the auditor should consider:
i. Organisational characteristics
ii. The types of assets held
iii. The system of internal controls
iv. Applicable legal requirements
v. Basis of risk assessment

The auditor has the responsibility to perform such audit tests as would reasonably help to detect irregularities that could have a significant impact on the area under audit.

An audit cannot guarantee that irregularities will be detected. The detection of irregularities should be communicated to persons at the appropriate level in the organisation. Further, if the auditor discovers fraudulent activities, he is required to report to the appropriate Government agencies.

Reporting: Statement No. 7

This statement deals with audit reports and is effective from 1st September 1993. The statement defines the report as a formal means of communicating the objectives of the audit, the audit scope and the findings and conclusions.

If any audit objective set out in the report was not met, the auditor is expected to disclose this in the report. The report should identify the specific professional standards used in performing the audit and also report any professional standard which should have been used but was not used.

The report should include all significant audit findings.
ISO STANDARDS
Standards issued by the "International Organisation for Standards" (ISO):
ISO has come out with standards for products. There are specific guidelines given for the procedures to be adopted for obtaining a certificate under ISO. To get international recognition for their products, it has become a prestige issue for various organisations, whether for products or for services, to obtain a certificate under ISO 9000.
It is of interest to note that ISO 9000 in part III provides guidelines for the application of ISO 9001 to the development, supply and maintenance of software. It has been recognised that "the process of development and maintenance of software is different from that of most other types of industrial products. In such a rapidly evolving technology field, it has been found necessary to provide additional guidance for quality systems where software products are involved, taking into account the present state of the technology". ISO 9000-3 deals with situations where specific software is developed as part of a contract according to the purchaser's specifications.
ISO 9000-3 is intended to provide demonstration of a software supplier's capability to develop, supply and maintain software products. In this connection, the definitions provided in the guidelines are important, and the terms defined are listed below:
Software item
Development
Phase
Verification
Validation
Para 4.1.1.1 defines quality policy: "The supplier's management shall define and document its policy and objectives for, and commitment to, quality. The supplier shall ensure that this policy is understood, implemented and maintained at all levels in the organisation".
Paragraph 4.1.1.21 describes the responsibility and authority of the personnel who manage, perform and verify work affecting quality.
Paragraph 4.1.2 lays down the purchaser's management responsibility and is of particular importance. It mentions that the purchaser should co-operate with the supplier to provide all necessary information in a timely manner and resolve pending items.
The purchaser should assign a representative with the responsibility for dealing with the supplier on contractual matters. This representative should have authority commensurate with the need to deal with contractual matters, which include, but are not limited to, the following:
a) Defining the purchaser's requirements to the supplier;
b) Answering questions from the supplier;
c) Approving the supplier's proposals;
d) Concluding agreements with the supplier;
e) Ensuring the purchaser's organisation observes the agreements made with the supplier;
f) Defining acceptance criteria and procedures;
g) Dealing with the purchaser-supplied software items that are found unsuitable for use.
Paragraph 4.21 generally gives the description of the quality system. The supplier should establish and maintain a documented quality system. The quality system should be an integrated process throughout the entire life cycle, thus ensuring that quality is being built in as development progresses rather than being distributed at the end of the process. Problem prevention should be emphasised rather than depending on correction after occurrence. The supplier should ensure the effective implementation of the documented quality system.
Paragraph 4.3 is of particular relevance to the research topic. It deals with internal quality system audits. It is as follows:
"The supplier shall carry out a comprehensive system of planned and documented internal quality (system) audits to verify whether quality activities comply with planned arrangements and to determine the effectiveness of the quality system".
"Audits shall be scheduled on the basis of the status and importance of the activity".
"The audits and follow-up actions shall be carried out and brought to the attention of the personnel having responsibility in the area audited. The management personnel responsible for the area shall take timely corrective action on the deficiencies found by the audit".
Paragraph 4.4 deals with corrective action:
"The supplier shall establish, document and maintain procedures for
a) Investigating the cause of non-conforming product and the corrective action needed to prevent recurrence;
b) Analysing all processes, work operations, concessions, quality records, service reports and customer complaints to detect and eliminate potential causes of non-conforming product;
c) Initiating preventive actions to deal with problems to a level corresponding to the risks encountered;
d) Applying controls to ensure that corrective actions are taken and that they are effective;
e) Implementing and recording changes in procedures resulting from corrective action".
The paragraph dealing with the quality of system life-cycle activities lists the following major points and activities:
i. Contract review
ii. Purchaser requirement specification
iii. Development planning
iv. Quality planning
v. Design and implementation
vi. Testing and validation
vii. Acceptance
viii. Replication, delivery and installation
ix. Maintenance
The guidelines specify very clearly the various procedures to be strictly adhered to under each of the above-mentioned items. Of particular importance to the auditor are the paragraphs dealing with testing and validation.
Paragraph 5.7.3 deals with the aspects to which special attention should be paid:
a) The test results should be recorded as defined in the relevant specification;
b) Any discovered problems and their possible impacts on any other parts of the software should be noted and those responsible notified, so that the problems can be tracked until they are solved;
c) Areas impacted by any modifications should be identified and retested;
d) Test adequacy and relevancy should be evaluated;
e) The hardware and software configuration should be considered and documented.
It is specifically mentioned that the supplier should validate the operation of the software as a complete product.
Paragraph 6 deals with quality system supporting activities. It deals with the following aspects and lays down the procedure to be adhered to under each head:
a) Configuration management
b) Change control
c) Document control
d) Quality records
e) Measurement of products
It further deals with rules, practices and conventions, and tools and techniques to be followed.
ANALYSIS OF OFFICIAL PRONOUNCEMENTS
Professional bodies like AICPA, IAA and EDPAA disclose that auditors have a special responsibility while auditing in a computerised environment.
SPECIFIC STANDARDS WHICH NEED TO BE ADHERED TO
The Institute of Chartered Accountants, we reliably learn, is in the process of providing guidelines which would eventually be formulated as standards. With the globalisation and liberalisation policies of our Government, import as also export of software as also hardware, which is already on the increase, would be reaching a peak very soon.
In view of ISO 9000-3 prescribed for software development, organisations would be expected to conform to the same and obtain certification. It is of great importance to note that an internal audit of the software development is expected.
It should not be mistaken that quality assurance for software is needed only in cases of export. ISO 9000-3 lays down the concept that software is a product and, like other products, it is necessary to maintain its quality. Therefore, it is of paramount importance to take cognisance of the fact that awareness has been created that an audit should be performed of the software before it becomes a marketable product.
In these circumstances, the auditor's duty and responsibility are of great importance for the implementation of the software in an organisation.
PROFESSIONAL PRONOUNCEMENTS IN INDIA
The Institute of Chartered Accountants of India (ICAI) issues different statements from time to time on specific matters of importance to its members. This has affected the working of the auditors in India. The Statement on Audit Practices issued by ICAI sets out practices which are generally obtaining in other countries and which the Council considers desirable in the light of the prevailing circumstances of India.
The provisions of the Statement of Accounting Procedures issued in 1979, while explaining the scope and functions of the Accounting Standards Board, have clarified that in the initial years the Standards will be recommendatory in character. It is accepted that once a general awareness of the need and utility of the standards has been agreed, steps will be taken to enforce compliance with them. It states "that while discharging their functions, it will be the duty of the Members of the Institute to ensure that the accounting standards are implemented in the presentation of financial statements covered by their Audit Reports. In the event of any deviation from the standards it will also be their duty to make adequate disclosures in their Reports so that the users of such statements may be aware of such deviation". The Institute of Chartered Accountants of India has issued a statement of basic principles which govern the audit. It lays down various principles which include:
i. Integrity, objectivity and independence;
ii. Confidentiality;
iii. Skills and competence;
iv. Documentation;
v. Planning;
vi. Audit evidence.
The Statement on Audit Practices was issued in 1964, and a third edition was brought out in 1977. Chapter II deals with general considerations; the concept of materiality is discussed. It is mentioned that "Materiality" is also a matter of importance in relation to items in the balance sheet. It is added that "it is difficult to lay down any standards by which materiality can be judged. It is a matter in which the decision is arrived at on the basis of the auditor's professional experience and judgment".
Para 210 deals with the objectives. It lays down that the auditor's objective in regard to assets is to satisfy himself that they exist, belong to the client and are recorded in the accounts. It is accepted that the audit procedure should be devised accordingly.
Chapter 217, which deals with computers, lays down:
"While the principles and concepts of audit are applicable to computer-based accounting systems to the same degree as to manual systems, the auditing techniques and procedures will need modification depending upon:
a) the extent to which electronic data processing (EDP) is used to compile and analyse accounting records;
b) the system of internal control in existence in the company in regard to:
(i) flow of correct and complete data to the processing centre;
(ii) processing, analysis and reporting tasks undertaken in the installation; and finally
(iii) the impact of the computer-based accounting system on the audit control that could otherwise be expected to exist in an entirely manual system.
The guideline proceeds to explain the fundamental concepts for a client who may be using his own computer system or a service bureau for obtaining management information. It will be of relevance to reproduce para "A".
"A. Where a computer is used for compiling accounting records, if the system developed is such that a 'print out' (i.e. a visible record) is available at every stage, as in a manual system (e.g. Day books, statement of Journal entries, Ledger, Trial Balance and so on), the audit trail remains complete and free of the EDP influence. This gives the auditor all the freedom he needs to determine the extent and manner of verification of transactions, taking into account the internal check and control that exists within the organisation but outside of the Data Processing Centre. Nevertheless it would be necessary for the auditor to make enquiries and particularly satisfy himself on the following points:
a) Adequate procedures exist to ensure that the data transmitted is correct and complete.
b) Cross verification of records, reconciliation statements and control systems between primary and subsidiary ledgers do exist and are operative, and the accuracy of computer compiled records is not assumed.
Developments in Data Processing in India, in so far as accounting records are concerned, have not yet materially threatened the audit trail since extensive 'print outs' are made available, but the future points to the inevitable need for the auditor to acquire newer skills to deal with a computer environment when audit trails, as now known and accepted, might become expensive and even anachronistic.
Where audit trails have been affected, the auditor will find that "visibility" has become poorer. This will force upon him the need to acquire skills to verify "invisible records". Depending upon the degree of "visibility" he can adopt one of two courses.
(1) Leave the processing part of the computer applications, but verify the systems and controls that exist:
(a) to ensure correct and complete data being made available for processing;
(b) to provide for error detection and correction;
(c) to restart compilation interrupted by power, mechanical or processing failures without duplicating the entries and records;
(d) to ensure checks and controls on output for accuracy and completeness;
(e) to provide adequate data security against fire and other calamities, wrong processing and fraud;
(f) to prevent unauthorised amendments and corrections to processing instructions (programmes), operating instructions and sequences; and
(g) to keep custody of the data files.
Many more "peripheral" checks may be added but the above would be the principal ones. This approach is referred to as auditing around the computer.
(2) It is possible for the auditor to take the further logical step to verify the programmes themselves and technically satisfy himself that systems, checks, controls, error detection and data security procedures are satisfactory. The auditor could also use test-checks to test the system in operation and ask for special print outs by making use of programming facilities available within the installation or at his command, to improve the quality of his own audit and reduce time spent on detailed verification of transactions. This approach is referred to as auditing through the computer.
Given the necessary skills, an auditor could, on request, audit the computer system itself."¹
A study of the various standards pronounced by different authorities discloses that all of them uniformly deal with:
1. Independence
2. Due professional care
3. Professional competence
4. Planning the audit
5. Understanding internal control
6. Evidence collection
7. Reporting
¹ Page 284, Contemporary Auditing, Third Edition, Kamal Gupta.
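Two of the points the guideline asks the auditor to satisfy himself on, that transmitted data is correct and complete and that subsidiary ledgers reconcile to the control accounts rather than being assumed accurate, can be applied as mechanical checks. The following Python is an added example, not code from the thesis or from any of the sources it quotes; the batch header fields, document numbers and ledger balances are constructed for illustration.

```python
"""Completeness and reconciliation checks for computer-compiled accounting
records. Added example; all batch and ledger figures below are constructed."""
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List


def check_batch_completeness(header: Dict[str, str],
                             records: List[Dict[str, str]]) -> List[str]:
    """Compare a transmitted batch against the control figures in its header.

    The sending department supplies a record count and a hash total of the
    amounts; the processing centre recomputes both before compiling anything.
    Returns a list of exceptions; an empty list means the batch is accepted.
    """
    exceptions: List[str] = []
    expected_count = int(header["record_count"])
    expected_total = Decimal(header["hash_total"])
    actual_count = len(records)
    actual_total = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    if actual_count != expected_count:
        exceptions.append(
            f"record count {actual_count} differs from control count {expected_count}")
    if actual_total != expected_total:
        exceptions.append(
            f"hash total {actual_total} differs from control total {expected_total}")
    # A repeated document number is the usual symptom of a compilation that
    # was restarted after an interruption without removing the partial run.
    seen = set()
    for r in records:
        if r["doc_no"] in seen:
            exceptions.append(f"duplicate document {r['doc_no']}")
        seen.add(r["doc_no"])
    return exceptions


def reconcile_subsidiary_to_control(subsidiary: List[Dict[str, str]],
                                    control_balances: Dict[str, str]) -> Dict[str, Decimal]:
    """Sum the subsidiary ledger balances under each control account and return
    control balance minus subsidiary total per account; anything non-zero is an
    exception the auditor follows up rather than assumes away."""
    totals: Dict[str, Decimal] = defaultdict(lambda: Decimal("0"))
    for entry in subsidiary:
        totals[entry["control_account"]] += Decimal(entry["balance"])
    return {account: Decimal(balance) - totals.get(account, Decimal("0"))
            for account, balance in control_balances.items()}


# Constructed sample batch: three sales invoices with the sender's control figures.
GOOD_HEADER = {"record_count": "3", "hash_total": "1500.00"}
GOOD_RECORDS = [
    {"doc_no": "INV-1001", "amount": "500.00"},
    {"doc_no": "INV-1002", "amount": "700.00"},
    {"doc_no": "INV-1003", "amount": "300.00"},
]
# The same batch after the last record was re-transmitted following an interruption.
BAD_RECORDS = GOOD_RECORDS + [GOOD_RECORDS[2]]

# Constructed subsidiary ledger balances and the general ledger control accounts.
SUBSIDIARY = [
    {"control_account": "Sundry Debtors", "balance": "600.00"},
    {"control_account": "Sundry Debtors", "balance": "400.00"},
    {"control_account": "Sundry Creditors", "balance": "500.00"},
    {"control_account": "Sundry Creditors", "balance": "250.00"},
]
CONTROL_BALANCES = {"Sundry Debtors": "1000.00", "Sundry Creditors": "800.00"}


def main() -> None:
    print("good batch:", check_batch_completeness(GOOD_HEADER, GOOD_RECORDS) or "accepted")
    for problem in check_batch_completeness(GOOD_HEADER, BAD_RECORDS):
        print("bad batch:", problem)
    for account, diff in reconcile_subsidiary_to_control(SUBSIDIARY, CONTROL_BALANCES).items():
        print(f"{account}: difference {diff}")


if __name__ == "__main__":
    main()
```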
CHAPTER III
END-USER COMPUTING (EUC)
The technological developments in the computer field have made computers "user friendly". Users tend to use local computing power, which has resulted in tremendous growth of End-User Computing. The user, instead of depending upon a central computer department and its staff to render assistance in using computers for its department, depends upon itself. End-User Computing is defined as "user created or acquired systems that are maintained and operated outside of traditional information systems (IS) controls".
Figure 3.1
END-USER COMPUTING RISK CONTROL LEVELS¹
[Figure not reproduced; its vertical axis is "Controls Required", rising to "High".]
¹ Systems Auditability and Control Module 7, End-user and Departmental Computing, Institute of Internal Auditors Research Foundation, Florida, 1991.
There are many reasons for the rapid growth of this trend:
(i) There is always a backlog of projects, and the priorities which the user may have for its application may not be the same for the centralised computer department.
(ii) The user's desire to have direct control over their applications.
There are different types of end user computing activities:
Single user
(i) Stand-alone PC: This may be used by a single department for routine preparation of some reports.
(ii) It may be used for preparing ad hoc reports using software like spreadsheets etc.
(iii) Business applications may be developed which are of immediate use to the department, and special reports useful for achieving the goals and objectives of the department.
Multi-user
Different users may be utilising the services of the same PC.
The PC may be one of the nodes in a LAN environment, when the node may be used not only for developing routine reports but also to access commonly available data on the network.
AUDIT RISKS AND CONTROLS TO BE EVALUATED¹
[Figure of four bars, reproduced as text]
Bar 1: EUC Risks and Controls versus Traditional IS Risks and Controls
Bar 2: Level of Technical Support Required by Users: Low / Moderate / High / N/A
Bar 3: Level of Control Required Over System: Low / Moderate / High / Very High
Bar 4: Level of Technical Auditing Expertise Required: Low / Moderate / High / Very High
The specific advantages of end user computing are that:
(i) It helps in satisfying the increased need for analysed data and responding to queries.
(ii) It meets one-time requirements by developing temporary systems.
(iii) It reduces the normal user and computer department conflicts by providing users with more direct operational control over the system.
(iv) The development cycle is shortened, as the realisation of priorities by the user is greater than that of the DP department.
(v) It is in keeping with the general corporate policy to decentralise activities.
As against the advantages, there are certain disadvantages. The following are likely to occur:
(i) As there is no centralised effort in pooling resources, experience and skills, the end-user may not have an appropriate appreciation of the associated risks. Users in their over-enthusiasm tend to tackle tasks which are beyond their capability. With the desire to keep up with the latest technology, hardware and software may be acquired which the business needs do not justify.
(ii) Delegation of decisions not in keeping with the position of responsibility of individuals may take place.
There are many control issues in the nature of:
(a) Inconsistent data
(b) Incomplete information trails
(c) Poor system change controls
(d) Poor documentation
(e) Poor security
(f) Inadequate back-up and recovery procedures
(g) Software security.
PROBLEM AREAS
In view of the declining costs and the increasing importance of information on a timely basis, the awareness and the need for end-users themselves to have the computer facility have been on the increase. Users have become self-reliant and feel that they do not have to bear all the overheads that are allocated to the department for the services rendered by the centralised computer department. The end-users make extensive use of spreadsheets and word processing facilities.
The more enterprising of the staff in user departments have acquired a working knowledge of using the computer and the software. It cannot be claimed that the knowledge of such users is of a high level. The situation as it exists in many organisations is as follows:
(i) Systems development
Many systems which the users feel, in their limited knowledge, would be useful are developed without adopting any of the standard prescribed procedures. While the applications may be usable immediately, it cannot be assured that they would be maintainable, auditable and securable. Applications like budget preparation, consolidation of accounts, costing, pricing and product-mix decisions are some of the more popular applications which the end-users have developed.
(ii) Change controls
As the end-users themselves are developing the programmes, the programmes are changed at will without conforming, again, to any established procedures. The fact that the programme with the change implemented has gone live by their own efforts blinds them to the fact that established procedures have been given the go-by.
(iii) Data consistency
As mentioned earlier, there are data applications which are used in the Finance department, marketing department, manufacturing department as also the costing departments. It is not uncommon to find that there are different versions of the same data being used in the various functional departments. The standard costs as originally developed might have been updated by the costing department, but still the old version may continue to be used in the marketing and finance departments while the costing department uses the latest version. This naturally leads to data which is not synchronised and information which is neither reliable nor consistent being provided.
(iv) Documentation
Documentation being a cumbersome process, and a very limited number of staff being conversant with the usage of computers, it is generally felt that there is no requirement for documentation, and the present practice is that there is a total absence of documentation regarding the systems and programmes, programme changes and trouble shooting.
(v) Software piracy
There is no overall control on the programs that are used by the end-users, without the organisation being aware that its own departments violate the Copyright Acts and are utilising pirated copies of the more popular software.
(vi) Back-up and contingency planning for recovery
In the absence of organisational policies and procedures there are no systematic back-up and recovery procedures. End-users, due to lack of technical training, are not fully aware of the need to have adequate back-up of data files and programs. In the absence of an organisational disaster recovery plan, or because end-users are not covered by it, end-users do not have adequate contingency planning. It is not uncommon to find end-user computing getting interrupted for unusual lengths of time; this necessarily has its own impact on the organisation's operations.
Back-up, at the utmost, consists of having copies of programs, not necessarily at a remote place. Back-ups, if any, are generally located in the same area as the main storage facility. It is not uncommon to find another floppy box containing data and programs being stored in another drawer of the computer table.
(vii) Exposure to virus
Viruses get introduced into the system in any of the following situations:
i. To avoid getting approval to purchase the software, unauthorised copies of the software are surreptitiously used by the end-user. This may result in virus contamination of the entire system.
ii. In the absence of adequate back-up and contingency planning, an attack by a virus can run through programs and wipe out files.
The problems were generally the same in all the organisations with End-User Computing. Five organisations were selected at random. All the organisations were large public limited companies which were making extensive use of LOTUS I, II and III and certain simple programs in D-Base. In one organisation, the marketing department was making extensive use of LOTUS I, II and III for pricing decisions. It was found that, there being no control procedures, there were certain accidental changes to cell values. In addition, in some cases, the software being a pirated copy, the software itself contributed to certain other problems of cell values getting altered without reason. The department staff were programmers, operators and users, all rolled into one. It was a common feature to find alterations being made "ON THE FLY", i.e. even while the software was being used.
In one organisation, a crisis situation arose as the single staff member in the user department resigned for better prospects. In the absence of documentation and separation of duties, and with no systematic back-up of programs and files, the operations came to a grinding halt.
STANDARD ACCEPTED PROCEDURES
As in many organisations EUC (End User Computing) represents a significant investment, it is essential that it should be properly managed and administered.
The Standard Accepted Procedures could be considered under two heads:
* Control Procedures
* Audit Procedures
CONTROL PROCEDURES
Planning
End User Computing should be dealt with like any other business activity. The planning for EUC should address the following areas:
Training
The organisation should have plans for training personnel on IT, which should cover use of software and hardware and systems development.
Hardware acquisition
Clear guidelines should be given regarding the type of hardware to be acquired and the procedure to be followed for such acquisition.
The type of applications to be developed and the method to be adopted for such development should also be planned, e.g. the language to be used and whether in-house development or purchase from vendors.
Utilisation of resources
It is necessary to understand that end users form a part of a whole organisation. Hence there should be coordination and interaction amongst end users as also with the data processing department.
Integration with the organisation's business plan
There should be a central department at the corporate level which should decide on the following:
(i) What type of equipment to buy
(ii) Whether to buy the equipment or lease it
(iii) If a networking system is already in existence, whether end users could be provided additional nodes.
Designing of appropriate controls in EUC, specially in areas where key information is produced, is essential to ensure its integrity.
The responsibility of the user with regard to EUC development and the integrity and security of data should form part of the overall long term plan of the organisation for IT development. The hardware and software acquisition at EUC should fit into the overall blueprint of the organisation.
Organisational support
Though the end user may do its own computing, the overall responsibility for its control rests with the organisation. It cannot, under any circumstances, be delegated. The organisation should provide the following:
The organisation should have a small group of IT consultants and also an auditor, who should provide guidance regarding development of applications as also clarify any technical doubts. The auditor component of the group should be able to evaluate the controls of applications in EUC as also their impact on the overall organisation. The EUC should be provided clear guidance on the following:
* Operational system
* Documentation of systems and programs
* Program change procedure
* Data integrity
Responsibility for controls
The ultimate responsibility for the controls in EUC lies with the Head of the department. They should ensure that:
(i) Organisational policies and procedures are being adhered to
(ii) Discipline regarding systems development, program changes, operations etc. is being followed.
To a great extent, controls in an EUC environment depend on the effectiveness of the administrative controls. As the end user has taken on the responsibility of adhering to the control procedures, the onus passes on to the end user.
AUDIT
In view of the extensive growth of EUC, specially in view of the significant benefits that the end user would derive, it is necessary for the auditors, specially the internal auditors and subsequently the external auditors, to understand the implications of EUC and its impact on internal controls. The auditors must pay special attention to the following areas:
(i) Organisational impact of EUC
(ii) Reasons associated with EUC
(iii) The need for corporate policies and guidelines
(iv) The awareness of management of EUC risks and controls
(v) The procedures being followed in departments utilising EUC
(vi) Study of the applications in EUC to evaluate their impact, specially on management decision making.
Performing the audit
The auditor should devote his attention to
(i) controls at organisational level and
(ii) controls at application level.
(i) Organisational level
At the organisational level he should evaluate the following:
* Administration
* Policies and procedures
* End-user support
Administration
He should study the responsibilities associated with
* Data ownership
* Hardware and software compatibility
* Training
* Technical support
Policies and procedures
The auditor should evaluate whether there are policies and procedures regarding EUC. The policies and procedures should cover the following:
* Documentation
* Back-up and recovery
* Security
* Hardware acquisition
* Software acquisition
* Development of applications
* Changes to live running programs
End-user support
The end users need support, and the support, if any, provided should be reviewed to find out whether the following are included:
* Training
* Availability of support
ANALYSIS AND FINDINGS
Controls
A sample of five organisations was chosen at random and a questionnaire (Table 3.1) was utilised to obtain responses. The practices currently prevalent are as follows:
(a) Segregation of duties is totally absent as the user is a programmer, systems analyst and an operator.
(b) The documentation was totally inadequate, if not absent. In their eagerness and enthusiasm to develop systems, least importance was given to documentation. The situation did in some cases lead to confusion when the original developer left the department or the organisation. The systems development life cycle procedure has been very rarely followed. There was no feasibility study, no documentation and no test results.
(c) With an attempt at "keeping up with the Joneses", expensive hardware not justified by the usage of the user department was acquired and remained under-utilised.
(d) The systems that were developed did not bear in mind the possible integration with other existing systems or future systems.
(e) "Change control procedures", i.e. the procedures that need to be strictly adhered to whenever an existing program is modified or replaced, were of an inadequate standard. Again, the system was entirely dependent upon the present individual who was using it.
(f) Back-up and contingency procedures were not adequate. The back-up procedure consisted of a copy of the program being maintained separately in the same room. The usage of unauthorised software was very common. While the organisations might have purchased licensed software, the end users were having different pirated copies.
(g) The vulnerability to viruses was very common. Viruses generally get spread either through the usage of unauthorised copies of software or through the floppies which the maintenance engineers bring.
AUDIT
Information was gathered from a sample of 30 auditors regarding the procedures they adopt in organisations where End-User Computing was in existence and utilised for important areas of operation.
The auditors, whether internal or external, were aware of the risks associated with an End-User Computing environment. Yet there was no audit being performed. The auditors, in spite of being aware that personal computers were installed in all the functional departments, were ignorant of the type of applications. The audit in that area was totally absent. Counter-checking of this fact was made with the end users, who confirmed the same.
TABLE 3.1
Questionnaire on End-User Computing controls (each item answered Yes / No)
Are end-users aware of organisational and departmental information security policies and guidelines?
Are they adequate and up to date?
Are computer systems passwords kept confidential by user-employees?
2. General control
Are there policies and guidelines available regarding the following:
* Access security
* Systems development
* Change controls
* Data consistency
* Documentation
* Back-up
* Recovery
* Contingency planning
* Copyright violation
* Virus vulnerability
3. Access security
Is there a security management function?
Are visitors or unauthorised users having easy access to areas where EUC is performed?
Are files containing sensitive data encrypted?
4. Systems development
Are there procedures and controls for systems development?
5. Change control
Is there adequate documentation regarding any changes to the programs?
6. Documentation
Is there adequate documentation for programs, hardware, system configuration and procedures?
7. Back-up, recovery and contingency planning
Are there procedures and standards for program and data back-up?
Is there any training provided to end-users regarding dangers to magnetic files from static electricity, equipment failure etc.?
If back-up and storage facilities are available, are they in the same area or at a different location?
8. Copyright violation
Are there written policies informing end-users of the legal consequences of using unauthorised copies of software?
Are there policies and guidelines issued on preventing a virus attack, removing the virus if the system is attacked, and consequential actions to be taken to nullify the attack?
Are there specific guidelines given regarding usage of spreadsheets, specially when used for decision-making?
The Institute of Internal Auditors Research Foundation, in their "Systems, Auditability and Control" report, in Module 7 dealt with End-User and departmental computing. They conducted a survey and the key survey findings and observations are as follows:
* Forty-one percent of the 249 respondents indicated that one of the highest related risks is poor data accuracy or integrity. Of this 41% (101 respondents), 63% felt the risk would increase in the future, 25% felt there would be no change, and 12% said it would decrease.
* The most effective control to mitigate this risk was thought to be policies, standards, and procedures (27%), followed by input/output controls (19%) and systems testing (9%). The respondents citing policies, standards and procedures as the best control indicated that the control is not used in 26% of the organizations, partially used in 70%, and fully used in 4%.
* Other significant risks mentioned included development of incompatible systems and unauthorized access or changes to data or systems. Related controls included policies, standards, and procedures, and access controls and security, respectively.
* Internal audit organizations of all sizes plan to increase audit coverage of EUC over the next three years. Actual coverage in the past three years and planned audit coverage in the next three years are presented in Figure 1.2 for small (one to ten auditors), medium (eleven to sixty auditors) and large (over sixty auditors) internal audit organisations.
Figure 1.2: Percent of respondents performing full or limited scope EUC audits, actual (past three years) and planned (next three years; 91%).
It is advisable to encourage development of End-User Computing in view of the following benefits:
i. Users become self-reliant and hence are more responsive to information needs and requirements.
ii. Application development and maintenance costs are minimal as the department's present needs and future requirements are properly understood.
iii. The backlog of computer applications is considerably reduced as there is clear prioritisation of the department's needs.
It is advisable, and hence recommended, to take full advantage of the benefits of EUC. Adequate steps need to be taken to avoid the associated risks in EUC. The recommended steps would be as follows:
i. Set up a dedicated consulting group within the organisation. It would be advisable to have a small planning cell of competent personnel who would provide the guidance for the end users. The type of services they would provide includes training end users generally in traditional systems development as also providing knowledge of general controls and application controls.
LOCAL AREA NETWORK (LAN)
A Local Area Network (LAN) is defined as a data communication system that allows a number of independent devices to communicate directly with each other within a moderately sized geographic area and offers a physical communications channel providing moderate transfer rates.
Network computing provides the capability for users who are working on different personal computers, micro-computers or workstations to communicate with each other via the network. It is also possible for users to share network resources and also use any of the services that the network provides. A network consists of a complex of hardware, software and communications with a number of components located over a large area. The major components in a network are:
i. Network file server and netware
ii. Network workstations
iii. Transmission media.
Network file server and netware
A file server is a micro computer. This runs a network operating system to control the network resources associated with the file server. The network operating system coordinates LAN activities. It decides who can access which files, who can make changes to data and who can use the network printers.
In a network, files are stored on a hard disc drive located on the server. Naturally the hard disc drive capacity is very high.
Network workstations
Workstations are personal computers. Network users do their work on these computers. These workstations can process their own files and run their own operating systems. However, the network workstations are capable of accessing files not only from the local drives but from files elsewhere in the network.
Workstations use two pieces of software to communicate with the file server. They are:
(a) The shell
(b) The protocol
The shell redirects the requests from workstations across the network as necessary. The protocol lays down the rules and procedures and provides a common communication mechanism between the workstation and the file server.
Transmission media
The transmission media can be any of the following:
* Twisted pair and co-axial cable made of copper
* Fibre optics or fibre plastics
* Wireless
Information flows between workstations and the servers. The file server, which is a micro computer, operates as a "host computer" with which other entities like printers, other terminals etc. interact. Hardware and software components are put together to operate as a whole by the operating system of the network. A workstation in a network can be and may be connected to one or more file servers.
It is possible for one network to be connected to several other networks. Distributed or decentralised computing facilities can be set up in different geographical areas. However, in a distributed environment data is exposed to more threats. The risks can be minimised by building a "trusted network computing facility".
PROBLEM AREAS
Communication systems have become a vital strategic asset for many organisations. In commercial organisations management has realised that networking the marketing, production, finance and other vital functional areas gives them information power.
The dynamic marketing effort put in by vendors of network systems, coupled with "image creation" amongst others in the field, has resulted in proliferation: more and more organisations have started "networking" their computer environment. Effective management of the organisation's telecommunication resources can no doubt offer substantial benefits, but sound control procedures are needed to enhance the network's ability to adapt and grow with the organisation. The internal auditor in the normal circumstances should examine the policies and procedures and the telecommunication function itself to evaluate the effectiveness of the networking function. However, the present practices are not as expected. There are no policies and procedures, which are very essential for managing network operations. There are no procedures regarding compatibility of hardware and software, protection of confidential information, or procurement. There is no detailed definition of requirements, detailed evaluation, or contract terms and conditions.
A communication network is an area where it is essential to have hardware and software compatibility. The introduction of new technology very often changes the definition of compatibility and hence it is necessary to constantly review the policies to ensure their currency.
In present day practice, there are no policies and procedures in most of the organisations, with the result that the question of their being current does not arise. It is not uncommon to find elaborate, complicated arrangements, which are quite unsatisfactory, being made to have the latest version of the software work on outdated hardware. Amongst the other, more important present practices are:
i. Lack of a systems development life cycle methodology
In most organisations, the concept of SDLC is absent and when a network is implemented, the same culture is continued, with the result that there is a total absence of established objectives, cost estimates, acceptance criteria, etc.
ii. Change management
There are no well-documented procedures regarding alterations or modifications to hardware and software.
iii. Security authorisation
There are no well-established corporate security policies in most of the cases. In a few cases where they do exist, though vaguely, procedures for accessing network facilities, maintenance of audit trails and using diagnostic hardware are not clear and well laid down.
iv. Problem reporting and surveillance
There are no well laid down procedures regarding preparation of reports connected with security violations or hardware problems. In the organisations, the individual who may be held responsible for follow-up action on such reports is also given other responsibilities. In the circumstances, performing the duty of systems administrator becomes incidental. There is no supervision of the systems administrator's work. There has been a reported case of the systems administrator himself having been a party to a security violation.
v. Contingency and disaster recovery plan
It is absolutely imperative to have well-documented standards and guidelines regarding contingency planning generally, and more so when networking is introduced. A study of the present practices reveals that there are no such well-documented standards or guidelines. It is only a case of crisis management. While segregation of duties is an important element of the system of internal control, in not so big organisations it becomes difficult to implement this principle. In the circumstances, it becomes more important to have an effective contingency plan. In most of the organisations it is absent.
Five users were selected at random for study in a large public limited company with a turnover of several crores of rupees and a widely dispersed office where the concept of LAN was introduced. Discussions with the senior executive of the company in charge of computer operations revealed that users were permitted to make "simple changes" to programs which were relevant to their departments, in violation of the generally accepted discipline that users should use the program only in "Execution Mode". The programs were accessed from the file server and modifications made at the user end. The printout at the file server node provided this information. It was informed that there is a systems administrator who periodically files the printouts. Further discussions revealed that most of the security considerations are being violated on the basis of trust in the "loyal staff". In another organisation, which was also a public limited company, access control procedures were inadequate. A member of the staff made an unauthorised access to a confidential file and obtained the information to use against the organisation. This instance was discovered after the incident by a casual viewing of the printout at a node which had an important file. Subsequently, steps were taken to review "Access Procedures".
In a nationalised bank, the manager was provided with a node to facilitate his giving the password in appropriate situations, like "permitting overdraft to certain customers". It was found that using the manager's password had been converted into part of the operating instructions. Discussion with the manager revealed that these procedures were violated again in view of the trust they have in the staff. A programmer in a foreign country who opened an account in the bank and took advantage of the vulnerabilities in the procedures had absconded with a large sum of money before the same was discovered. In all the five cases, the auditors were blissfully ignorant of the risks and exposures.
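The LAN cases above turn on a missing trail: programs on the file server were altered at the user end, the only record was a printout filed by an unsupervised systems administrator, and nothing reconciled what was on the server with what had been authorised. The following is an added example, not part of the thesis or of any organisation it studied, of an integrity audit that an internal auditor could run against the program library: it hashes every program held on the server, compares the result with an approved baseline, and reports any addition, modification or removal that is not covered by an entry in the change-control register. The baseline and register layouts, the program names and their contents are assumptions made for the example.

```python
"""Program-library integrity audit (added example, not from the thesis).

Assumptions: the baseline and the change register are dictionaries keyed by
program name; the approved hash recorded for an authorised change is the
SHA-256 of the program as released through change control.
"""
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a program's bytes as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def snapshot_directory(library: Path) -> dict[str, str]:
    """Hash every file under the program library on the file server.

    The baseline is produced the same way when the library is approved and is
    then kept away from the server (under the auditor's control), so that the
    server itself cannot alter the reference it is later compared against.
    """
    return {
        path.relative_to(library).as_posix(): sha256_hex(path.read_bytes())
        for path in sorted(library.rglob("*"))
        if path.is_file()
    }


def audit_library(baseline: dict[str, str],
                  current: dict[str, str],
                  change_register: dict[str, str]) -> list[tuple[str, str]]:
    """Compare the live program library with the baseline and the register.

    baseline:        program -> hash approved at the last audit.
    current:         program -> hash taken now (snapshot_directory or equivalent).
    change_register: program -> hash approved through change control since the
                     baseline was taken.
    Returns (finding, program) pairs; an empty list means the library is as
    authorised.
    """
    findings: list[tuple[str, str]] = []
    for name, digest in sorted(current.items()):
        approved = change_register.get(name)
        if name not in baseline:
            if approved != digest:
                findings.append(("UNAUTHORISED_ADDITION", name))
        elif digest != baseline[name] and approved != digest:
            # Altered on the server with no matching change record: the
            # "simple change made at the user end" from the case above.
            findings.append(("UNAUTHORISED_MODIFICATION", name))
    for name in sorted(baseline):
        if name not in current:
            findings.append(("MISSING", name))
    # A register entry that is not on the server is also a question for the
    # administrator: the approved change was never installed, or was installed
    # under another name.
    for name, digest in sorted(change_register.items()):
        if current.get(name) != digest:
            findings.append(("APPROVED_CHANGE_NOT_INSTALLED", name))
    return findings


def demo() -> list[tuple[str, str]]:
    """Run the audit on constructed sample data (not real programs)."""
    released = {  # programs as approved at the baseline audit
        "PAYROLL.EXE": b"payroll v1",
        "PRICING.WK1": b"pricing model v1",
        "OVERDRAFT.PRG": b"overdraft limit check v1",
    }
    baseline = {name: sha256_hex(data) for name, data in released.items()}

    # Approved through change control since then: a new pricing model.
    change_register = {"PRICING.WK1": sha256_hex(b"pricing model v2")}

    live = {  # what the file server actually holds today
        "PAYROLL.EXE": b"payroll v1",                         # unchanged
        "PRICING.WK1": b"pricing model v2",                   # authorised change
        "OVERDRAFT.PRG": b"overdraft limit check, no limit",  # altered at user end
        "QUICKFIX.PRG": b"undocumented helper",               # never authorised
    }
    current = {name: sha256_hex(data) for name, data in live.items()}
    return audit_library(baseline, current, change_register)


if __name__ == "__main__":
    for finding, program in demo():
        print(f"{finding:32} {program}")
```

Run on a real library, `snapshot_directory(Path("/srv/programs"))` supplies `current`, and the findings list is the report the auditor reviews with the systems administrator; the comparison is only as good as the custody of the baseline, which is why it must not live on the server being audited.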
STANDARD ACCEPTED PROCEDURES
The main purpose of having controls is to minimise the exposures. The additional controls that are needed in an on-line system are:
A. Security control
* Access
* Authentication
* Authorisation
* Privacy
* Process environment
* Program changes
* Authorising execution of programs
* Operating systems
B. New components control
* Data communication
* Terminals
C. Controls to provide adequate trails
* Audit trail
* Documentation of magnetic medium
* Audit trails from transactional loss to create recovery controls
The figure given below highlights the new controls that are needed.1
1 Adopted from Javier F. Kuong, "Controls for Advanced On-line Data Base Systems", Management Advisory Publications.
Figure: ON-LINE SYSTEM CONTROLS AND AUDIT PROBLEMS. Input phase, process phase and output phase of an on-line system, showing on-line users, reports, console and DB dumps, with back-up and recovery controls for integrity (I), accuracy (A) and continuity (C). Adopted from Controls for Advanced On-Line Data Base Systems by Javier F. Kuong, Management Advisory Publications, Mass.
Providing on-line systems controls
Generally systems are designed to provide built-in controls to ensure the following:
* Accuracy
* Security
* Continuity
In order to design appropriate internal controls an overview of the design of the controls needs to be made. The control points could be considered under the following heads:
i. Data entry
ii. Data communication
At the point of data entry, control mechanisms are built in to minimise the consequences of the following threats:
* Entering wrong transactions
* Entering unauthorised transactions
* Improper adjustments by misusing error correction practices
* Absence of audit trails
* Loss of transactions
To maintain access control, security and privacy, the standard practices to be followed are as follows:
* There should be automatic sign-off of all operators when a major system<br />
failure is detected.<br />
* There should be a restricted menu display for each user.<br />
* There should be specific passwords for users.<br />
* There should be supervisory passwords for special functions.<br />
* Automatic disabling of terminals after unsuccessful trials.<br />
* Logging of unsuccessful trials and keeping count of the same.<br />
* Disabling of terminals after working hours.<br />
* There should be logging of off-hour use of terminals, and importance should<br />
be attached to accountability of entries.<br />
* There should be effective security surveillance procedures.<br />
Password control<br />
* Password display on terminals should be suppressed.<br />
* There should be separate passwords for identification and authentication.<br />
* Establish effective administrative procedures for password change and<br />
maintenance as follows:<br />
All password changes should be reviewed and there should be security<br />
surveillance.<br />
For sensitive positions there should be tightly accounted procedures for<br />
changes in passwords when there is a change in the personnel.<br />
Passwords should be invalidated automatically after the lapse of a certain<br />
pre-determined time.<br />
Password tables should be inaccessible other than to the super user.<br />
Control procedures should be adequate to specify the following control<br />
objectives:<br />
* The terminal should always be capable of being identified.<br />
* The user should be identified and authenticated.<br />
* The user should be capable of operating only within the limits that he is<br />
authorised to.<br />
* The terminal should be capable of logging all deviations from normal<br />
operations.<br />
* The operation at any terminal should be so designed as to provide<br />
continuity of operations in case of breakdown or interruption.<br />
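As an added illustration, not part of the thesis and not taken from Kuong's text, the following Python program implements the access-control practices and control objectives listed above in one small module: terminal identification, user identification and authentication against a hashed password table that only the controller itself can read, a restricted per-user menu, disabling of a terminal after a set number of unsuccessful trials (which are counted and logged), refusal of off-hours use without supervisor approval, automatic lapse of passwords after a pre-determined time, an audit trail of every deviation from normal operation, and automatic sign-off of all operators on a major system failure. The thresholds, terminal and user names, passwords and the clock values in the scenario are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime

MAX_FAILED_TRIALS = 3        # constructed: terminal is disabled after this many unsuccessful trials
PASSWORD_LIFETIME_DAYS = 30  # constructed: pre-determined time after which a password lapses
WORKING_HOURS = (9, 18)      # constructed: 09:00-17:59; use outside this needs supervisor approval


def hash_password(password, salt):
    # The password table holds only salted hashes, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControl:
    def __init__(self, now):
        self.now = now        # injected clock so the scenario below is reproducible
        self._users = {}      # password table, readable only inside this class (the super user)
        self.terminals = {}   # terminal id -> {"failures": count, "disabled": flag}
        self.sessions = {}    # terminal id -> signed-on user
        self.audit_log = []   # every deviation from normal operation is recorded here

    def _log(self, terminal, user, event):
        self.audit_log.append((self.now.isoformat(), terminal, user, event))

    def register_terminal(self, terminal_id):
        self.terminals[terminal_id] = {"failures": 0, "disabled": False}

    def add_user(self, user_id, password, allowed_functions):
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": hash_password(password, salt),
                                "changed": self.now, "menu": frozenset(allowed_functions)}

    def sign_on(self, terminal_id, user_id, password, supervisor_approved=False):
        """Identify the terminal, then identify (user id) and authenticate (password) the user."""
        term = self.terminals.get(terminal_id)
        if term is None:                          # the terminal must always be identifiable
            self._log(terminal_id, user_id, "unknown terminal")
            return False
        if term["disabled"]:
            self._log(terminal_id, user_id, "attempt on disabled terminal")
            return False
        if not WORKING_HOURS[0] <= self.now.hour < WORKING_HOURS[1]:
            if not supervisor_approved:           # terminals are disabled after working hours
                self._log(terminal_id, user_id, "off-hours use refused")
                return False
            self._log(terminal_id, user_id, "off-hours use with supervisor approval")
        user = self._users.get(user_id)
        if user is None or not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
            term["failures"] += 1                 # unsuccessful trials are counted and logged
            self._log(terminal_id, user_id, "unsuccessful trial %d" % term["failures"])
            if term["failures"] >= MAX_FAILED_TRIALS:
                term["disabled"] = True
                self._log(terminal_id, user_id, "terminal disabled after repeated trials")
            return False
        if (self.now - user["changed"]).days > PASSWORD_LIFETIME_DAYS:
            self._log(terminal_id, user_id, "password lapsed")   # invalidated automatically
            return False
        term["failures"] = 0
        self.sessions[terminal_id] = user_id
        return True

    def menu_for(self, user_id):
        # Restricted menu display: only the functions this user is authorised for.
        return sorted(self._users[user_id]["menu"])

    def execute(self, terminal_id, function):
        """A user may operate only within the limits he is authorised to."""
        user_id = self.sessions.get(terminal_id)
        if user_id is None:
            self._log(terminal_id, None, "%s attempted without sign-on" % function)
            return False
        if function not in self._users[user_id]["menu"]:
            self._log(terminal_id, user_id, "unauthorised function %s" % function)
            return False
        return True

    def sign_off_all(self, reason):
        """Automatic sign-off of all operators when a major system failure is detected."""
        for terminal_id, user_id in self.sessions.items():
            self._log(terminal_id, user_id, "forced sign-off: " + reason)
        self.sessions.clear()


def demo():
    """Constructed scenario: returns the outcomes and the audit trail for inspection."""
    ac = AccessControl(now=datetime(1995, 6, 1, 10, 30))
    ac.register_terminal("T01")
    ac.add_user("clerk", "clerk-password", {"enter_transaction"})   # constructed credentials
    r = {"wrong_password": ac.sign_on("T01", "clerk", "guess"),
         "correct_password": ac.sign_on("T01", "clerk", "clerk-password")}
    r["menu"] = ac.menu_for("clerk")
    r["outside_menu"] = ac.execute("T01", "adjust_error")
    r["inside_menu"] = ac.execute("T01", "enter_transaction")
    r["unknown_terminal"] = ac.sign_on("T99", "clerk", "clerk-password")
    ac.sign_off_all("major system failure")
    r["after_sign_off"] = ac.execute("T01", "enter_transaction")
    ac.now = datetime(1995, 6, 1, 20, 0)                    # after working hours
    r["off_hours"] = ac.sign_on("T01", "clerk", "clerk-password")
    r["off_hours_approved"] = ac.sign_on("T01", "clerk", "clerk-password", supervisor_approved=True)
    ac.now = datetime(1995, 7, 5, 10, 0)                    # 34 days after the password was set
    r["lapsed_password"] = ac.sign_on("T01", "clerk", "clerk-password")
    for _ in range(MAX_FAILED_TRIALS):                      # repeated trials disable the terminal
        ac.sign_on("T01", "clerk", "guess")
    r["terminal_disabled"] = ac.terminals["T01"]["disabled"]
    return r, ac.audit_log
```

The audit log returned by `demo()` is the "trail" the next section asks the auditor to test: every refused sign-on, unauthorised function and forced sign-off is recorded with terminal, user and time, so a reviewer can reconstruct who attempted what even though the transactions themselves leave no paper trail.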
Standard practice - Audit procedures<br />
On-line computer systems have an impact on the audit procedures. The matters<br />
of particular importance to auditors in an online system are:<br />
* Authorisation<br />
* Completeness<br />
* Accuracy of online transactions<br />
* Integrity of records and processing, especially in view of the fact that in<br />
a networked system, the system is accessible to many users and<br />
programmers.<br />
Changes in the performance of audit procedures are due to the following:<br />
* Transaction trails becoming invisible<br />
* The necessity for auditors who have proper skills in an online<br />
system.<br />
* Adequate knowledge of procedures during<br />
(i) the audit planning stage<br />
(ii) concurrently with online processing<br />
(iii) after processing has taken place.<br />
Generally in a well designed online computer system, the auditor would rely<br />
more on internal controls. It is accepted that the auditor would have adequate<br />
knowledge of internal controls in an online system so that he will follow the<br />
appropriate audit procedures.<br />
Audit procedures performed concurrently with online processing would require<br />
testing of controls on the online applications.<br />
Procedures associated with audit after processing has been completed would<br />
include:<br />
* Compliance testing of controls for transactions already logged in for<br />
(a) Authorisation<br />
(b) Completeness and<br />
(c) Accuracy<br />
* Substantive testing of transactions and processing results<br />
* Reprocessing of certain transactions where necessary.<br />
It is generally recommended and found more effective for an auditor to<br />
perform a pre-implementation review of new online applications.<br />
Audit<br />
Information was gathered from a sample of 30 auditors regarding the<br />
procedures they would adopt in organisations where computers were networked<br />
using a LAN utilised for important areas of operations.<br />
The auditors, neither internal nor external, were aware of the risks associated<br />
with a LAN environment. There was no audit being performed. The auditors, in spite<br />
of being aware that computers were installed in all the functional departments and<br />
networked, were ignorant of the type of applications. The audit in that area was<br />
totally absent. Counter-checking of this fact was made with organisations having a LAN,<br />
who confirmed the fact that no audit was performed.<br />
Controls<br />
A random sample of 5 organisations which had installed a LAN was taken to<br />
study the control aspects.<br />
ANALYSIS AND FINDINGS<br />
Role of the auditor<br />
In the sample of organisations chosen for the survey of control and audit<br />
procedures, it was found that neither the internal auditor nor the external auditor was<br />
performing an audit of the LAN environment. As a matter of fact, the audit<br />
operations did not include evaluation of internal controls in a computerised<br />
environment generally. The auditors are totally unaware of the risks associated with<br />
a LAN environment and the accepted, well established controls which need to be<br />
implemented to minimise those risks. This failure of the auditors to evaluate the<br />
controls in a LAN environment was independently confirmed by the organisations<br />
which had a LAN environment.<br />
CONTROLS<br />
In none of the organisations were there any documented procedures and<br />
guidelines regarding implementation of the LAN. While in some of the organisations<br />
there was a network diagram, in other organisations there was no network diagram.<br />
Even in the organisations which had the network diagram it was not updated and<br />
hence incorrect. There was no specific terminal designated to monitor activity within<br />
the online system. In one of the organisations, a user department was permitted to<br />
access a program from its node, make a change in the program and execute it<br />
at its terminal. Though this situation was reflected in the print-out at the network<br />
administrator's terminal, apart from the fact that the print-out was filed no further<br />
action was taken.<br />
In most of the cases, no review of controls or procedures is undertaken. In<br />
one other organisation, it was discovered later that important management<br />
information which should be available only at one terminal was accessed at another<br />
terminal during lunch time. Much after the event, it was discovered and corrective<br />
action taken.<br />
The discipline associated with the password is not generally being adhered to.<br />
Passwords in many instances have become part of operating instructions and<br />
passwords in some cases are known to more than one person.<br />
In all the cases, there have been instances of violation of security, lack of<br />
integrity and loss of data. Corrective action has been taken subsequent to its occurrence.<br />
Even in organisations with a LAN environment, like other organisations, the<br />
Disaster Recovery Planning is totally inadequate. Other than having a copy of the<br />
program and a copy of important data stored in the same installation, there was no<br />
other evidence of an effective DRP. Disasters have occurred and recovery had been<br />
made with much difficulty.<br />
SUGGESTIONS<br />
In view of the operations of an organisation being distributed, it becomes<br />
necessary to have computer operations located at the place of the operation.<br />
However, to have an overall control of the organisation's information and at the same<br />
time allowing each of the users to have access to such information as may be<br />
necessary, it becomes imperative to have networks.<br />
Local Area Networks (LANs) have defined a new domain of networks that<br />
can be installed and managed by user groups. The dynamic nature of the<br />
telecommunication environment along with the strategic importance of networks<br />
gives telecommunications high visibility. This necessitates the need for effective<br />
control.<br />
In view of the importance of controls in LANs in ensuring integrity, security,<br />
confidentiality and continuity of information, effective auditing of such systems is very<br />
important.<br />
A study of standard accepted procedures for controls and audit in comparison<br />
to the actual practice as revealed by the survey conducted showed up a big gap.<br />
Taking into consideration the environment in India, the following suggestions<br />
need to be considered in the areas of control and audit in a LAN.<br />
Control of completeness and accuracy<br />
There should be clear guidelines and procedures laid down by the<br />
Management regarding usage of the network, additions of nodes, job responsibilities,<br />
security etc.<br />
There should be a corporate policy laid down regarding procedures to be<br />
followed in the communication systems to ensure data integrity and completeness.<br />
The procedure at its least should include controls regarding:<br />
* Time and date stamp<br />
* Sequence number checking<br />
* Transaction terminal<br />
* Periodic message reconciliation<br />
* Back-up equipment and facilities<br />
* Recovery procedures<br />
Network security<br />
Clear guidelines should be provided regarding classification of critical<br />
information.<br />
There should be well documented security policies, standards and procedures.<br />
The audit and legal departments should be associated in security planning.<br />
Acquisition of equipment, software and services<br />
There should be a central department which has the knowledge of<br />
organisational interests and which would be able to establish product specifications and<br />
bench marks.<br />
Auditors and users should have an important role in product acquisition.<br />
Change management<br />
There should be an authorised procedure for any telecommunication change.<br />
The procedure should include documentation requirements and approval. There<br />
should be a post-implementation review of telecommunication changes.<br />
Suggestions for audit procedures<br />
Analysis of the procedures in a sample survey of organisations having a<br />
LAN environment revealed that there is no role performed by either the internal<br />
auditor or an external auditor. While an external auditor as of now may claim that<br />
EDP audit is not part of the statutory audit, an internal auditor would be failing in his<br />
duty if he does not evaluate the internal controls in the LAN environment of his<br />
organisation. Broadly the audit program should include the following at its minimum:<br />
* Check the existence of policies and procedures from the management<br />
regarding implementation and maintenance of the LAN.<br />
* Check an inventory of data communication equipment.<br />
* Verify whether there is a network diagram which will clearly denote the<br />
physical and logical connections between the various communication equipment.<br />
Verifying integrity<br />
Is any particular terminal designated specifically to monitor activity within the<br />
online system?<br />
Is there any documentation of hardware failures and software failures?<br />
Are there any procedures to ensure that all transactions are received?<br />
What is the procedure regarding transaction messages that may be duplicated,<br />
unaccounted or lost? Is there a software log of errors and re-transmissions?<br />
Is there any review of such error logs?<br />
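To make the communication controls listed under "Control of completeness and accuracy" concrete (time and date stamp, sequence number checking, transaction terminal, periodic message reconciliation), and to show what a review of the re-transmission and error log asked about in the integrity questions above would actually look for, here is an added Python example; it is not part of the thesis and not drawn from any product the thesis surveys. It walks a constructed journal of messages as received at the host, one entry per message with terminal, user, stamp, message number, data and an end-of-message mark, and reconciles each terminal's stream against the control count that terminal declared at end of transmission, reporting duplicated, out-of-order, truncated, stale and lost messages. The journal contents, terminal names and control counts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Message:
    """One journal entry: terminal, user, date/time stamp, message number, data, end-of-message mark."""
    terminal: str
    user: str
    stamp: datetime
    seq: int
    data: str
    end_of_message: bool


def t(hour, minute):
    # Constructed stamps, all on the same day, so the journal below stays readable.
    return datetime(1995, 6, 1, hour, minute)


# Constructed journal in the order the host received the messages.
JOURNAL = [
    Message("T01", "clerk1", t(10, 0), 1, "DR 1001 500.00", True),
    Message("T01", "clerk1", t(10, 1), 2, "CR 2002 500.00", True),
    Message("T01", "clerk1", t(10, 3), 4, "DR 1003 120.00", True),   # no. 3 has not arrived yet
    Message("T01", "clerk1", t(10, 2), 3, "CR 2004 120.00", True),   # arrives late, out of order
    Message("T01", "clerk1", t(10, 3), 4, "DR 1003 120.00", True),   # re-transmitted duplicate
    Message("T01", "clerk1", t(10, 5), 5, "DR 1005 7", False),       # cut off before end of message
    Message("T02", "clerk2", t(10, 0), 1, "DR 3001 40.00", True),
    Message("T02", "clerk2", t(10, 1), 2, "CR 3002 40.00", True),
    Message("T02", "clerk2", t(9, 30), 3, "CR 3003 15.00", True),    # stamp far behind the stream
]

# Constructed end-of-transmission control counts each terminal sent at sign-off.
END_OF_TRANSMISSION = {"T01": 6, "T02": 3}


def reconcile(journal, eot_counts, max_skew=timedelta(minutes=5)):
    """Sequence-number checking plus reconciliation against the terminal's own declared count."""
    report = {"duplicated": [], "out_of_order": [], "truncated": [], "stale": [],
              "lost": [], "count_mismatch": {}}
    by_terminal = {}
    for m in journal:                       # the transaction terminal is the unit of control
        by_terminal.setdefault(m.terminal, []).append(m)
    for term, msgs in sorted(by_terminal.items()):
        seen, lost, expected, latest = set(), set(), 1, None
        for m in msgs:                      # arrival order
            if m.seq in seen:               # same number accepted before: re-transmission
                report["duplicated"].append((term, m.seq))
                continue
            seen.add(m.seq)
            if m.seq < expected:            # fills a gap we had already flagged as lost
                report["out_of_order"].append((term, m.seq))
                lost.discard(m.seq)
            else:
                lost.update(range(expected, m.seq))   # numbers skipped on the way here
                expected = m.seq + 1
            if not m.end_of_message:        # no end-of-message mark: truncated in transit
                report["truncated"].append((term, m.seq))
            if latest is not None and m.stamp < latest - max_skew:
                report["stale"].append((term, m.seq))   # date/time stamp check
            latest = m.stamp if latest is None else max(latest, m.stamp)
        declared = eot_counts.get(term, 0)
        lost.update(range(expected, declared + 1))   # sent but never received at the tail
        report["lost"].extend((term, n) for n in sorted(lost))
        if declared != len(seen):           # periodic reconciliation: declared vs accepted
            report["count_mismatch"][term] = {"declared": declared, "accepted": len(seen)}
    return report


if __name__ == "__main__":
    for category, items in reconcile(JOURNAL, END_OF_TRANSMISSION).items():
        print(category, items)
```

The report separates the cases the audit questions distinguish: a duplicate is a re-transmission the host must not post twice, a gap at the end is only visible because the terminal declared how many messages it sent, and a stale stamp points at a terminal clock or a message held back on the line. Each category of the report is what the reviewer of the error log should be signing off on.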
Physical security<br />
Is physical security for communication equipment adequate?<br />
Is access to test equipment restricted only to authorised personnel?<br />
Are cables adequately shielded to prevent physical tampering?<br />
Logical security<br />
Are password systems in use?<br />
Are only authorised persons permitted to access communication software?<br />
Are the users prevented from making an unlimited number of unsuccessful<br />
attempts?<br />
QUESTIONNAIRE - AUDIT<br />
CHECKLIST FOR AUDIT OF TELECOMMUNICATION SYSTEM<br />
Yes / No<br />
GENERAL<br />
Have you checked whether there is any inventory<br />
of data communication equipment: terminals,<br />
modems, etc.?<br />
Have you checked the network diagram in connection<br />
with physical and logical connections of<br />
communication equipment?<br />
Are there any written authorisations regarding<br />
the physical and logical connections of the<br />
terminals?<br />
Is supervisor approval needed to use<br />
terminals outside authorised usage hours?<br />
Are there written guidelines to determine any<br />
errors in the communication equipment?<br />
Are there established procedures that all<br />
transactions are recorded?<br />
Is there a review procedure for transactions which<br />
may not be accounted or corrupted?<br />
Is there accountability for reviewing error logs?<br />
Is there a journal of messages and does the<br />
message have the following?<br />
Terminal, User, Data, Message No., end of<br />
message, end of transmission<br />
Have you satisfied yourself that the back-up facilities<br />
for the online system are adequate?<br />
Have you verified the restart/recovery procedure in<br />
case of hardware or software failure?<br />
PHYSICAL SECURITY<br />
Are there policies and guidelines regarding<br />
providing physical security for terminals?<br />
Are the cables electrically shielded to protect from<br />
physical tampering or other damage?<br />
Is test equipment and diagnostic software used only<br />
by authorised people?<br />
LOGICAL SECURITY<br />
Are only authorised personnel permitted to access<br />
communication software?<br />
Are users prevented from making an unlimited<br />
number of unsuccessful attempts?<br />
If sensitive information is being processed, are<br />
there adequate controls that it can be accessed<br />
only by authorised personnel?<br />
When was the last audit conducted?<br />
Within one year? Within two years?<br />
QUESTIONNAIRE - GENERAL<br />
Yes / No<br />
Does your department have any policies and<br />
guidelines regarding installation of the network, adding<br />
nodes, job responsibility, reporting structures etc.?<br />
Has an audit ever been conducted of the<br />
networking configuration and the applications?<br />
COMPLETENESS AND ACCURACY<br />
Do you employ built-in controls in your<br />
communication systems to ensure completeness<br />
and accuracy?<br />
NETWORK SECURITY<br />
Do you have any well-laid out policies and<br />
procedures regarding the network security?<br />
Is the information classified according to its<br />
criticality and sensitiveness?<br />
Has the auditor or the legal advisor been<br />
associated in security planning?<br />
In the last two years have there been any security<br />
lapses?<br />
ACCESS CONTROL<br />
Are all your terminals physically protected from<br />
unauthorised access?<br />
Do you have logging facilities?<br />
Do you have surveillance facilities?<br />
Is there a review of violation reports?<br />
Have there been any violations in the last two<br />
years regarding access?<br />
ACQUISITION OF EQUIPMENT<br />
Are there any established benchmarks?<br />
Does the user have any role?<br />
Does the auditor have a role?<br />
CHANGES IN NETWORK<br />
Are there any written procedures and guidelines<br />
regarding change management?<br />
Are there any check lists or documentation requests in<br />
the change management procedure?<br />
Is there any post-implementation review of the<br />
changes?<br />
CHAPTER V<br />
DATA BASE MANAGEMENT SYSTEM<br />
Overview<br />
Objectives of data base management: The professional approach to<br />
application system development had a strong focus on application programmes and<br />
processes. When the primary focus is on process, naturally application systems<br />
develop separately and operate independently. Data files are established as a by-product<br />
of application development. As a consequence, if two applications require the<br />
same items of data they are duplicated, resulting in redundancy.<br />
To retrieve data that is stored urgently, the user has to decide as to which<br />
application to use to obtain the necessary data. This necessitates the coordination of<br />
data updating as regards the application systems. This is necessary to ensure that the<br />
same data is updated in the same way at the same time irrespective of the fact in<br />
which file the data exists. To be able to obtain at all times information based on the<br />
latest version of data would involve using additional programming which would<br />
periodically update similar data in different files so that all the files have the latest<br />
version of the data. This would delay obtaining information on request, as a great deal<br />
of processing is necessary before correct and latest information could be given. In the<br />
1960s, usage of magnetic tape as a computer medium was prevalent, which<br />
imposed a sequential structure on the file. In the early 1970s in countries like the USA<br />
and Australia, the concept of data base management systems emerged. In our own<br />
country only in the last two or three years, that is from the 1990s, has the concept of data<br />
base management systems been catching on. Till recently, that is before the 1990s,<br />
the high cost of equipment and the non-availability of skilled personnel necessitated<br />
centralised execution and control of system development. This resulted in end-users<br />
maintaining private data manually so that at any point of time they would have<br />
up-to-date information.<br />
The emergence of micro computers has led to end-users maintaining this<br />
information on computers instead of manually.<br />
Having micro-computers at the user's end did not solve the problems but only<br />
ended up in the information problems being transferred also to the end-users.<br />
The need for getting over these problems motivated organisations to seek<br />
new solutions.<br />
MOTIVATION TOWARDS DATA BASE MANAGEMENT SYSTEM<br />
The major problems which motivate data base management are:<br />
(i) Quick answers were not available for 'simple' ad hoc questions<br />
(ii) High development costs as the efforts were duplicated both at the<br />
central processing department as also the user department<br />
(iii) Low responsiveness to change<br />
Once an application is developed and handed over to the user many things<br />
happen. An application system may require change either due to changes in<br />
statutory requirements or the user's own views for a different approach after the system<br />
has been in use for some time. Making changes to the system after the application<br />
has been developed requires a great deal of cost and time by way of additional<br />
programming effort and computer time.<br />
It is reported that maintenance of existing programmes consumes 75% of the<br />
time of Systems Analysts and Programmers. This leads naturally to the management<br />
studying ways of reducing people-intensive activities. Such reduction can be<br />
achieved only if a special effort is put in to develop a ... disciplined system.<br />
LOW DATA INTEGRITY AND QUALITY<br />
Incomplete and inaccurate data leads to lack of confidence in such data.<br />
However, should such data be used for making important decisions, it would be<br />
detrimental to the interests of the organisation. This leads to a situation where<br />
managers are constrained to maintain their own files of good quality information<br />
and unquestionable integrity.<br />
INADEQUATE DATA MODEL<br />
Complex data and inter-file relationships make it difficult to provide a formal<br />
definition of the system. There are limited tools for defining data structures, and<br />
with importance being given to programming, the data structure ends up being modified to suit<br />
the language. This necessitates richer and better data structure writing capabilities.<br />
While the problems discussed motivate a data base approach, one should not<br />
lose sight of the fact that there are certain areas to be borne in mind which would<br />
restrain the introduction of a data base management system.<br />
OBJECTIVES OF DATA BASE MANAGEMENT<br />
The main objectives of data base management are:<br />
a) Sharability<br />
b) Availability<br />
c) Evolvability and integrity<br />
a) Sharability<br />
The concept of sharability means that the same data would be used at the<br />
same time not only by different people but also in different processes. Data belongs<br />
to the whole organisation and not to any single individual. When a data base is shared<br />
by several people it is necessary to have a central body to control the collection and<br />
use of all data. When this is achieved the following would result:<br />
a) Consistency of data<br />
b) Reduced redundancy of data<br />
c) Reduction in the effort needed for capture and maintenance of data<br />
Sharing of data has its own ramifications and it would become necessary to<br />
arrive at a compromise between the conflicting needs of different users.<br />
b) Availability<br />
By the concept of availability we mean that data should be made available<br />
when and where it is needed and also in the form and manner in which it is needed.<br />
There are two dimensions to the availability objective and they are:<br />
i) Function and ii) Form<br />
i. Function<br />
The function of the data base is to define and create a data base and get the<br />
relevant data in and out of the data base as per the requirements of users.<br />
ii. Form<br />
The DBMS should be in a position to economically and effectively:<br />
a) Store diverse data<br />
b) In an environment of diverse users<br />
c) Operating in diverse modes<br />
d) Using diverse languages<br />
e) Satisfying diverse patterns of usage.<br />
If the DBMS were to handle only a very narrow range of diversity, users could feel<br />
disillusioned as it has fallen short of expectations or has not become as responsive<br />
as was anticipated.<br />
c) Evolvability <strong>and</strong> <strong>in</strong>tegrity<br />
The characteristic of evolvability of DBMS is its ability to change <strong>in</strong> response<br />
to the usen needs as also the advanc<strong>in</strong>g technology. Evolvability is dist<strong>in</strong>ct from<br />
exp<strong>and</strong>ability or extensibility. Evolvability <strong>in</strong>creases the possibility of the future<br />
availability of data resources.<br />
PROBLEM AREAS
Technological developments in the Information Technology field have been very rapid, with software and hardware vying with each other in their growth. There has been a realisation that information is power, and as organisations grow larger the need for an effective information system has come to be greatly appreciated.
The data base concept has been spoken of in many seminars and workshops. It has therefore become an "in thing" in larger organisations to try to implement a data base management system. Products such as ORACLE, SYBASE and INGRES have been available, backed by tremendous marketing efforts, with each vendor claiming that theirs is the product. Organisations have had to study their user needs and select an appropriate DBMS package. However, the concept not being very old, there has not been enough experience, and organisations have had to depend on their senior data processing staff and on outside consultants. In the present context executive turnover is very high generally, and more so in the information technology field. This has resulted in organisations depending still more on outside help from consultants. In most organisations there is no individual specifically designated as data base administrator or data administrator. It is absolutely necessary that one individual be responsible for data base design, definition and maintenance. This is not the case in most organisations, where a group of two or three people together play the role of DBA. In these circumstances, determining proper access permissions for application programs and users, and resolving the resulting conflicts among users of the data, gives rise to contradictions.
The creation of the data dictionary is in many instances not comprehensive. Most importantly, back-up and recovery procedures are not satisfactory. There are no well-settled policies and procedures. Each of the data base products such as ORACLE, SYBASE and INGRES has its own functions and security features. Unless the security features of each data base package are completely understood and implemented, the possibility of the system being exposed to security violations is immense. Lack of the knowledge needed to implement the concept, without the associated administrative and organisational support, is leading to a situation in which many organisations spend all their time unravelling the mysteries of the data base management system package they have implemented. The benefits that were expected to be reaped have not yet been fully achieved. In most cases a cost-benefit analysis carried out after implementation would never have justified the implementation of the DBMS in the first place. This is not because the concept is not implementable; the DBMS is an extremely useful and effective tool. Special effort needs to be put into the creation of a complete data dictionary and into allocating specific responsibility for data base administration. In the absence of such a foundation the data base system gets rocked. User access needs to be controlled, which is achieved by granting users privileges on specific data or by restricting the commands they can use. As these procedures are not streamlined, the significant advantages of a DBMS are not achieved.
Three large public limited companies were selected at random. A popular DBMS package had been introduced. While the package was introduced no precautions had been taken to ensure that a specific individual was designated as the data base administrator who would take total responsibility for creating a data dictionary and ensure that the discipline associated with the implementation of a D.B.M.S. package is followed. The organisations concurred with me that they are not violating the required disciplines associated with implementing security considerations in a D.B.M.S. environment. The organisations were still struggling with problems of deadlock and relational integrity, which were of greater concern. The data was not getting updated in all the files, which is a basic principle in a D.B.M.S. environment.
PRESENT PRACTICES
AUDIT
As in all other areas of auditing in a computerised environment, the audit function is at present totally absent. Verifying the information technology controls in a data base environment does not figure in the internal auditor's audit programme of the organisation. Procedures associated with data access, password systems and terminal security are never audited, so the senior management of the organisation cannot know whether the controls are in place and effective.
STANDARD ACCEPTED PROCEDURES
Controls
There are three main data base structures, viz. hierarchical, network and relational. The figures given below represent pictorially the structure of the different data bases. The more popular and useful data base structure is the relational data base, in which the data is held in the form of tables. As mentioned earlier, relational data bases are more popular because they are easier to set up and maintain. The data base concept separates the data requirements from the application requirements. Both the data and the application requirements evolve constantly, but they need not evolve compatibly. In a data base approach integration is provided by the sharing of common data among different programs. The data elements are stored with very little redundancy. The physical file structure need not resemble the logical records and files. A data base system gains flexibility by making data and application programs independent of each other. A data base management system satisfies the needs of an organisation through a shared collection of information, and it executes functions on behalf of application programs. Standard accepted procedures in a data base management system include the following:
* Creation of a data dictionary
* Creation of the post of data base administrator
* Laying down procedures
* File consistency
* Avoiding deadlock
* Error recovery and reliability
A data dictionary describes the various attributes of each data element. In many data base packages information regarding the physical location of the data is also included. The other details recorded are the data name, the segment on which it occurs and the programs using the file. The main advantage of having a data dictionary is that data is defined uniformly. The data dictionary also tells what data is available and in which data base it is located. An active data dictionary is updated automatically when there is a change; with a passive data dictionary this does not happen automatically.
The data base administrator, as the very name indicates, is the manager of the data base. The main responsibilities of the data base administrator are data base design, definition and maintenance. He is also responsible for setting up policies and procedures for back-up and recovery. He determines the appropriate access permissions for users as well as for application programs. Whenever any conflict arises among the users of the data, the responsibility for resolving it devolves on the data base administrator.
Laying down procedures
It is possible that an application updates files at more than one node. It is also possible that a file at one node is updated by more than one application. In the absence of procedures it is very likely that data consistency will be lost. There should be procedures to avoid inconsistencies. One method is to lock a record while it is being updated. If the file action is "read only" there is no possibility of an update, and hence the record need not be locked for that purpose. Yet another method is to allow files to be updated only by processors located at the node where the file rests.
Deadlock
A deadlock situation arises when two or more processes bid for the same resources in a mutually exclusive manner. In such a situation the file may never be released, as none of the processes can complete. This naturally causes an indefinite impasse, and the situation is called a deadlock. It is necessary to ensure that the provision DBMS packages make for such a situation is identified and controlled. There should be a well-established mechanism for the recovery of lost files and for the continuation of operations even though certain nodes are unavailable. It is necessary to ensure that files are continuously available; this can be achieved by duplicating those files that are critical to system operation.
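The locking and deadlock procedures described above, modelled as an added example (not code from the thesis or from any DBMS product): a lock manager in which readers take shared locks, updaters take exclusive locks, an update is refused unless it is requested from the node where the file rests, and a request that would have to wait is first checked against the wait-for graph so that a cycle, i.e. a deadlock, is reported instead of the processes waiting indefinitely. The process names, record names and home-node assignments are constructed for illustration.

```python
"""Record locking with wait-for-graph deadlock detection (added example)."""
from collections import defaultdict

SHARED, EXCLUSIVE = "S", "X"


class DeadlockError(Exception):
    pass


class LockManager:
    """Locks records for update and refuses requests that would deadlock."""

    def __init__(self, home_nodes):
        # home_nodes: record -> node at which the file rests (constructed map)
        self.home = dict(home_nodes)
        self.holders = defaultdict(dict)   # record -> {process: mode}
        self.waiting = {}                  # process -> (record, mode)

    def _conflicts(self, record, process, mode):
        """Other processes whose held lock is incompatible with this request."""
        return [
            holder for holder, held in self.holders[record].items()
            if holder != process and (mode == EXCLUSIVE or held == EXCLUSIVE)
        ]

    def _would_deadlock(self, process, blockers):
        """Walk the wait-for graph from the blockers; a path back to `process` is a cycle."""
        stack, seen = list(blockers), set()
        while stack:
            p = stack.pop()
            if p == process:
                return True
            if p in seen:
                continue
            seen.add(p)
            if p in self.waiting:
                rec, mode = self.waiting[p]
                stack.extend(self._conflicts(rec, p, mode))
        return False

    def request(self, process, node, record, mode):
        """Return True if granted, False if the process must wait.

        Raises PermissionError when an update is attempted from a node other
        than the record's home node, and DeadlockError when waiting would
        close a cycle in the wait-for graph.
        """
        if mode == EXCLUSIVE and self.home[record] != node:
            raise PermissionError(f"{record} may only be updated at {self.home[record]}")
        blockers = self._conflicts(record, process, mode)
        if not blockers:
            self.holders[record][process] = mode
            self.waiting.pop(process, None)
            return True
        if self._would_deadlock(process, blockers):
            raise DeadlockError(f"{process} waiting for {record} would deadlock")
        self.waiting[process] = (record, mode)
        return False

    def release(self, process, record):
        self.holders[record].pop(process, None)


def demo():
    """Constructed scenario: two updaters cross over two records."""
    lm = LockManager({"CUST-17": "node-A", "ACCT-42": "node-A", "RATE-1": "node-B"})
    events = []
    events.append(lm.request("P1", "node-A", "CUST-17", EXCLUSIVE))   # granted
    events.append(lm.request("P2", "node-A", "ACCT-42", EXCLUSIVE))   # granted
    events.append(lm.request("P3", "node-B", "RATE-1", SHARED))       # granted
    events.append(lm.request("P4", "node-A", "RATE-1", SHARED))       # granted: readers share
    events.append(lm.request("P1", "node-A", "ACCT-42", EXCLUSIVE))   # waits for P2
    try:
        lm.request("P2", "node-A", "CUST-17", EXCLUSIVE)              # would close the cycle
        events.append("granted")
    except DeadlockError:
        events.append("deadlock")
    try:
        lm.request("P5", "node-B", "CUST-17", EXCLUSIVE)              # update from wrong node
        events.append("granted")
    except PermissionError:
        events.append("wrong-node")
    return events


if __name__ == "__main__":
    print(demo())
```

A process whose request returned False re-issues the request after the holder calls release(); the detector is run at request time, which is why the second cross-over request is refused rather than left to wait forever.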
AUDITING PROCEDURES
The auditor has to gain a clear understanding of the situation, identify the controls and design proper tests.
The auditor should review the existing procedures and policy manuals. He should identify the data elements that are significant from the auditing angle and determine their relationships within the data structure.
The auditor should refer to the data dictionary and, with support from the data base administrator, understand the logical relationships between important data elements, programs and transaction types. The auditor should understand the internal control system of the DBMS package with special reference to the following:
Who can access data elements?
Who can add, change or delete?
The auditor should establish who are identified as authorised users and what their capabilities are.
The auditor should have a detailed discussion with the data base administrator to gain the following information:
How is the data base used, and what controls are employed for the different purposes?
In a data base environment the absence of an individual, by whatever name he is called, who performs the duties of a DBA amounts to a serious control weakness.
The auditor's concern for access control falls under the following heads:
* Data element access
* Password systems
* Terminal security
The auditor should ensure that programs access only those data elements which they are authorised to access while executing their processing tasks. Unnecessary or uncontrolled access would expose sensitive data. He should ensure that there is a distinction between the test data base and the production data base. While applications are being developed access may not be restricted, but there should then be built-in controls to prevent unauthorised access to the production data base.
Password systems
Auditors should study the password system to evaluate its adequacy. The password system should be effective and should be monitored on an ongoing basis. This involves the maintenance of accurate and secure records of users and their associated privileges. Deletion of the passwords allocated to employees who have since left service is an important audit concern.
Terminal security
The terminal should be not only physically secure but also logically secure. Effective terminal security standards will ensure that only authorised transactions can be entered, and only through authorised terminals.
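The three heads of the auditor's access-control concern, applied as tests over constructed records. This is an added example, not the thesis's own audit programme or any product's facility; the grant table, terminal table, account file, leavers list and access-log lines are all invented for illustration, and the log line format is assumed. Each check returns its findings so that the results can be compared with the policies laid down by the DBA.

```python
"""Audit checks for data element access, password hygiene and terminal use (added example)."""

# Constructed grant table: (program, data element) -> privileges granted by the DBA.
GRANTS = {
    ("PAY02", "SALARY"): {"READ", "UPDATE"},
    ("PAY02", "EMP_NO"): {"READ"},
    ("RPT01", "SALARY"): {"READ"},
    ("RPT01", "EMP_NO"): {"READ"},
}

# Constructed terminal table: transaction type -> terminals it may be entered from.
TERMINALS = {"PAYROLL_UPD": {"T07", "T08"}, "PAYROLL_RPT": {"T07", "T08", "T21"}}

# Constructed /etc/passwd-style records (name:password-field:uid:gid:comment:home:shell).
# "x" means the password is held elsewhere; "!" or "*" means the account is locked.
ACCOUNTS = [
    "clerk1:x:1001:100:Payroll clerk:/home/clerk1:/bin/sh",
    "clerk2:!:1002:100:Payroll clerk:/home/clerk2:/bin/sh",
    "rsmith:x:1003:100:Left service:/home/rsmith:/bin/sh",
    "guest::1004:100:Guest:/home/guest:/bin/sh",
]
LEAVERS = {"rsmith", "clerk2"}   # constructed list from the personnel department

# Constructed DBMS access log, one operation per line, assumed key=value format.
LOG = """\
2024-03-01T10:02 txn=PAYROLL_UPD user=clerk1 prog=PAY02 term=T07 elem=SALARY op=UPDATE
2024-03-01T10:03 txn=PAYROLL_RPT user=clerk1 prog=RPT01 term=T21 elem=SALARY op=READ
2024-03-01T10:05 txn=PAYROLL_RPT user=clerk1 prog=RPT01 term=T21 elem=SALARY op=UPDATE
2024-03-01T11:40 txn=PAYROLL_UPD user=rsmith prog=PAY02 term=T30 elem=EMP_NO op=DELETE
"""


def parse_log(text):
    """Parse key=value log lines into dicts; the first field is the timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        entry = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            entry[key] = value
        entries.append(entry)
    return entries


def check_data_element_access(entries, grants=GRANTS):
    """Flag operations a program performs on a data element without a grant."""
    findings = []
    for e in entries:
        allowed = grants.get((e["prog"], e["elem"]), set())
        if e["op"] not in allowed:
            findings.append(f"{e['ts']} {e['prog']} {e['op']} on {e['elem']} not granted")
    return findings


def check_terminals(entries, terminals=TERMINALS):
    """Flag transactions entered from a terminal not authorised for that type."""
    return [
        f"{e['ts']} {e['txn']} entered from unauthorised terminal {e['term']}"
        for e in entries
        if e["term"] not in terminals.get(e["txn"], set())
    ]


def check_accounts(accounts=ACCOUNTS, leavers=LEAVERS):
    """Flag leavers whose accounts are still usable and accounts with no password."""
    findings = []
    for record in accounts:
        name, pw, *_ = record.split(":")
        locked = pw.startswith(("!", "*"))
        if name in leavers and not locked:
            findings.append(f"account {name} belongs to a leaver but is not locked")
        if pw == "":
            findings.append(f"account {name} has an empty password field")
    return findings


def run_audit():
    """Run all three checks over the constructed data and collect the findings."""
    entries = parse_log(LOG)
    return {
        "data_element_access": check_data_element_access(entries),
        "terminal_security": check_terminals(entries),
        "password_system": check_accounts(),
    }


if __name__ == "__main__":
    for head, findings in run_audit().items():
        print(head, findings)
```

The same functions can be pointed at a real grant listing and access log once their formats are known; the point of the example is that each of the three heads reduces to a comparison between what the DBA has authorised and what the system actually recorded.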
Testing
The audit should test the integrity of the security aspects of the data base by verifying how concurrent update references are handled, how the DBMS is maintained, how the DBA functions and what disaster recovery and contingency procedures have been thought of.
ANALYSIS AND FINDINGS
The specimen audit programme questionnaire which is enclosed was used for gathering information regarding the audit procedures followed in a DBMS environment. Neither the internal auditors nor the external auditors had a positive answer to any of the questions in the specimen audit programme. The auditors were not even aware of the name of the DBMS package being used in the organisation. The auditors in the organisations in the sample survey were blissfully ignorant of the audit concerns in a DBMS environment, viz. security and integrity.
There were no well laid out policies and procedures regarding file consistency, deadlock, error recovery or reliability. The documentation was unsatisfactory. The systems are functioning in the organisations, though not satisfactorily, only because of the dedication and integrity of a couple of members of the data processing staff. Controls over accidental and intentional access to unauthorised data, and over the use of commands associated with logical terminals, were not in order. However, through a process of development and by trial and error, procedures are being developed.
Audit
Information was gathered from a sample of 30 auditors regarding the procedures they adopt in organisations where End-User computing was in existence and was used for important areas of operation.
The auditors, whether internal or external, were aware of the risks associated with an End-User computing environment. Nevertheless no audit was being performed. The auditors, in spite of being aware that Personal Computers were installed in all the functional departments, were ignorant of the types of application in use. Audit in that area was totally absent. This fact was counter-checked with the End-Users, who confirmed it.
SUGGESTIONS
CONTROLS
Even though a data base management system package might already have been introduced in an organisation, it would be necessary to issue policies and guidelines for the following aspects:
* Creation of a data dictionary
* Duties and responsibilities of the data base administrator, with a specific individual or individuals being held responsible
* File consistency
* Deadlock
* Error recovery
* Control over access
* Password systems
* Terminal security.
AUDIT
Even though the internal auditor might not have been associated with the earlier stages, it would be advisable to have the internal auditor or audit department review the controls to satisfy themselves that they are adequate. The present state of knowledge of the auditors is not adequate to discharge this duty. However, lack of knowledge is no excuse for not performing a duty and discharging one's responsibilities. In the circumstances it would be necessary for the auditors to set out the control objectives and to have an independent authority (not part of the computer department) to help them. The auditors have to satisfy themselves regarding the data base, its security and its integrity. The auditor should be able to assure himself that:
* users can only access data that they are authorised to access, on a need-to-know basis;
* log-on IDs and password procedures have been evaluated;
* concurrent updates are handled properly;
* there are proper procedures for the maintenance of the DBMS.
QUESTIONNAIRE FOR AUDIT PROCEDURE
(Each question to be answered Yes / No)
(1) Do you identify data elements that are of particular significance to the audit?
(2) Do you find out whether there is a DBA?
(3) Do you discuss the following with the DBA, to satisfy yourself about the adequacy of security and integrity? Have you verified:
* the segments where data of financial significance is located;
* the users who have access to identified transactions;
* the specific terminals from which these transactions can be executed;
* the users who have direct access to the segments and the type of access they have.
(4) Have you tested the controls for their effectiveness?
(5) Have you reviewed the maintenance controls for the DBMS?
(6) Have you examined the procedures to ensure that any changes to the DBMS are appropriate and functioning as expected?
(7) Have you checked whether logging facilities are in place to enable the DBA to recover lost or corrupted data?
(8) Do you analyse the results of testing and form your opinion regarding the adequacy of controls?
(9) Have you ever presented a report to the Management regarding audit and controls?
CONTROLS IN UNIX ENVIRONMENT
Overview
The Unix operating system has developed over the last twenty years. It was developed at Bell Laboratories in New Jersey by Ken Thompson and others. Thompson had just left a research project on operating system design which had implemented an operating system called Multics (Multiplexed Information and Computing Service). After a certain time Bell Laboratories pulled out of the Multics project. Thompson and Dennis Ritchie sketched out a simpler operating system along the lines of Multics, and Thompson actually built the system on a PDP-7 computer. He realised that the operating system did not follow any design but seemed just to grow. It permitted users to work in an interactive manner, which resulted in more effective utilisation of the resources. This operating system was named UNIX by Brian Kernighan as a pun on the Multics name: the expansion, Uniplexed Information and Computing System, gives UNICS, and it is reported that through a typographical error this was further shortened to UNIX.
When originally designed, the Unix operating system had little in the way of security, as it was felt that security would be an impediment to efficient work.
Thereafter there have been various editions of UNIX, with many people making modifications, as it was very easy to do so. Consequently there are in the market place many versions, editions and variations of UNIX.
The objectives to be achieved in the further development and modification of Unix have been:
(1) Real time operation;
(2) Parallel CPU operation; and
(3) A secure operating system.
There were many major computer security violations, and quite a few of them were published. This led the Department of Defence of the USA to create a set of guidelines and categories for evaluating the security of computer systems. The evaluation criteria were published as the "Department of Defense Trusted Computer System Evaluation Criteria". This was called the Orange Book because of the colour of its cover, and subsequently there have been many other Department of Defence publications, each with a different cover colour; these are known as the Rainbow Books. The security categories are based on both hardware and software. They are classified as A, B, C and D, A being the highest ranking and D the lowest.
The Orange Book defines the D rating as "reserved for those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class". It is reported that manufacturers do not generally submit their products for this classification, which is the lowest. A system that has no rating is presumed to be at the D level.
Division-C
Discretionary protection. To quote the Orange Book, "classes in this division provide for discretionary (need-to-know) protection and, through the inclusion of audit capabilities, for accountability of subjects and the actions they initiate."
Division-B
Mandatory protection. The Orange Book states: "Systems in this division must carry the sensitivity labels with major data structures in the system. The system developer also provides the security policy model on which the TCB (Trusted Computing Base) is based and furnishes a specification of the TCB. Evidence must be provided to demonstrate that the reference monitor concept has been implemented."
Division-A
Verified protection. Certain criteria in addition to those required for ratings C and B are added. The Orange Book states: "This division is characterized by the use of formal security verification methods to assure that the mandatory and discretionary security controls employed in the system can effectively protect classified or other sensitive information stored or processed by the system." Extensive documentation is required to demonstrate that the TCB meets the security requirements in all aspects of design, development and implementation.
Hardly one or two computer systems have earned the A1 security classification.
Some developers have released versions of UNIX that do not have a super-user; their contention has been that all the powers of the super-user should not be put into one basket, and some form of hierarchical group authority has been developed instead, as Mr. Derek N. Arnold has mentioned. These powers will still be powerful, "abusable and misusable". Attempts have also been made to hide the password file so that it is not readable by all users.
Proprietary versions of UNIX are being marketed by different hardware manufacturers, each making its own claims. It is necessary to understand one's own system and to design proper security controls. It is also necessary that, once such controls are developed, they are meticulously enforced.
PROBLEM AREAS
It is a well known fact that most security violations do not come from outside sources; they generally come from users of the system who exceed their authorisation.
Security has many distinct parts. There has to be security for:
a) Hardware
b) Software
c) Data
Hardware needs to be protected from destruction, unauthorised changes and unauthorised use. Software needs to be protected so that valuable programs are not destroyed, and also from unauthorised changes and use. Data, especially valuable data, should be protected from destruction, unauthorised changes and unauthorised use.
The UNIX operating system has three "security domains". They are:
i) the owner of the file, or user (u);
ii) the group that owns the file (g);
iii) the general public, or others (o).
Each of these domains has a UNIX permission set associated with it. UNIX distinguishes three kinds of file operation:
i) read permission;
ii) write permission;
iii) execute (or, for a directory, search) permission.
The permissions and the file type are stored in the "mode" word of the inode, the record that holds the attributes of the file. The permissions can be altered using the command chmod (change mode).
Each of the permissions has an octal value, as follows:
Read permission 4
Write permission 2
Execute permission 1
The command ls -l displays the permissions of a file. The first set of rwx permissions is for the owner of the file, the second set is for the group that owns the file, and the final set is for all other users.
Each of these domains is exclusive of the others. The fact that a user is a member of a group does not give him all the permissions that the group has; it is only if, as the user or owner, he is himself permitted that he can exercise the right.
It should be noted that the permissions are tested in a hierarchy: if the user is the owner, only the owner permissions apply; otherwise, if he belongs to the owning group, only the group permissions apply; otherwise the permissions for others apply. Removing the owner's write permission protects a file against accidental overwriting (and makes rm ask for confirmation before deleting it); actual deletion, however, is governed by the write permission on the directory that contains the file.
The implications of domain permissions
It is necessary to examine all types of operation and command and to understand the associated problems that would enable or expose them. It is necessary to protect the system against any misuse, yet permit the legitimate user his authorised access. A great deal of effort has to be put in to achieve this.
DEFAULT PERMISSIONS
Normally UNIX creates a text file with default permissions of 666 (rw-rw-rw-) and an executable program with default permissions of 777 (rwxrwxrwx). Directories are created with default permissions of 777 (drwxrwxrwx). These are the permissions requested before the umask is applied. umask is a command which alters the default permissions used in the creation of new files: each bit set in the mask is removed from the requested permissions. The system administrator normally sets the umask in the start-up shell script.
It should be noted that the umask affects only new files and not existing ones. Thus, even if a umask command is executed before a copy command, the original permissions of the file being copied will not change; hence it is necessary to use the chmod command to change the permissions of an existing file.
Under UNIX then an three special permission bits. They are:<br />
Set User ID (SU ID)<br />
Set Group ID (SG ID).<br />
STICKY BIT.<br />
There are different versions of UNIX. In some cases, the permissions are<br />
coupled with executable programmes. This could lead to<br />
violations.<br />
vulnerable security<br />
SET-USER ID (SUID)<br />
This permission bit is used to allow one user to temporarily take on the user<br />
identity of another person. This enables another user to utilise file and directory<br />
permissions in the same manner as the original owner of the command.<br />
SET-GROUP ID (SGID)<br />
This permission bit allows the user to temporarily take on the group identity<br />
of another group. It is reported that there is a common UNIX bug which allows an<br />
individual to become part of any group. Hence care should be taken that the current<br />
operating system does not have this bug.<br />
STICKY BIT (COMPILED PROGRAMS)<br />
The sticky bit causes a compiled program to stick in the swap area of the disc.<br />
It has the advantage of loading the program faster, while there is the disadvantage<br />
of permanently using up space in the swap area. In System V UNIX the sticky bit has<br />
been given an additional facility by which files in a public directory cannot be<br />
removed except by the owner himself or the super user.<br />
Audit<br />
Information was gathered from a sample of 30 auditors regarding the<br />
procedures they adopt in organisations where End-User computing was in existence<br />
and utilised for important areas of operation.<br />
The auditors, whether internal or external, were aware of the risks associated<br />
with the End-User computing environment. Yet no audit was being performed. The<br />
auditors, in spite of being aware that Personal Computers were installed in all the<br />
functional departments, were ignorant of the type of applications. Audit in that<br />
area was totally absent. This fact was counter-checked with the End-Users, who<br />
confirmed it.<br />
STANDARD ACCEPTED PRACTICES<br />
System administrators should provide users with security information which will<br />
assist them in securing their directories and files. The earlier versions of UNIX have<br />
had a number of security holes. Hence it is necessary to have the latest versions<br />
from vendors. The management should issue policies and guidelines regarding the<br />
procedures to be followed in a UNIX environment. It should make the system<br />
administrator responsible for framing such guidelines with its approval. The<br />
system administrator's functions should be considered under the following heads:<br />
* Access<br />
* Log-ins<br />
* Passwords<br />
* Log-in environment<br />
* Remote access<br />
* File protection<br />
* System monitoring<br />
* Firmware keys<br />
* Backup and recovery<br />
* Physical security<br />
Access<br />
A shell should be designed such that it will control the user's access to specific<br />
directories and commands. All shells should be checked to identify exits.<br />
Log-ins<br />
Every log-in must necessarily have a password. All log-ins should be verified<br />
at reasonably periodic intervals. Users such as consultants etc. should be identified<br />
by a unique log-in assignment. Unattended terminals should be logged off soon after<br />
a pre-determined period of inactivity.<br />
Passwords<br />
All log-ins should have a password. All system-based passwords should either<br />
be removed or changed. System administrators should use different passwords on<br />
systems which are attached to their controls.<br />
Super user passwords should be known only on a "need-to-know basis" and<br />
only by the system administrator. Super user passwords should be changed frequently.<br />
Log-in environment<br />
The home directory of a user should not be readable by others. The user profile<br />
should not be readable, writeable or executable by others.<br />
The minimum umask setting for general purpose users should be 022.<br />
The use of the root login should be limited to the console only.<br />
Remote access<br />
The default should be such as to allow least privilege. The UUCP system should be<br />
defined to restrict access to remote users.<br />
File protection<br />
Important system directories and files should be provided with the highest level<br />
of protection. A directory should not have insecure read permissions.<br />
Privileged commands such as mount and fsck should have only restricted use.<br />
System monitoring<br />
The system should be monitored for unauthorised logins or logins with no<br />
passwords. System log files which contain information about system activity need to<br />
be reviewed periodically. Other than the owner of the LOGFILE nobody else should<br />
have read and write capabilities.<br />
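Two of the monitoring checks listed above, as an added example that is not from the thesis: a POSIX shell script that reports logins with an empty password field and logins with UID 0 from a passwd-format file, and tests whether a log file is readable or writable by anyone other than its owner. The password file below is constructed for the demo with hypothetical account names; the field layout is the standard name:password:uid:gid:... one. The UID test applies to /etc/passwd only, because in /etc/shadow the third field is not the UID.

```shell
#!/bin/sh
# Added example (not from the thesis): monitoring checks for logins with no
# password, for extra UID-0 (super user) logins, and for a log file that is
# accessible to anyone other than its owner. Sample data is constructed.

# accounts_without_password FILE: print login names whose password field
# (field 2) is empty, i.e. logins that need no password at all.
accounts_without_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# uid_zero_accounts FILE: print every login whose UID field (field 3 of a
# passwd-format file) is 0; any name other than root is a second super user
# and should be explained by the system administrator.
uid_zero_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# others_have_access PATH: print "yes" if the group or others have read or
# write permission, "no" otherwise. In the ls mode string characters 5-6
# are group r/w and characters 8-9 are other r/w.
others_have_access() {
    bits=$(ls -ld "$1" | cut -c5-6,8-9)
    case "$bits" in
        ----) echo no ;;
        *)    echo yes ;;
    esac
}

# demo: run the checks over a constructed password file (hypothetical
# accounts) and over a log file first created group/world-readable, then
# restricted to its owner as the text requires.
demo() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:$6$constructedhash$:0:0:root:/root:/bin/sh
guest::1001:1001:Guest account:/home/guest:/bin/sh
oper::0:0:Operator:/:/bin/sh
revathy:$6$constructedhash$:1002:1002:Research:/home/revathy:/bin/sh
EOF
    nopass=$(accounts_without_password "$d/passwd" | tr '\n' ' ')
    uid0=$(uid_zero_accounts "$d/passwd" | tr '\n' ' ')
    : > "$d/logfile"
    chmod 644 "$d/logfile"
    before=$(others_have_access "$d/logfile")
    chmod 600 "$d/logfile"
    after=$(others_have_access "$d/logfile")
    rm -rf "$d"
    echo "nopass=[${nopass% }] uid0=[${uid0% }] log_before=$before log_after=$after"
}

demo
```

On a live system the two awk checks would be run over /etc/passwd (and the empty-password check over /etc/shadow where passwords are shadowed) by the system administrator, and the result compared with the list of authorised logins.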
The "F<strong>in</strong>d" "S.F<strong>in</strong>dU or "N.CheckU comm<strong>and</strong><br />
should be executed daily to<br />
ensure that all 'UTD' <strong>and</strong> 'GID' programs are protected adequately.<br />
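The daily check recommended here, together with the SUID, SGID and sticky bit mechanisms described earlier in the section, as an added example that is neither the thesis's own nor the "S.Find" or "N.Check" tools it names: a POSIX shell script that uses find -perm to list set-UID and set-GID programs under a directory, compares them with a baseline list taken when the system was known good, and reports any newcomer; it also sets the System V sticky bit on a public directory to show the resulting drwxrwxrwt mode. The demo builds a throw-away tree so it runs without root; the function names and the baseline file are this example's own.

```shell
#!/bin/sh
# Added example (not from the thesis): list set-UID/set-GID programs under a
# tree, compare the list with a known-good baseline, and show the System V
# sticky bit on a public directory. The demo uses a temporary tree only.

# privileged_files ROOT: print sorted paths of set-UID/set-GID regular files.
# -perm -4000 matches files with the set-UID bit, -perm -2000 the set-GID bit.
privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# new_since_baseline ROOT BASELINE: print "NEW <path>" for each privileged
# file present now but absent from BASELINE (one path per line, as written
# by privileged_files when the system was known good).
new_since_baseline() {
    privileged_files "$1" | while IFS= read -r path; do
        grep -Fxq -- "$path" "$2" || echo "NEW $path"
    done
}

# sticky_dir_mode DIR: give DIR mode 1777 (the System V "public directory"
# setting in which only a file's owner or root may remove it) and print the
# resulting mode string, whose final "t" is the sticky bit.
sticky_dir_mode() {
    chmod 1777 "$1"
    ls -ld "$1" | cut -c1-10
}

# demo: constructed tree with one set-UID, one set-GID and one plain file,
# and a baseline that lists only the set-UID one. Prints the number of
# privileged files found, how many are new relative to the baseline, and
# the mode of a sticky public directory.
demo() {
    d=$(mktemp -d)
    for f in suid_tool sgid_tool plain_tool; do
        : > "$d/$f"
        chmod 755 "$d/$f"
    done
    chmod u+s "$d/suid_tool"
    chmod g+s "$d/sgid_tool"
    printf '%s\n' "$d/suid_tool" > "$d/baseline.txt"   # known-good list
    found=$(privileged_files "$d" | wc -l | tr -d ' ')
    new=$(new_since_baseline "$d" "$d/baseline.txt" | wc -l | tr -d ' ')
    mkdir "$d/public"
    sticky=$(sticky_dir_mode "$d/public")
    rm -rf "$d"
    echo "found=$found new=$new sticky=$sticky"
}

demo
```

In use, the baseline would be written once after installation and kept where only the system administrator can write it, and the NEW lines from each day's run reviewed against the record of authorised system updates.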
A system log should record sensitive commands for review and<br />
monitoring of unusual activity. There should be documentation of all system updates,<br />
and such updates should be compared with authorisations.<br />
Firmware keys (3B2 computer family)<br />
Many 3B2 computers, it is reported, were given the same firmware<br />
password at the factory, and access to the computer is through the computer firmware.<br />
The firmware password should be changed soon after installation. The firmware password<br />
facilitates change of the root password.<br />
Back-up and recovery<br />
As in all other systems, but more particularly in an organisation with the UNIX<br />
operating system, back-up and recovery procedures are very important. They should<br />
be well documented; applications should be prioritised and offsite storage should<br />
be adequate.<br />
ANALYSIS AND FINDINGS<br />
AUDIT<br />
Auditors, both external and internal, of the organisations which had the<br />
UNIX operating system were blissfully ignorant of the special features of the<br />
operating system. In most cases they were not aware of the concept of an operating<br />
system, let alone the UNIX operating system. Hence there was no awareness of the<br />
controls and weaknesses associated with the UNIX operating system.<br />
Controls from the organisations' point of view<br />
There were no security policies or guidelines issued either by the<br />
Management or the Data Processing Department. No individual was identified<br />
specifically as the Security Administrator.<br />
The US Department of Defence had issued, through the National Computer<br />
Security Centre, six key regulations for security, as follows:<br />
i. The system must enforce a precise and explicit security policy.<br />
ii. Every object associated with that policy must be marked with an Access<br />
Control Label.<br />
iii. Individual users must be identified.<br />
iv. The system must maintain a protected audit record of actions relating to<br />
security.<br />
v. The system must be open to independent security evaluation.<br />
vi. The system must be permanently protected against re-configuration or any<br />
other method of alteration.<br />
In practice at least four out of the six factors were absent in all the cases. In<br />
many organisations the login logging in /usr/adm/loginlog is not turned on, with<br />
the result that the facility for monitoring unauthorised login attempts is disabled.<br />
In a UNIX system the "root" is most important and all powerful. Only the<br />
super user should normally have this privilege, as the facility enables bypassing of<br />
all security controls. No special efforts have been put in for deciding on the access<br />
privileges of read, write and execute for the owner, group or other users. Only in a<br />
few cases has the facility of "UMASK" been used.<br />
The SET UID and SET GID commands in a UNIX operating system<br />
allow normal users to access restricted files. This is done on a temporary basis for<br />
a specific purpose. These commands are not strictly controlled. That security has<br />
not been violated so far is primarily due to lack of knowledge on the part of<br />
dishonest staff; security has been maintained thanks to the loyalty of the staff<br />
concerned. There was a reported case of a member of staff accessing unauthorised<br />
information for use by union members. A casual examination of the console log<br />
revealed this incident. Corrective and preventive action was taken thereafter.<br />
"UNIX SECURITY", as has been said several times, is a contradiction in terms<br />
unless special efforts are taken to build a security shell. A great deal of effort is being<br />
put in on a "crisis management basis" by the more responsible staff of the data<br />
processing department. Neither the senior management nor the auditors are aware<br />
of the implications of having a UNIX operating system with appropriate controls.<br />
Though subsequent versions of UNIX have been made available,<br />
organisations which had implemented earlier versions of UNIX with great difficulty<br />
have not been able to implement the latest version, in view of having to make fast<br />
changes in the running programs while already carrying a great backlog of new<br />
applications waiting to be taken up. In many of the organisations masking has not been<br />
properly implemented. The users were totally unaware of the exposure that their<br />
sensitive files were facing. There have been reported instances when unauthorised<br />
access has been easily available to files to which there should have been no access.<br />
Especially in a multi-user environment the situation has been very volatile, with no<br />
controls on access on a "need to know basis".<br />
SUGGESTIONS<br />
It is often said that UNIX security is a contradiction in terms. From the<br />
organisation's point of view:<br />
- All other passwords should be changed periodically without fail.<br />
- Access to a file should not be permitted without the owner's permission.<br />
- Depending upon the particular version of UNIX, the following should<br />
be included:<br />
umask 007<br />
This will ensure that only the file owner will have read, write and execute access<br />
to the file.<br />
Network File System (NFS): In most cases it is installed without any security<br />
features being enabled. As NFS enables several UNIX hosts to share files on the<br />
network, if NFS is installed without adequate security features any UNIX host<br />
can access the network and, through the network, any of the files. The best method<br />
to avoid such a situation would be that for each file listed in /etc/exports the<br />
access= keyword option is used. The keyword should contain the list of<br />
hosts that may access the particular file. It is necessary that all files should have a<br />
pre-determined list of hosts that may access it. The organisation should issue policy<br />
and guidelines for protection of information.<br />
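A check on an NFS exports file in the spirit of the suggestion above, as an added example that is not from the thesis. The thesis refers to the older access= host-list keyword; this script assumes instead the Linux /etc/exports syntax, path client(options) ..., in which the host list is the set of client entries, and it flags an export with no client list, one exported to the bare * wildcard, and one granting no_root_squash (remote root keeps root rights on the exported files). The sample exports file and the host names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thesis): review an exports file in Linux
# "path client(options) ..." syntax and report exports whose host list is
# missing or unrestricted, or which let remote root keep root privilege.

# check_exports FILE: print one "WEAK <path> <reason>" line per finding.
# Runs in a subshell with globbing off so a literal "*" is never expanded.
check_exports() {
    (
    set -f
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -- $line                     # split into path and client entries
        [ $# -eq 0 ] && continue
        path=$1
        shift
        if [ $# -eq 0 ]; then
            echo "WEAK $path no-client-list"
            continue
        fi
        for client in "$@"; do
            host=${client%%\(*}          # text before "("
            opts=${client#*\(}           # text after "("
            opts=${opts%\)}              # without the trailing ")"
            [ "$opts" = "$client" ] && opts=   # entry had no "(options)" part
            case "$host" in
                ''|'*') echo "WEAK $path wildcard-client" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "WEAK $path no_root_squash" ;;
            esac
        done
    done < "$1"
    )
}

# demo: run the check over a constructed exports file (hypothetical hosts).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, hypothetical host names
/srv/public                                        # exported with no client list
/srv/apps     *(rw)                                # every host on the network
/srv/home     payroll-host(rw,root_squash) audit-host(ro)
/srv/backup   backup-host(rw,no_root_squash)
EOF
    check_exports "$f"
    rm -f "$f"
}

demo
```

Only /srv/home passes: each of its clients is a named host and root is squashed. The check reads a copy of the file, so it can be run by an auditor over an exports file supplied by the system administrator without access to the NFS server itself.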
From the auditing point of view<br />
For an auditor to perform an effective audit in a UNIX operating system, it<br />
is necessary for him to be UNIX literate. A few basic steps that the auditor should<br />
perform while auditing in a UNIX environment would be:<br />
- Find out which version of the UNIX operating system is in use.<br />
- Make out a list of the known loopholes in the particular version.<br />
- Check whether the procedures to plug loopholes have been followed<br />
and implemented.<br />
- Check whether the default setting of UNIX, which permits read<br />
and execute access by all users, has been changed to restrict access<br />
to the file to the owner only.<br />
- Test whether controls and procedures which are supposed to be in use<br />
are really in existence.<br />
- Report to management on the state of the controls as existing, the<br />
loopholes if any and the possible impact of the weaknesses on the<br />
organisation, and suggest remedial measures for implementation.<br />
CHAPTER VII<br />
DISASTER RECOVERY PLANNING<br />
Most organisations which have computerised their operations are no longer<br />
mere users of computers. They have become dependent on them, and the failure of the<br />
computer operation would result in business interruption. It is generally<br />
believed that catastrophes and disasters will affect other enterprises and not us!<br />
There are any number of instances where unanticipated contingencies have<br />
occurred and businesses have been interrupted. The importance of a disaster recovery<br />
plan and contingency planning can never be over-emphasised. To take an example<br />
nearer home, in February 1994 the Reserve Bank of India's National Clearing Centre<br />
at Nariman Point had a breakdown of the computer system. The press report stated<br />
that "according to sources, the breakdown in IBM's micro-processing, stated to be<br />
major in nature, was reported on Wednesday afternoon and necessitated a total<br />
shutdown of the sophisticated system. Since the system cannot be set right<br />
till Thursday, banks all over Bombay were advised against sending more cheques for<br />
clearing. Clearing of cheques of more than Rs.1500 crores came to a standstill following<br />
a two-day old breakdown in the computer system. Oral requests were made to<br />
representatives of various banks in the city, arriving with bundles of more than<br />
10,00000 cheques, to take them back, but without stating any reason for the same,<br />
mystifying the banking circles in the city. It was reported that a team of engineers<br />
was being flown from Calcutta. Till Friday evening, no progress was made other<br />
than detecting the fault." While other matters of detail are of no relevance, it is of<br />
significance to note that even an institution like the Reserve Bank of India had no<br />
disaster recovery planning!<br />
Whether a disaster is a natural event such as an earthquake or a hurricane, an unnatural<br />
event such as an electrical overload sparking a fire, or a normally anticipated<br />
situation such as failure of hardware or failure of environmental support services,<br />
the management of those who have the responsibility for processing information on<br />
computers should have a well-tested plan for meeting such emergencies.<br />
PROBLEM AREAS<br />
With information technology advancing at a tremendous pace, and with awareness of the<br />
advantages of utilising information technology for decision-making purposes, apart<br />
from obtaining information from vast volumes of data, all organisations have gone in<br />
for computerisation of different types. This has made organisations dependent on<br />
computers, with the result that such organisations would be handicapped in some way<br />
or the other, should a disaster occur.<br />
In our country also the job opportunities and career possibilities in<br />
information technology are growing so rapidly that the turnover of personnel<br />
has become more a rule than an exception.<br />
A study of the present scenario in general reveals that while organisations had<br />
realised that disasters can occur, there is a certain sense of complacency, arising out<br />
of the illusion that calamities will strike only their neighbours. The documentation<br />
standards for systems and programmes are generally incomplete if not outdated. With<br />
the documentation standards being unsatisfactory and the personnel turnover factor<br />
being high, organisations do face problems. It is due to a few dedicated old hands<br />
that the systems are running. Added to this common problem, there is no attempt<br />
made to plan for a contingency. No studies have been made as to how long an<br />
organisation can continue without a computer before business interruption occurs,<br />
or what arrangements are to be made should the problem persist longer than the<br />
organisation can withstand. There have been no attempts made to prioritise critical<br />
applications. The utmost recovery plan that is in existence is that copies of most of the<br />
programmes are made, and those stored in a separate cupboard. The cupboard is<br />
mostly in the same computer room, and sometimes with the manager of the<br />
department in his cabin, which is located in the same building if not on the same<br />
floor.<br />
Uninterrupted power supply systems (UPS) are in existence. Fire extinguishers<br />
are fixed in different locations of the computer room. Pitifully there is no continuous<br />
training given to personnel in fire-fighting. Internal auditors do not even consider it<br />
as part of their duty to see whether the fire extinguishers have been refilled.<br />
The basic precaution of ensuring that inflammable material is not stored near<br />
or around the computer room is not observed. Thermocole boxes or thermocole<br />
material which arrive as packing material for the hardware and software are stored in<br />
the computer room itself, if not in the computer library. Computer rooms in many<br />
instances do not have dedicated air-conditioning. The same air-conditioning ducts<br />
run through the building as well as the computer room in many instances. While open<br />
fire may not exist in the computer room, burning of camphor on Friday evenings in<br />
different parts of the offices is not an uncommon situation.<br />
For convenience the computer division in many instances is situated on the<br />
ground floor. While precautions are taken that water does not flow through the drain<br />
pipes and water culverts, the possibility of water inundating the computer room from<br />
clogged culverts of neighbouring organisations during the rainy season is not taken care<br />
of.<br />
The necessity for having a documented plan for disaster recovery is not<br />
appreciated, as spending effort and time "on an unlikely event" seems, in their opinion,<br />
futile.<br />
The concept of insurance cover in a computerised environment as it exists now<br />
is to provide an insurance cover to the extent of the cost of the hardware purchased.<br />
In some instances, if expensive software has been purchased, that cost also is included.<br />
However, the total cover for insurance in the eventuality of<br />
i) Program being lost<br />
ii) Program data being corrupted<br />
iii) Fraud occurring due to failure of software<br />
iv) Connected costs of restructuring data files<br />
v) Loss of business due to non-functioning of the computer, whether due to<br />
hardware or software fault<br />
Amongst other disasters, due importance should be given also to the impact of an<br />
attack from a virus, especially in a PC environment or a networked environment. There<br />
is a great vulnerability to attacks from viruses. While there is knowledge about the<br />
existence of viruses, the steps necessary to prevent attacks from viruses are not adequate.<br />
Instances are many when some steps are taken only after an attack of a virus. While the<br />
systems department does take some steps, though not adequate, to prevent viruses,<br />
auditors are totally ignorant in their knowledge of viruses, of the impact of an attack of a virus<br />
on computer information and programmes, and of the steps to be taken as a precautionary<br />
measure.<br />
In the data collected, on the assurance that anonymity would be maintained, the<br />
following information was available.<br />
In one of the large public limited organisations which had offices all over<br />
India, the computer room was flooded with water due to overflowing of the drainage<br />
in the neighbouring building due to rain. The water level under the false flooring was<br />
nearly 5 to 6 inches. The organisation bailed out the water with mugs and buckets.<br />
As the computer installation had already been down for three days, soon after the bailing<br />
out of the water was completed the current was switched on, with the intention of using the<br />
computer henceforth. There was a short circuit due to the dampness, and there was<br />
damage to the hardware and to the programs which were on the hard disk. The<br />
organisation struggled for a week to ten days recreating software and negotiating with<br />
hardware suppliers for replacement.<br />
In one of the leading foreign banks in Mount Road, Madras, certain modems<br />
and about 40 terminals were burnt out due to lightning striking one of the cables<br />
running through the open yard of the bank. It is needless to mention the crisis that<br />
the bank had to manage.<br />
In another organisation data used to be entered into floppies at the flock free<br />
and sent for processing to the head office 25 kms away. Several days' data was<br />
lost, as the data was being transported without adequate protection in ordinary<br />
cardboard boxes in an auto rickshaw which had the motor on the reverse. The magnetic<br />
field created by the motor erased all the data, which was realised only much later.<br />
In yet another organisation, which prided itself on the fact that it had back-up<br />
for all its programs and files, the entire operation was paralysed for more than two<br />
months. This was due to the fact that sudden rains inundated the computer room,<br />
which also housed the duplicate copies of the programs and files!<br />
In another organisation, due to uncontrolled and unexpected power supply<br />
problems, the disk was scratched. The organisation immediately unloaded the disk,<br />
opening the duplicate copy of the programs and files. The source of the problem not<br />
having been set right, the disk which contained the duplicate copy was also scratched.<br />
Losses of files due to virus attacks were very many. In most of the cases where<br />
disaster struck, there was no recovery plan. The problems and crises were only<br />
discussed in private, as organisations felt that there would be loss of image. It was<br />
not officially reported.<br />
STANDARD ACCEPTED PROCEDURES<br />
When a disaster occurs, an organisation which is well equipped to face it is<br />
able to resume normal operations by following a pre-determined recovery strategy.<br />
It is interesting to recall the case of California Federal when a disastrous earthquake struck<br />
California. Internal Auditor Mr. John G. Burch, in his article "Disaster Recovery Plan"<br />
on moral and professional responsibility, describes the experience of "CAL FEDERAL".<br />
There was no time for the installation to have a graceful degradation; the system is<br />
reported to have gone down inelegantly; they were taken totally by surprise. It is<br />
reported that CAL FEDERAL employees, under the direction of the Senior Vice<br />
President of Computing & Communications of CAL FEDERAL, were able to activate<br />
the Contingency Plan within one hour, and after 29 hours of non-stop recovery work<br />
everything was back to normal. Soon thereafter there was a second earthquake; the<br />
contingency plan had included a "HOT SITE". A hot site is a back-up facility which is a<br />
computer installation which is fully equipped and is more or less a duplicate of the<br />
existing installation. CAL FEDERAL, after its second disaster recovery plan,<br />
recovered in nine hours. It is reported that the Vice-President stated that a lot of<br />
data processing managers thought it would not happen to them, "but I was not singled out<br />
by God; it is a moral responsibility to have a plan".<br />
Yet another reported case is of a computer centre which survived the 1992<br />
Los Angeles riots due to the existence of an effective disaster recovery plan. Riots had<br />
started in Los Angeles; there was extensive looting and fires were widespread. It is<br />
reported that "the data processing centre survived the emergency unscathed".<br />
Analysing the reasons for the successful survival of the data centre:<br />
(a) The Data Processing Management had a plan for emergencies.<br />
(b) It had a comprehensive and well documented contingency plan to be used in the<br />
course of a major earthquake, as after all an earthquake was another type of<br />
emergency. This contingency plan worked out even in this type of emergency.<br />
The plan even included stocking "earthquake bags" which contained food and<br />
other essentials for the employees.<br />
(c) The computer site had effective security. The first two floors ... and<br />
it had no public lobby. No casual visitors were allowed entry into the building.<br />
Linda Larsen concludes that the Los Angeles data processing centre survived a major urban riot because they were well prepared for an emergency.
As against the above two instances, an example nearer home highlights a situation within our country. The Reserve Bank of India's National Clearing Centre at Nariman Point, Bombay had a breakdown of their computer for four to five days. The system could not be set right and several lakh cheques worth several crores remained stagnant. Instructions were given to bankers to prepare themselves for manual clearing as the "clearing system was malfunctioning". A disaster does not occur every day, but one should be prepared for it with an effective disaster recovery and contingency plan. There should be standard policies and procedures issued by the Management covering the following aspects:
i. Contingency planning process
ii. Risk analysis
iii. Strategy for contingency planning
iv. Documentation
v. Testing
vi. Risks and controls
vii. Audit considerations
The need for Management's awareness of a contingency plan arises out of the following factors:
i) Information is a valuable asset of the organisation.
ii) Unlike previously, computers are spread all over the organisation.
iii) Organisations are dependent upon computers and are not mere users of them.
iv) Computers have the capability to contribute to the decision-making process.
CONTINGENCY PLANNING PROCESS
As the adage "Prevention is better than cure" goes, it is better to have preventive measures to avoid a disaster rather than struggling after a disaster to bring back normalcy. The preventive steps may be classified under the following three heads:
(a) Organisation
(b) User involvement
(c) Administrative procedures
(a) Organisation
The most important step is to have a team which has:
(a) Centralised responsibility
(b) Adequate visibility
(c) Appropriate authority
It is necessary that there should be one leader who is the primary responsible authority for coordinating and maintaining the contingency plan. It is essential that all the departments in the organisation are made aware of the fact that the organisation is intending to develop a contingency plan. As the users and the departments are made aware of the need to have a contingency plan, awareness of potential risks is spread. As the project leader has to liaise with the different departments, senior management should vest the project leader with appropriate authority and communicate the same to others in the organisation.
(b) User involvement
Users should be closely associated with the development of the contingency plan. They should be involved in assessing the risk resulting from a disruption, as users are the best judges and would be able to assess the associated risks better. The useful functions that the users could perform would be:
(i) Impact analysis
The users should evaluate the impact of the failure of computer systems on their business function. They should make a fair assessment of how long they can manage without computer processing. Users must be closely associated in the process of identifying and prioritising critical applications.
Users and the systems staff need to work very closely to decide on the procedures to be followed in the case of a computer breakdown and also the procedures which need to be adopted to get back onto the computer systems.
(c) Administration
As already mentioned, one person should be selected as the leader; his responsibility should include developing a planning methodology, developing plans to implement the policy (especially an organisational structure), training the staff, reviewing the process and reporting to the management, maintaining the plan, and co-ordinating the others involved in deciding the plan. A planning methodology should be used to ensure quality, security, consistency, comprehensiveness and maintainability.
Risk Analysis
It is extremely important to identify and prioritise critical applications. The applications which need to be restored and the order in which they need to be restored should be settled.
The factors which contribute to the criticality of the applications need to be studied carefully.
The next step would be to evaluate the threat of disaster to the computer facility.
ANALYSIS AND FINDINGS
A sample survey of 30 organisations was conducted. The questionnaire utilised for this purpose is enclosed (Table 8.1). The response from all the 30 organisations was analysed. The information was personally gathered by me from the organisations. In addition, I had a discussion with five leading firms of auditors to ascertain the audit procedures followed in connection with the Disaster Recovery Plan of their clients' organisations, which were extensively using computers for preparation of management information as also of financial statements for audit certification (Table 8.2). The findings as gathered from the sample of organisations surveyed are as follows:
(i) There were no standard policies or guidelines for the organisation regarding a contingency plan or DRP.
(ii) None of the organisations had any remote, safe back-up storage vault for storing the programs, systems documentation or important data.
(iii) None of the organisations had an insurance policy which covered anything other than the cost of the hardware.
(iv) None of the organisations had applied their mind to the legal responsibility that may arise for non-performance should a disaster strike the organisation. In the absence of any DRP or policies or procedures provided by the management, there was no documentation for a DRP.
(v) All the organisations had copies of the programs backed up. However, in most of the cases these programs were not stored in a remote place away from the computer installation.
(vi) In most of the cases, the computer programs and critical data were copied and stored in the systems manager's cabin, which was part of the computer department.
(vii) In most cases it was also found that thermocole packings and cardboard boxes which arrived with peripherals or computer stationery were stacked near or around the computer installation, without the least awareness that, being combustible material, these should never be stacked near the computer installation.
(viii) There was no documented evidence regarding the key personnel to be contacted in case of a disaster.
Informal discussions provided the information that the organisations had faced situations when disasters struck them in the following areas:
* Disk crash
* Virus attack
* Water leakage
* Hardware failure
* Software getting corrupted
In all the above situations the organisations did have problems, and they resorted to "crisis management". Strangely, this had not resulted in any permanent action being taken by way of formalising the DRP and contingency plan.
Apart from these findings, survey results of Messrs Coopers & Lybrand are enclosed (Table ). There are as yet no reported cases in our country of loss incurred due to disasters striking organisations. However, it should be noted that there were blasts in Delhi, a big fire in a multi-storeyed building which affected, amongst other organisations, Bharat Heavy Electricals Limited, an earthquake in Bombay and a bomb blast in Bombay which affected any number of organisations and their computer operations. In Madras, lightning struck a multinational company, which affected more than forty terminals. More recently, the hardware problems in the Reserve Bank of India Clearing House operations are a case in point.
AUDIT
The discussions with the auditors revealed that their areas of operation and activity did not include evaluating the adequacy of a DRP. This has also been confirmed by all the 30 organisations which were included in the survey. The auditors have been ignorant of the need to review the adequacy of a DRP. While the auditors are aware that they need to value all the assets and certify their existence, somehow they have not as yet realised the value of information and computer support for their client organisations.
SUGGESTIONS FROM THE POINT OF VIEW OF THE ORGANISATIONS
The organisation should realise that contingency planning for information systems is an important element of internal control, to ensure that computer data and resources would be available in case there is disruption of any nature to computer operations. Contingency planning is an important management function. The contingency planning process should include the following:
Contingency planning
* The plan should ensure the continuity of the organisation's operations.
* It should minimise recovery times.
* It must support the Business Recovery Plan.
* It must fulfil legal obligations.
Risk analysis
This involves identification of the exposures and threats to which the organisation may be exposed. Hurricanes, earthquakes and bomb blasts in our own country are no longer an unlikely probability. These aspects need to be provided for.
Critical applications need to be identified by evaluating their impact on the organisation from the point of view of:
(a) Legal obligations
(b) Interruption to service to customers
(c) Potential loss of revenue
Assess insurance cover
Insurance cover should not be limited to the cost of hardware. The exposures that the computerised organisation is likely to have need to be studied and covered.
Documenting the plan
It is unanimously accepted that the success of a contingency plan depends to a great extent on the quality of documentation. The documentation should clearly have the following:
(i) The names and contact addresses of the main members of the recovery team.
(ii) The details of the recovery plan.
These plans should include the specific activities that need to be meticulously performed to minimise recovery time and the loss from disruption, a list of the important files that need to be restored to continue processing, and the procedures for recovering those files from back-up tapes and disks.
It is not uncommon to have problems on payroll or dividend warrant runs at the most critical period. It would be advisable for such critical applications to have even hard copies of important data.
The details of all equipment that would be needed to fully rebuild and reprocess need to be inventoried.
Forms and supplies
The contingency plan should have full details regarding the specific forms that would be needed to continue critical applications.
Example: pay slips, dividend warrants, invoice forms, contract forms etc.
Testing
The importance of a contingency plan lies in its periodic testing. It is necessary that the plan should be tested. However, it should be realised that unless the plan is fool-proof, testing of the plan may result in the disaster itself; for this reason a plan is normally tested in stages, from a walk-through of the documentation, to a restore of the critical files onto stand-by equipment, before any test that interrupts live processing. Maintaining a contingency plan is an on-going process. It should be continually maintained, tested, evaluated and updated.
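The restore procedure called for under "Documenting the plan" and the periodic test described above can be exercised without touching live processing. The following is an added example written for this page, not code from the thesis or from any of the organisations surveyed; the plan entries, the backup manifest, the file contents and the reference date are all constructed for illustration, and the assumption that the plan records a SHA-256 digest of each critical file taken at the last successful restore test is mine.

```python
"""Checking that the critical files listed in a contingency plan can actually be
recovered from the backup copies held.  Added example with constructed data; the
idea that the plan records a digest of each file from the last restore test is an
assumption made for this example."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class CriticalFile:
    name: str
    max_age_days: int       # oldest copy that would still let processing resume
    expected_sha256: str    # digest recorded in the plan at the last restore test


@dataclass
class BackupCopy:
    name: str
    location: str           # "onsite" (the computer installation) or "offsite"
    taken: datetime
    payload: bytes          # stand-in for what is read back from the tape


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_plan(plan, copies, now):
    """Return {file name: [problems]}; an empty list means the file is recoverable."""
    report = {}
    for cf in plan:
        problems = []
        mine = [c for c in copies if c.name == cf.name]
        offsite = [c for c in mine if c.location == "offsite"]
        fresh = [c for c in offsite if now - c.taken <= timedelta(days=cf.max_age_days)]
        if not mine:
            problems.append("no backup copy exists")
        elif not offsite:
            problems.append("copies held only at the computer installation")
        elif not fresh:
            problems.append("offsite copy older than %d days" % cf.max_age_days)
        else:
            # Restore test: read the newest usable copy back and compare it with
            # the digest the plan recorded, instead of trusting the tape label.
            newest = max(fresh, key=lambda c: c.taken)
            if sha256(newest.payload) != cf.expected_sha256:
                problems.append("restored content does not match the digest in the plan")
        report[cf.name] = problems
    return report


# Constructed sample data: a reference date, four critical files and the copies held.
NOW = datetime(1995, 6, 30, tzinfo=timezone.utc)
PAYROLL = b"EMP001,RAMESH,12000\nEMP002,SITA,15500\n"
LEDGER = b"1995-06-29,4100,DR,250000\n1995-06-29,2200,CR,250000\n"
DIVIDEND = b"FOLIO7781,500\nFOLIO7782,1250\n"
PROGRAMS = b"PAYROLL.EXE\nGLPOST.EXE\nDIVWARR.EXE\n"

PLAN = [
    CriticalFile("PAYROLL.MST", 7, sha256(PAYROLL)),
    CriticalFile("GL.LEDGER", 1, sha256(LEDGER)),
    CriticalFile("DIVIDEND.REG", 30, sha256(DIVIDEND)),
    CriticalFile("PROGRAMS.LIB", 90, sha256(PROGRAMS)),
]

COPIES = [
    BackupCopy("PAYROLL.MST", "onsite", NOW - timedelta(days=1), PAYROLL),
    BackupCopy("PAYROLL.MST", "offsite", NOW - timedelta(days=2), PAYROLL),
    # the only copy is kept in the systems manager's cabin, as the survey found
    BackupCopy("GL.LEDGER", "onsite", NOW - timedelta(hours=12), LEDGER),
    # held offsite, but taken a quarter ago
    BackupCopy("DIVIDEND.REG", "offsite", NOW - timedelta(days=91), DIVIDEND),
    # offsite and recent, but the tape does not hold what the plan expects
    BackupCopy("PROGRAMS.LIB", "offsite", NOW - timedelta(days=10), PROGRAMS[:-12]),
]


def run_check():
    return verify_plan(PLAN, COPIES, NOW)


if __name__ == "__main__":
    for name, problems in run_check().items():
        print("%-14s %s" % (name, "OK" if not problems else "; ".join(problems)))
```

Run stand-alone it prints one line per critical file. The three failing entries correspond to the survey findings above: a copy held only in the systems manager's cabin, an offsite copy too old to be of use, and a copy that does not restore to what the plan expects. A walk-through of the documentation alone would have passed all three, which is why the staged test ends with an actual restore.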
Review of insurance coverage
The insurance coverage should be adequate and up to date. The more important aspects for which the insurance should have cover would be:
(i) Cost of equipment, whether purchased or leased
(ii) Coverage for mechanical and electrical breakdowns which may result in loss of data or programs
(iii) Coverage for fraudulent or dishonest acts of employees
(iv) Coverage for loss of data and software
The policy should preferably cover the equipment at its replacement cost. It would be advisable also to provide for coverage for the following:
(i) Loss of documents
(ii) Cost of reproducing data
(iii) Injuries to personnel
AUDIT
The auditor should necessarily verify whether there is a contingency plan or a DRP. If there is a DRP, he should go through its contents to ensure that the standard accepted contents, as discussed under documentation, are all included. The auditor should pay special attention to the following aspects:
(i) Accuracy
While the plan may be in existence, how accurate it is needs to be verified.
(ii) Currency
It is extremely important that the contingency plan is current, as an outdated plan is no plan.
(iii) Testing
It would be advisable for an auditor to test a plan. It would be more effective if this is combined with the organisation's own scheduled testing of the plan, which would give him an opportunity to personally evaluate its effectiveness. In the absence of testing, a thorough walk-through of the important aspects of the plan would be adequate.
AUDIT OF DISASTER RECOVERY PLAN
More and more organisations have ceased to be mere users of data processing facilities. The impact of changes in Information Technology has been so great that most organisations are dependent upon computerised information. They are no longer mere users.
In view of this dependence and reliance on computers and computer information, it is not unlikely that should disaster strike the computer, the organisation may run aground. Information is an asset and it requires to be safeguarded. Computer installations may be struck by disaster, whether human or an act of God. The human element may be by way of intentional or unintentional corruption of data and programs, fraud, sabotage etc. Fire, fraud, earthquake and lightning are other situations which affect computer operations and disable them totally or partly. It is the responsibility of the auditor to verify the adequacy of the disaster recovery plan. He should ensure that there is a written, documented plan which lays down the various procedures which would enable the organisation to recover from the disaster within a critical time-frame.
E.g. the Reserve Bank of India incident, the earthquake in California.
It is necessary for the auditor to be aware of the ingredients of a DRP or a contingency plan with specific reference to the particular environment he is auditing. Being aware, he is expected to evaluate the adequacy or otherwise and give a report on the same.
TABLE 7.3
DISASTER RECOVERY PLAN
1. Are standards, policies and guidelines regarding the contingency plan or DRP available? If so, are they adequate?
( ) Yes - adequate and up to date
( ) Yes - reasonably adequate and up to date but needing improvement
( ) No - not available
2. Have you checked whether the organisation has a remote, safe document storage vault and the valuable documents stored in the same?
( ) Yes - verified and found to be in order
( ) Yes - but the vault does not hold the latest and important documents
( ) No - no such check made
3. Have you checked whether there is an insurance policy to cover the computer hardware and software?
( ) Yes - checked the policy; it covers both
( ) Yes - only the hardware
( ) No
4. Have you checked from the angle of legal responsibility to ensure that vital documents are handled satisfactorily and retained for sufficient time?
( ) Yes - checked with the legal department
( ) Yes - from my own judgment
( ) No
5. Have you checked the existence of any contingency plan? Is it well documented?
( ) Yes - well documented
( ) Yes - discussed with EDP staff
( ) No
CHAPTER VIII
AUDIT APPROACH
Overview
The approach to audit in a computerised environment, as already mentioned, is different from the approach in a manual system. While specific controls and audit concerns are associated with each computerised environment, there is a general approach recommended for a computerised environment. In this chapter, that aspect is discussed.
The examination upon which the report of attestation is based is known as an audit. The individual doing such work is usually referred to as the auditor. An auditor may be an internal auditor or an external auditor. The internal auditor is appointed by the Management and he reports to them. The external auditor, or statutory auditor in the case of companies, is appointed by the shareholders at the annual general meeting under the Company Law. The auditor gives his report under the statute to the shareholders.
"The Statement of Responsibilities of the Internal Auditor" was issued by the Institute of Internal Auditors originally in 1947. Subsequently, in 1978, "Standards for the Professional Practice of Internal Auditing" was issued.
The main points covered were:
* Independence
* Professional proficiency
* Scope of work
* Performance of audit work
* Management of the Internal Audit Department
The more important aspects under this head are as follows:
Independence
Internal auditors should be independent of the activities they audit.
Objectivity
Internal auditors should be objective in performing audits.
Knowledge, skills and disciplines
The internal auditing department should possess, or should obtain, the knowledge, skills and disciplines needed to carry out its audit responsibilities.
Supervision
The internal auditing department should provide assurance that internal audits are properly supervised.
The Internal auditor
Continuing education
Internal auditors should maintain their technical competence through continuing education.
Due professional care
Internal auditors should exercise due professional care in performing internal audits.
Reliability and integrity of information
Internal auditors should review the reliability and integrity of financial and operating information and the means used to identify, measure, classify and report such information.
Compliance with policies, plans, procedures, laws and regulations
Internal auditors should review the systems established to ensure compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on operations and reports, and should determine whether the organisation is in compliance.
Safeguarding of assets
Internal auditors should review the means of safeguarding assets and, as appropriate, verify the existence of such assets.
Examining and evaluating information
Internal auditors should collect, analyse, interpret and document information to support audit results.
Quality assurance
The director of internal auditing should establish and maintain a quality assurance programme to evaluate the operations of the internal auditing department.
The internal audit department provides assistance to Management by analysing and reporting on the activities reviewed by them. Internal auditors can be concerned with any phase of the business activity of the organisation. Information systems are an important activity of the organisation, and also form the basis for the accounting and financial statements. So, to attain the objective of rendering assistance to management in the effective discharge of its responsibilities, the auditor's activities will include the following:
- Reviewing and evaluating the soundness and adequacy of the controls associated with accounting, finance and other activities, and satisfying himself regarding the extent of compliance with established policies and procedures.
- Evaluating the reliability of the management data and information developed, and reviewing the information systems which record and process financial data.
The auditing standards pronounced by the professional bodies are discussed in greater detail in the Chapter on Auditing Standards. SAS No. 47 addresses audit risk. Audit risk is defined at the financial statement level as "the risk that the auditor may unknowingly fail to appropriately modify his opinion on financial statements that are materially mis-stated".
The risk that material error exists is divided into:
(i) Inherent risk and
(ii) Control risk
The components of audit risk could be described as follows:
[Figure: overall audit risk, made up of the risk that an account balance is mis-stated (inherent risk and control risk) together with the detection risk that the auditor's own procedures fail to find the mis-statement.]
Inherent risk
The inherent risk could be identified with a knowledge of the business and an understanding of its transactions.
Internal control risk
The internal control risk is assessed by the auditor by establishing the effectiveness of the control system. The basic objective of any internal accounting control system is to provide assurance that all transactions are complete and accurate.
In a computerised environment, the auditor needs to review and evaluate the associated internal control systems to determine whether adequate controls exist to assure the auditor that all transactions are processed correctly and completely.
It is against this background that, when an auditor is performing his duty in a computerised environment, unless he is aware of acceptable standards for controls associated with a particular computerised environment, he would not be able to evaluate its adequacy. Consequently, the question of his assuring himself that all transactions are processed correctly and completely does not arise.
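The model by which SAS No. 47 combines these components is set out here as an added note; it is not spelt out in the text above, and the symbols and the numeric values are chosen for illustration only:

$$AR = IR \times CR \times DR$$

where $AR$ is the overall audit risk the auditor is prepared to accept, $IR$ the inherent risk, $CR$ the control risk and $DR$ the detection risk, that is, the risk that the auditor's own substantive procedures fail to detect a material mis-statement. Since $AR$ is fixed by the auditor in advance and $IR$ and $CR$ are properties of the client and its system, the only term the auditor can plan is

$$DR = \frac{AR}{IR \times CR}.$$

With $AR = 0.05$ and $IR = 0.8$, an auditor who has evaluated the controls and assessed $CR = 0.5$ may plan substantive work to a detection risk of $DR = 0.05 / 0.40 = 0.125$. An auditor who cannot evaluate the controls of the computerised environment has no basis for assessing $CR$ below its maximum of $1$, which leaves $DR = 0.05 / 0.80 = 0.0625$: the substantive testing of the computer-produced figures must then be planned to a much lower detection risk. That is the cost, in audit work, of the gap in knowledge the paragraph above describes.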
In large organisations external auditors are permitted to rely on the internal auditor's opinion under certain circumstances. In addition, they have their own responsibility, as they are certifying the correctness of financial statements which are themselves prepared on the computer. It will thus be observed that an auditor, whether internal or external, should be knowledgeable about specific controls. Specific controls would be different depending upon the specific computerised environment. The objectives of the audit in a computerised environment remain the same. However, in a computerised environment, in view of the internal controls being different, the audit mechanism for evaluating such controls has to be different too.
PROBLEM AREAS
All organisations, small and big, have computerised their accounting systems. Larger organisations have sophisticated management information systems. Technological developments have been growing very fast, while auditing skills have remained stagnant. The internal auditors do not have in their team any staff member who possesses the necessary skills and knowledge to audit in a computerised environment. The position regarding external auditors, who are big firms of long standing and who have amongst their clients large organisations with very high turnover, is the same: they also do not have the necessary skills and knowledge to perform an effective audit.
The present practice adopted by the auditors is limited to extensive checking of hard copies of computer statements. While extensive checking of the contents of the computer statements is undertaken, no attempt is made to satisfy themselves about the basic correctness and completeness of the statements. In a computerised environment auditing is generally divided into three categories:
i. Auditing around the computer
ii. Auditing through the computer
iii. Auditing with the computer
i. Auditing around the computer could be resorted to when the computer can be dealt with like a black box and the print-outs are exhaustive and comprehensive, so that every input transaction can be traced to an output document.
ii. Auditing through the computer is the situation when the computer cannot be treated as a black box. Transactions are sometimes visible and sometimes invisible. The audit trail itself becomes more complex. In such situations, the program logic should be tested.
iii. In auditing with the computer, the auditor's skills and knowledge are so high that he takes advantage of the capabilities of a computer and uses his own program or software to evaluate the correctness and completeness of computer statements. In the present day computer technology has developed to such an extent that it would be most appropriate for an auditor to perform an audit with the computer. However, the methodology adopted by all the auditors without exception is auditing around the computer, while the situation demands auditing with the computer. The auditors are not performing any of the following functions:
i. Understanding the computer system, i.e. knowing the type of hardware and software used and the operating system used.
ii. Obtaining a list of applications.
iii. Studying the system flow-charts.
Verifying whether there is adequate documentation for programs, whether there are any formal procedures documented for changes to programs, understanding the built-in controls as also the compensating controls for each of the applications, testing the programs and other procedures to evaluate the existence and adequacy of controls and of the disaster recovery plan, and reporting to the management their opinion on the audit performed.
In the absence of awareness on the part of the management regarding the necessity of an audit of the computerised environment, they do not have the internal audit perform an audit of the computerised environment.
In the absence of official statements from the professional bodies, external auditors are not performing the audit of the computerised environment.
There are reported and unreported cases of frauds occurring in a computerised environment.
Due to lack of knowledge, competence and skills, and also because so far neither the management nor the auditor has been sued by a third party for dereliction of duty for not evaluating the controls in a computerised environment, the present outdated practices and methods of auditing are continuing in a sophisticated environment using the latest information technology.
Lack of awareness of the risks and vulnerabilities associated with computerisation generally, and specifically with certain environments, was apparent in very many examples. Infallibility of the computer is confused with the notion that all computer output will be error free, complete and correct, and so no questions need be asked.
There have been instances when the accountants within the company, with the cooperation of the computer staff, have been able to produce computer print-outs to suit the audit requirements, and the auditors of the particular concern certified the accounts based on such statements in the firm belief that they had checked "computer outputs".
In another organisation, while there was supposedly a control on the total entries to be passed under each category, there was no creation of a suspense file for entries which were rejected. Letters were written to the concerned departments, with a copy to internal audit, regarding the entries rejected. It was a shocking revelation to note that the matter ended there. In the same organisation the vulnerability was exploited by collusion between a staff member of the computer department in charge of control totals and a clerk in one of the outstation depots. A cash entry was passed, supposedly, to support a deposit in the bank of the depot. Bank reconciliations done six months later did not help to reveal the intermediary frauds. Even the internal auditors as also the external auditors were totally unaware of the goings on. Neither of them had any knowledge of the approach to audit when the accounts are computerised.
In another organisation the preparation of invoices was computerised with a built-in control to reject such records as did not comply with the controls supposedly built into the program regarding type of product, sales tax classification, excise duty classification etc. Surprisingly, the computer systems staff had built in the logic that once a record was rejected, the rejected record would be rectified by the user department and fed into the computer again, and hence it would be a waste of computer efficiency to check it again! This led to a situation where, if a computer record had to bypass the supposedly built-in controls, it merely had to be rejected initially. In a discussion on controls with the Finance Controller this point was brought out, and the Financial Controller was surprised at the loophole in the control. He hastened to have it corrected. Again, however, neither the internal auditors nor the external auditors were aware of this situation.
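The loophole described in the invoicing case above, shown as an added illustration (not code from the thesis or from the organisation described): the flawed version trusts any record marked as re-fed after rejection and skips the edit checks, while the corrected version validates every record on every submission. The classification tables, field names and the resubmitted flag are hypothetical.

```python
from dataclasses import dataclass

# Constructed reference tables standing in for the controls the invoicing
# program was supposed to enforce (hypothetical values, not the auditee's).
VALID_PRODUCT_TYPES = {"FG", "SP"}            # finished goods, spares
VALID_SALES_TAX_CLASSES = {"ST-4", "ST-10"}
VALID_EXCISE_CLASSES = {"EX-A", "EX-B"}


@dataclass
class InvoiceRecord:
    invoice_no: str
    product_type: str
    sales_tax_class: str
    excise_class: str
    amount: float
    # Set by the user department when a previously rejected record is fed again.
    resubmitted: bool = False


def validate(rec: InvoiceRecord) -> list:
    """Return the control violations for one record (empty list if it passes)."""
    errors = []
    if rec.product_type not in VALID_PRODUCT_TYPES:
        errors.append("type of product")
    if rec.sales_tax_class not in VALID_SALES_TAX_CLASSES:
        errors.append("sales tax classification")
    if rec.excise_class not in VALID_EXCISE_CLASSES:
        errors.append("excise duty classification")
    if rec.amount <= 0:
        errors.append("amount")
    return errors


def process_flawed(records):
    """The logic as the systems staff built it: a record coming back after
    rejection is assumed to have been rectified, so the checks are skipped.
    Returns (accepted invoice numbers, rejected invoice numbers)."""
    accepted, rejected = [], []
    for rec in records:
        if rec.resubmitted or not validate(rec):
            accepted.append(rec.invoice_no)
        else:
            rejected.append(rec.invoice_no)
    return accepted, rejected


def process_corrected(records):
    """Corrected logic: the built-in controls run on every submission; the
    resubmitted flag no longer influences acceptance."""
    accepted, rejected = [], []
    for rec in records:
        if validate(rec):
            rejected.append(rec.invoice_no)
        else:
            accepted.append(rec.invoice_no)
    return accepted, rejected


# Constructed sample batch: INV-003 carries the same defect as INV-002 but was
# re-fed unchanged with the resubmitted flag set.
SAMPLE_BATCH = [
    InvoiceRecord("INV-001", "FG", "ST-4", "EX-A", 1200.0),
    InvoiceRecord("INV-002", "FG", "ST-99", "EX-A", 800.0),
    InvoiceRecord("INV-003", "SP", "ST-99", "EX-B", 800.0, resubmitted=True),
]

if __name__ == "__main__":
    print("flawed:   ", process_flawed(SAMPLE_BATCH))
    print("corrected:", process_corrected(SAMPLE_BATCH))
```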
In yet another organisation, while preparing stock valuation reports on the computer, the wrong master file regarding market value was loaded, and this was compared with the correct master file of costs. The logic of comparing cost or market value, whichever is lower, was no doubt correctly applied. But the stock valuation was wrong because the wrong market file was loaded.
STANDARD ACCEPTED PRACTICES
The objective of an audit is to evaluate the adequacy or otherwise of the internal controls and to report on the same. The objective of an audit does not change irrespective of whether the environment is manual or computerised. The method of satisfying oneself that the controls that need to exist do exist and are adequate, however, changes when the environment changes from the manual.
In a computerised environment different situations may arise:
(a) While the data originates from the user department, the recording and processing of the same takes place in a separate department, normally called the data processing department.
(b) The user departments may be provided with terminals, either intelligent or dumb. All these terminals are networked and a file server or two is maintained in a separate department under the control of a separate manager.
(c) A Database Management System might have been introduced, adding yet another complexity to a local area network.
Whatever may be the method adopted, there are certain changes which have taken place as distinct from the manual system:
i. Transactions are not always visible.
ii. The input for certain computer runs is the output of certain other computer runs, with the result that intermediary results may not always be available in hard copy.
iii. With each type of computerisation, there are certain controls associated with it to ensure accuracy, completeness, integrity and security of the system.
In view of the above, the auditor necessarily will have to be knowledgeable about the relevant controls that are applicable to a specific computerised environment, so that he is in a position to evaluate the adequacy or otherwise of the same. He would thus be able to give a comprehensive report of his opinion on the internal controls in the information system which is being used by the organisation. The auditor, either internal or external, is expected to report either to the management or to the shareholders, as the case may be, about his being satisfied or otherwise about the adequacy of the controls. In the case of inadequacy, he should be in a position to quantify the consequences or the magnitude of such a weakness. To achieve the above mentioned objectives, the auditor should adopt the proper approach, as mentioned by William E. Perry.¹
STEP 1
The initial step that the auditor should take would be to scope the environment, primarily to understand the environment in which the computer applications run and also to assess the audit scope and decide on the areas in which the audit will be conducted. Scoping helps the auditor to collect adequate background information to perform an effective audit function. The various tasks that the auditor would be required to perform are:
(a) Understand the audit objective.
(b) Define the scope of the assignment to obtain the necessary background information.
¹ William E. Perry, Auditing Information Systems: A Step by Step Audit Approach, EDP Auditors Foundation Audit Guide Series.
The above tasks may be effectively performed by following the procedures given below:
The audit objective should be very clearly stated, giving no room for any ambiguity. The scope of the assignment may be constrained, as mentioned by William E. Perry, by four Ts, viz. Time, Talent, Tools and Travel. As is obvious, if the time is inadequate and the effort of travel is more than reasonable, the scope cannot necessarily be extensive. In addition, if the concerned staff do not have the necessary talent or, though the staff may have the talent, if the necessary tools in the form of software packages or utilities are not available or usable at the computer installation, the auditor would be constrained. This would be a contributory factor in deciding on the scope of the assignment.
The auditor should necessarily obtain the background information; this would enable him to put the objective of the audit in the proper perspective. The auditor should meet the concerned key personnel in the computer department as also the user's department; he should acquire some knowledge, if he does not already possess it, so as to enable him to assess the possibility of any potential problems. The auditor should prepare a suitable questionnaire which, when completed, would give him the necessary information about the auditee being evaluated as also the computerised environment.
STEP 2
Understand the Information System
An information system would generally have the following ingredients: (a) Manual process; (b) Basic documents; (c) Computer processing; (d) Computer files held on either the hard disk or floppies; (e) various inputs and outputs. The auditor must first obtain an overview of the information system by concentrating on the system objectives and identify the flow of audit evidence. The procedures he could usefully follow to understand the information system are stated below:
The information system would encompass both manual and automated processing. Hence, it is necessary to study the systems in the basic manual environment, the final computerised environment and the linkage between the two. A method which has been generally found effective to understand an information system is for the auditor to conduct a "systems walkthrough". This involves identification of all input transactions by the auditor and following these transactions through the various computer processes. This information should generally be available in the documentation that the computer department is expected to maintain. The documentation would include a list of the various authorised applications with a systems flow-chart for the different applications like the payroll, inventory, financial accounting etc. Each of the systems documentation should have (a) program specifications, (b) listing of the source code, user manuals, operations procedures etc.
The auditor may obtain an application flow-chart from the organisation or develop one himself. A flow-chart is a pictorial representation of the computer process. The flow-chart helps in simplifying and presenting in a concise form large amounts of complex computer processing.
It is recommended that when the auditor prepares application flow-charts, they should be reviewed with the organisation's data processing department to ensure their accuracy and completeness.
STEP 3
Identify the audit risks
A risk can be defined as a potential loss or damage to an organisation. This is present in any environment, and a computerised environment is more vulnerable to risk if adequate steps are not taken to implement controls effectively. The functions that the auditor has to perform for identifying the audit risk would be (a) identifying the possible risks inherent in the information systems, (b) evaluating the magnitude of the risk and (c) prioritising the risks with reference to their importance from the auditor's point of view.
Identifying the risks
It would be possible to identify the risks in a computerised environment only if the auditor and his team are familiar with the information system as also the computerised environment in which the particular information system operates. As mentioned earlier, a computerised environment has additional risks as compared to manual processing. It is necessary for the auditor to identify these risks. An illustrative, but not necessarily exhaustive, list of the risks generally associated with the computerised environment is given below:
Repetition of errors
While in a manual process errors are made individually, in a computerised environment if there is an error in a program, the error would be committed consistently for any number of transactions with greater speed.
Cascading of errors
An error in a particular part of a program may trigger an unrelated error in another part of the program or application system, which may in its turn trigger yet another error; this type of error becomes more complicated when there is an integrated system.
Unreasonable processing
In the absence of human judgment, certain unreasonable processing is likely to take place. A junior individual on a very low salary may be given a computer job the value of which is ten times or a hundred times his entitlement. There may be an inventory application in which the quantity for a particular item may be denoted with a negative figure. Similarly, due to wrong processing a cash account may also denote a negative balance.
Incorrect entry of data
Data, though properly prepared, may be wrongly entered into the computer. Even when data is generated and entered into the computer at the same time, there is a possibility of errors creeping in.
Concentration of data
Unlike in a manual system, where voluminous data is stored in different places, in a computerised environment the data is concentrated in a computer file. This gives room for the possibility of data being copied without even the owners of the data being aware of the same. Sometimes this may result in the original data being modified or deleted. The more data is stored in a centralised place, the greater is the value of the data and the greater is the vulnerability. Inability to substantiate processing: in the absence of a proper audit trail it may be difficult to substantiate the processing. It should be possible to trace the sources of transactions and establish their integrity by means of control totals.
Concentration of responsibilities
Responsibilities which might have been separated for control purposes in a non-computerised environment may get merged and concentrated in a single application. This necessitates the substitution of new controls to make up for the previous separation of duties.
Determine the magnitude of risk
While a qualitative ranking of the risk, like whether it is high, medium or low, is adequate, it may be useful to quantify the same to facilitate effective presentation to the management.
Prioritising the risks
It is important that the risks should be prioritised, so that the auditor would be able to rank the risks and suitably divide the resources among them.
STEP 4
Identifying audit evidence
Electronic evidence, as distinct from paper evidence, has had a significant impact on the control process as also the audit process. As more and more evidence is becoming electronic, it is necessary, in order to substantiate the evidence, that not only should the electronic evidence be available, but it should be supported by adequate and relevant controls concerning its origination, recording and storage. The following table provides details regarding information systems audit evidence:
INFORMATION SYSTEM AUDIT EVIDENCE¹
Types of Evidence: Examples of Evidence in Automated System
Authorization: Supervisor key; Automated authorization rules; User signoff
Recording: Data files/data bases; System/program documentation; Communication logs
Access to assets: Passwords; Security systems; Communication logs
Asset accountability: Operator log; DBMS log; Program change control; Job accounting log
Operational performance: Software/hardware monitors; Failure/complaint reports
Satisfy goals and objectives: Quality assurance reports; Metrics; Post-implementation review reports
¹ William E. Perry, Auditing Information Systems: A Step-by-step Audit Approach, p. 46. EDP Auditors Foundation Audit Guide Series, 1983.
It is very important to note that it is not only the computer technology but also the use to which the technology is put which decides the type of evidence that the auditor will need to look into. The auditor would be well advised in this connection to (i) make an exhaustive list of all the evidence produced by the computerised application system (most of the information should be available even at the stage when the auditor spends time to understand the information system) and (ii) document the audit evidence. When documenting the evidence, the major points that the auditor should note would be: (1) Medium: it may be stored on a floppy, a hard disc or tape; (2) Location: the place where the computer media is stored; (3) Size and format: the size of the file as also the format of the records are important; (4) Period: the time for which the evidence would be stored before being discarded is very important. The auditor should ensure that the evidence is capable of being retained until such time as he requires it. The auditor should collect adequate information so that he would be able to develop his own software program or use a computer utility, so that he can analyse and list the electronic evidence for audit purposes.
STEP 5
Identify key control points
Key control points are points in a computer system where the risk is greatest and naturally control is most important. The generally accepted and easily usable strategies which can be adopted by the auditors are as follows:
i. Checklist
ii. Control flow charting
iii. Matrices
Questionnaires have many disadvantages, as they tend to be very long and hence difficult to analyse. The matrix is a good and effective strategy. This matrix provides a list of controls to protect information systems against possible vulnerabilities. Control flow-charts are most effective. The tasks involved are: (1) Locate the risks on the control flow chart; (2) Document the key controls on the control charts; (3) Locate the controls on the control flow chart. The auditor, who would have already identified the possible risks, must match these risks with that part of the information system in which the risk is the greatest. This matching would help in identifying the points where the risks need to be controlled, or where the key control points are incorporated in a computerised system.
Document key controls on the application flow chart
It would be necessary for the auditor to document the computer system's controls by concentrating on the key controls.
STEP 6
IDENTIFYING CONTROL WEAKNESSES
A weakness is a condition which in the auditor's opinion could result in a loss; once it is identified, it can be tested to determine the magnitude of the potential control weakness.
Documenting for control weakness identification
Unlike manual systems, which are inconsistent, computerised information systems are pre-determined and consistent. The three methods which could be used for documenting control weaknesses are (a) control flow charting, (b) the conflict matrix and (c) transactions-control matrices.
Preparation of a conflict matrix
This is an easy method for identifying when a single individual is vested with too much responsibility. The process involved in preparing the conflict matrix consists of, firstly, identifying the people who have an interest in the information system and, secondly, identifying conflicting connections by means of the ability they have to manipulate. The matrix is prepared by listing the connections on one axis and the people involved in the information systems on the other axis.
Preparation of transactions control matrix
Transactions which involve economic events like cash, bank, receipts and payments should be considered for this matrix. The economic events are recorded on one axis of the matrix while the information systems are recorded on the other axis. The controls covering each of these transactions are listed at the matrix intersections. This type of matrix has the advantage of documenting the compensating controls.
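The two matrices described above, worked as an added example (not the thesis's or Perry's own material): a people-by-duties conflict matrix is built and scanned for incompatible pairs of duties held by one person, and a transactions-control matrix is scanned for intersections with no control at all. The list of incompatible duties, the people and the control names are hypothetical, chosen to mirror the cases discussed earlier in this chapter.

```python
from itertools import combinations

# Hypothetical pairs of duties that should not rest with one individual.
INCOMPATIBLE_DUTIES = {
    frozenset({"maintain control totals", "pass cash entries"}),
    frozenset({"prepare invoices", "rectify rejected records"}),
    frozenset({"change programs", "operate computer"}),
    frozenset({"pass cash entries", "prepare bank reconciliation"}),
}


def build_conflict_matrix(people_duties):
    """people_duties: {person: set of duties}.
    Returns a 0/1 matrix {person: {duty: 0 or 1}} with people on one axis
    and their connections (duties) on the other."""
    duties = sorted({d for ds in people_duties.values() for d in ds})
    return {p: {d: int(d in ds) for d in duties} for p, ds in people_duties.items()}


def find_conflicts(matrix):
    """Return {person: [(duty_a, duty_b), ...]} for every person whose row
    holds at least one incompatible pair of duties."""
    conflicts = {}
    for person, row in matrix.items():
        held = [d for d, flag in row.items() if flag]
        bad = [tuple(sorted(pair)) for pair in combinations(held, 2)
               if frozenset(pair) in INCOMPATIBLE_DUTIES]
        if bad:
            conflicts[person] = sorted(bad)
    return conflicts


def find_uncontrolled_transactions(tcm):
    """tcm: {economic_event: {information_system: [controls]}}.
    Returns the (event, system) intersections with no control listed, which
    are the candidates for a control weakness."""
    return [(event, system)
            for event, row in tcm.items()
            for system, controls in row.items()
            if not controls]


# Constructed sample: one computer department clerk both keeps the control
# totals and passes cash entries, the combination behind the depot fraud.
SAMPLE_PEOPLE = {
    "control clerk (computer dept)": {"maintain control totals", "pass cash entries"},
    "depot clerk": {"pass cash entries"},
    "programmer": {"change programs"},
    "operator": {"operate computer"},
}

# Constructed transactions-control matrix: events on one axis, systems on the
# other, controls at the intersections; one intersection is left empty.
SAMPLE_TCM = {
    "cash receipt": {
        "cash book": ["pre-numbered receipt", "batch control total"],
        "bank reconciliation": [],
    },
    "sales invoice": {
        "invoicing": ["classification edit checks"],
        "sales ledger": ["control account agreement"],
    },
}

if __name__ == "__main__":
    print(find_conflicts(build_conflict_matrix(SAMPLE_PEOPLE)))
    print(find_uncontrolled_transactions(SAMPLE_TCM))
```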
Analyse and document potential control weaknesses
The control assessment consists of four ingredients.
First, identify the risk; the control flow chart could help in identifying the risk.
Second, determine the magnitude of the risk.
Third, determine the strength of the controls; each of the controls should be assessed individually to enable the auditor to assess how strong it is.
Fourth, identify the control weakness and document the same. The auditor should make a cost-benefit analysis to ensure that the cost of the control is not more than the magnitude of the loss due to the weakness.
Verifying the integrity of the computer files

The various steps in verifying the integrity of the computer files are:

i. Identifying the files for examination; this could be done by studying the systems flow chart. The files generally selected are those that would be needed to test control weaknesses.

ii. File documents

Save the needed computer files. It is necessary for the auditor, after having decided which file is needed, to ensure that the file will be available at the time he plans to conduct the test.

iii. Verify the integrity of the file

This is done to ensure that the data on the file is reconcilable to an independent control, such as a control total or its equivalent. Examples: control figures of subsidiary ledgers, overstatement of assets, understatement of liabilities. The file integrity test may be performed independently or in conjunction with other audit tests. It is very important to note that the file integrity test should be personally performed by the auditors. The auditor's independence would be lost if the tests were developed and performed by the data processing people or by the user department. However, where the auditor does not have the necessary skills, he could rely on a third party.

iv. Verify the integrity of the data on the file

The auditor may use software or a utility to take the data on the file and have it classified according to his requirements. Example: an accounts receivable file, classified as more than six months old, less than six months old, or balances which are beyond the authorised credit limits; inventories as items which have not moved for more than a year, or as an A, B, C analysis.
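The two tests described in steps iii and iv, worked through on a small accounts receivable file, as an added example (my code, not part of the thesis or of any audit package it mentions). The file records, the independent ledger control total and the reporting date are all constructed sample data; the record layout (customer, balance, oldest invoice date, credit limit) is an assumption.

```python
"""File-integrity test of an accounts receivable file: reconcile the file
total to an independent control total (step iii), then age the balances and
flag those beyond the authorised credit limit (step iv)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Receivable:
    customer: str
    balance: float       # open balance as held on the computer file
    invoice_date: date   # date of the oldest unpaid invoice
    credit_limit: float  # limit authorised for this customer


# Constructed accounts receivable file (assumed layout, not a real client's data).
AR_FILE = [
    Receivable("C001", 12_500.00, date(2023, 11, 2), 15_000.00),
    Receivable("C002", 4_200.00, date(2024, 4, 18), 5_000.00),
    Receivable("C003", 21_000.00, date(2024, 1, 9), 20_000.00),   # over its limit
    Receivable("C004", 800.00, date(2023, 9, 30), 2_000.00),      # long outstanding
]

# Independent control figure taken from the subsidiary ledger, i.e. from outside
# the file under test.  Constructed to disagree with the file by 500.
LEDGER_CONTROL_TOTAL = 38_000.00
AS_AT = date(2024, 6, 30)   # reporting date used for ageing


def reconcile(records, control_total, tolerance=0.005):
    """Step iii: compare the file total with the independent control total.
    Returns both totals, the difference and whether they reconcile."""
    file_total = round(sum(r.balance for r in records), 2)
    difference = round(file_total - control_total, 2)
    return {
        "file_total": file_total,
        "control_total": control_total,
        "difference": difference,
        "reconciled": abs(difference) <= tolerance,
    }


def months_between(earlier, later):
    """Whole calendar months from `earlier` to `later` (days ignored)."""
    return (later.year - earlier.year) * 12 + later.month - earlier.month


def classify(records, as_at):
    """Step iv: age each balance as more/less than six months old and list the
    customers whose balance exceeds the authorised credit limit."""
    buckets = {"over_six_months": [], "under_six_months": [], "beyond_credit_limit": []}
    for r in records:
        age_key = "over_six_months" if months_between(r.invoice_date, as_at) > 6 else "under_six_months"
        buckets[age_key].append(r.customer)
        if r.balance > r.credit_limit:
            buckets["beyond_credit_limit"].append(r.customer)
    return buckets


if __name__ == "__main__":
    print(reconcile(AR_FILE, LEDGER_CONTROL_TOTAL))
    print(classify(AR_FILE, AS_AT))
```

The reconciliation deliberately fails on the sample data (the file carries 500 more than the ledger control total), which is the situation step iii exists to surface before any further test is run on the file. The ageing uses whole calendar months, so a file classified on a different convention (days, or invoice due date) would need that one function changed.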
STEP 8
CONDUCT AN AUDIT TEST

In countries where computerisation has been in existence for more than 50 years, as in the case of the United States, Canada, Japan, Australia, etc., there is software in the category of generalised computer audit software. However, in our country such software is not available, and the necessary knowledge and skills to use such software are also absent. However, the auditors are not handicapped by the absence of such software. The controls used by the programmers and systems analysts to build in controls could be used by the auditors to conduct such tests.
STEP 9
CONCLUDING THE AUDIT

The objective of the audit is to evaluate the controls and give information on the adequacy or otherwise of the same. Hence, while concluding the audit, the auditor should determine the findings, develop recommendations and work out the details for the acceptance of those recommendations. The steps involved are:

(1) Develop audit findings; a finding is a comparison of the existing situation with an ideal situation. A finding should contain the following information:
(i) the factual situation observed by the auditor;
(ii) the criteria for judgment. The criteria in a computerised environment are the standards and guidelines and the well-defined implementable controls specific to each environment;
(iii) the effect of the condition. The auditor should compare the condition as it exists with the condition as it should exist and give an opinion on the effect it would have.

(2) Develop audit recommendations: it is advisable that the auditor should discuss his recommendations with the auditee. It is well said that the best recommendation is the one that has been accepted prior to its being presented.

Writing the Audit Report

The audit report should be short and bereft of terminology and jargon; it should contain a summary with explanatory material attached. The report should be positive and effective, giving suggestions about corrective actions to be taken in areas which have been prioritised.
ANALYSIS AND FINDINGS

A questionnaire based on the standard literature on audit approach was prepared. Leading firms of Chartered Accountants were also selected as the sample. All the firms and individual auditors have a wide variety of clients which include public limited companies, nationalised banks, etc. Almost all their clients have computers in their organisation. All the financial statements which are certified by these firms are prepared on the computer. A total sample of 30 auditors was selected.

The response to the questionnaire was personally collected. A summary of the responses received on the questionnaire is enclosed.

An analysis discloses that none of the auditors at present have the confidence or the skills to perform an audit in a computerised environment. Further, they certified that the financial statements which are outputs from computers represent a true and fair view of the affairs of the company. A detailed discussion with them reveals that they are ignorant of the specific controls in each type of computerised environment; they rely on the management personnel of their clients' organisations for the integrity of the information.

A further sample of 30 companies who are clients of one particular auditor's firm was chosen. These firms are dealt with by different partners who have their own assistants who are qualified chartered accountants. A more detailed study based on the questionnaire was performed. It was revealing to note that neither the juniors of the firm nor the seniors have made any attempt to study the controls in the computerised environment of their clients. In all the cases the auditors were not even aware of the type of computer that was in their client's organisation.

Information is an important asset of the organisation and the organisations are entirely dependent on the information produced by the computer. In all the organisations computerisation has been in existence for more than 15 years. The auditors were not aware of the possible risks involved. They claim that the integrity of the people associated with computers in their client's organisation was unquestionable and hence they have no reason to feel concerned. It was also claimed that they had not come across any fraud situation. I conducted an independent study of a sample of 30 organisations and had personal discussions with the senior members of the staff, both in the computer division as also in the finance departments. A statement is enclosed giving the risk factor involved. The computer-risk assessment procedure and the questionnaire have been adopted as suggested in the book "Auditing Computer Security - A Manual with Case Studies" by S. Rao Vallabhaneni; the data was gathered by providing the questionnaire to them earlier and meeting them later. The questionnaire was jointly compiled by me and the senior member of the computer department, who did it with the approval and knowledge of the Finance Controller.

The risk value and the criterion weight are not based on any scientific evidence; they are based on intuition and graded according to the intensity of the risk. The risk ranking working sheet was prepared (Annexure H).
SUGGESTIONS FOR ORGANISATIONS

Knowledge of the appropriate controls associated with specific computerised environments should be acquired by the auditors, whether they be internal or external. Managements, who have the primary responsibility for controls, should issue policies and guidelines in consultation with competent people, from within and from outside consultants. The policies and guidelines should clearly lay down the procedures regarding

- Organisational and administrative controls
- Documentation standards
- Maintenance of security and integrity of files and data
- Procedures for disaster recovery planning
- Nominating a group for constantly monitoring the implementation of policies and procedures and ensuring that they are updated in keeping with the changed circumstances.
SUGGESTIONS FOR AUDITORS

It is long overdue for the auditors to become computer-literate. It is essential for them to have a thorough knowledge of the control and security aspects associated with each computerised environment. This need for knowledge is immediate and long overdue. It would be desirable to have an EDP cell in all large audit firms. The staff of the EDP Cell need to be trained and kept up to date on current technology in computers.

Where it is not possible to have a separate cell, it would be advisable to rope in a consultant who has the necessary knowledge and experience. However, the auditor's basic responsibility for satisfying himself about the adequacy of controls cannot be relegated or delegated because of the non-availability of competent staff. Where knowledge adequate to meet the situation is not available in-house, it is recommended that outside assistance be sought. In special circumstances, when the evaluation of assets needs to be done and certified, it is not uncommon to engage a third party who is competent to do so to give a certificate, based upon which the auditors themselves authenticate the financial statement. The same procedure needs to be adopted immediately.

If auditors and organisations do not wake up to the situation, frauds of serious consequence would take place. The chapter describing the "scenario" in other parts of the world has a short description of the crimes and frauds that have been reported in countries such as the USA, UK and Australia.

Various charts depicting the average annual computer abuse loss and computer crime loss, and the relative seriousness of frauds, have been enclosed. These charts and reports should be eye-openers for the managements of organisations and for auditors to implement, post-haste, the audit of and in a computerised environment.
CHAPTER IX
SUMMARY, CONCLUSION AND RECOMMENDATIONS

This Chapter presents a summary of the conclusions and recommendations of the study, besides making useful recommendations on control standards and auditing procedures in a computerised environment.

AUDITING STANDARDS

International bodies like the American Institute of Certified Public Accountants, the Institute of Internal Auditors, USA, the Institute of Chartered Accountants of England and Wales, United Kingdom, and the EDPAA Foundation, USA, have issued official pronouncements regarding the auditing standards to be observed in a computerised environment. Though there may be no enforcing authority insisting on the auditors observing certain procedures, it is quite necessary for the auditors to change their approach and adopt appropriate tools and techniques while auditing in a computerised environment.

The innumerable instances of frauds which have occurred in a computerised environment reported elsewhere in the world (as mentioned in Chapter I) prove beyond doubt that it is absolutely imperative for the auditor to acquire adequate skills and competence. In the absence of such skill and competence, to certify that adequate controls commensurate with the size and nature of the organisation exist is meaningless. In addition, in the absence of adequate knowledge of the necessary internal controls in different computerised environments, the auditor will not be able to satisfy himself that the financial statements represent a true and fair view.
CONTROLS IN END-USER COMPUTING

The practice of end-user computing has been proliferating because the cost of hardware and software has been falling significantly and they have been becoming very user-friendly. In addition, more and more users have become computer-literate, and hence the usage of computers, especially PCs, by functional departments has become very common. However, the study reveals that there are no policies and procedures regarding control and security in a computerised environment. Well-accepted control procedures are absent. Neither the management nor the user is in full realisation of the consequences of installing end-user computing without implementing the necessary discipline which comes with it. Neither the internal auditors nor the external auditors have taken up the responsibility of reviewing whether the accepted procedures have been followed.
CONTROLS IN LAN

With the development of information technology and communication, and with the availability of communication software, many organisations have taken advantage of this concept. Needless to say, there are additional control features which need to be adhered to in a networked environment using advanced communication facilities. The networking environment is a few further steps on in technological development. The auditors in our country have not acquired adequate skills and competence even for auditing in a basic computerised environment. In view of this, they are not even aware of the necessary controls in a networked environment. Hence the question of the adequacy of auditing practices does not arise. The auditing standards as practised now are totally inadequate.
CONTROLS IN DATABASE MANAGEMENT SYSTEM

A database management system is an extremely useful technology and many vendor packages like ORACLE, INGRESS and SYBASE are in the market vying with each other; after realising the utility of DBMS, certain large organisations have implemented the same. However, a study of a sample number of organisations reveals that the control procedures and practices are in line with the accepted norms in toto. As regards the audit procedures, apart from the organisations reporting that neither the internal auditor nor the external auditor has ever reviewed their controls, the auditors themselves have conceded that they are not even aware of the control objectives and audit concerns, thus proving again the inadequacy of control practices and auditing standards in a computerised environment.
UNIX ENVIRONMENT

This particular operating system has been chosen because, when it was introduced, it had a number of loopholes. The organisations which introduced the system realised this after introduction and, by a process of trial and error in controls, are trying to plug the loopholes. A study of the practices in the organisations which have implemented UNIX reveals that all of them have had an unpleasant experience or two when the vulnerabilities in the operating system were exploited; by a process of evaluation, security is being built into this environment. However, in most of the organisations the system is not fool-proof. As regards the auditors, they are totally unaware of the concept of operating system vulnerabilities in general and of the UNIX operating system in particular.
DISASTER RECOVERY PLAN (DRP)

It is extremely important that once the systems have been computerised there should be a disaster recovery plan. There are well-established procedures and guidelines for evolving a plan, implementing it, maintaining it and constantly renewing it; it is an on-going process. However, in practice the organisations mostly do not go beyond maintaining a copy of the programs and data, and that too in the same building, in the same computer department, mostly in the cabin of the Systems Manager. The organisation, especially the computer department, is aware of the risks involved. However, the study reveals that neither the management nor the data processing departments have seriously done any thinking about evolving an effective disaster recovery plan. Auditors do not realise that information is an asset. While evaluating and verifying the existence of assets, information is left out of count. The fact that there is no insurance coverage other than for the hardware is totally lost sight of. In the absence of any knowledge of the contents of a disaster recovery plan, and also the absence of any awareness of the necessity for a disaster recovery plan, auditing involvement in evaluating the existence of a disaster recovery plan and its adequacy is totally absent.
SUMMARY AND CONCLUSIONS

An analysis of the appropriate controls in specific computerised environments reveals that they are far below acceptable norms. The concerned auditors, both internal and external, are totally ignorant. The analysis of the financial statements and the findings substantiate the NULL hypothesis that control standards are inadequate and auditing is invisible and hence inefficient.

Questionnaires for Physical security (Appendix A), Personnel security (Appendix B), Data security (Appendix C), Application software security (Appendix D), Systems software security (Appendix E), Telecommunication security (Appendix F) and Computer operation security (Appendix G) were used to collect data and quantify the risk assessment under each of the areas. The results as obtained are given in Table 10.1.*

The risk-ranking worksheet given in the table below was utilised.
Table - Risk-Ranking Worksheet

                                                 Risk Level
Computer Security Area              Low        Medium      High
Physical Security                   0-26       27-52       53-96
Personnel Security                  0-34       35-68       53-129
Data Security                       0-44       45-88       89-172
Applications Software Security      0-64       65-128      129-263
Systems Software Security           0-42       43-84       85-152
Telecommunications Security         0-39       40-78       79-138
Computer Operation Security         0-33       34-66       67-124
The data obtained was analysed utilising the norms provided in the above table. The analysis of the sample survey of 30 organisations was as given in the following table:

* Auditing Computer Security - A Manual with Case Studies by S. Rao Vallabhaneni, John Wiley & Sons, New York.
                                       Total No. of              Numbers in
Type of Security                       Organisations    Low Risk   Medium Risk   High Risk
Physical Security                      30               1          2             27
Personnel Security                     30               -          2             28
Data Security                          30               -          2             28
Application Software Security          30               -          2             28
Systems Software Security              30               -          1             29
Telecommunication Software Security    30               -          1             29
Computer Operations Security           30               1          -             29

It will be observed that out of the 30 organisations, 29 organisations were in the high risk category in the areas of systems software security, telecommunication software security and computer operations security. 28 of the 30 organisations were in the high risk category and two in the medium risk category in the areas of personnel security, data security and application software security. There was only one organisation in the low risk category and 2 organisations in the medium risk category, and the balance of 27 in the high risk category, under the category of physical security. It is of significance to note that out of the 30 organisations the one organisation which had low risk in 2 areas and medium risk in 6 areas was a multinational company which had auditors coming from abroad. The head office of the organisation in the U.S., which had offices all over the world, had laid down standard procedures and guidelines for security aspects and audit procedures.
ANALYSIS FOR RISK ASSESSMENT (Table 10.1)

Sl.   Physical   Personnel   Data       Application   Systems     Telecommu-   Computer
No.   Security   Security    Security   Software      Software    nication     Operations
                                        Security      Security    System       Security
                                                                  Security
      (1)        (2)         (3)        (4)           (5)         (6)          (7)
 1.   28         58          49         68            42          43           43
 2.   60         103         96         172           100         86           86
 3.   60         103         96         172           90          86           86
 4.   60         93          96         172           100         86           86
 5.   50         103         96         182           100         86           86
 6.   60         103         96         182           100         86           86
 7.   60         103         96         182           100         86           86
 8.   60         103         96         182           100         86           86
 9.   60         103         96         182           100         86           86
10.   60         103         96         182           100         86           86
11.   60         103         96         182           100         86           86
12.   60         103         96         182           100         86           86
13.   60         103         96         182           100         86           86
14.   60         103         96         182           100         86           86
15.   60         103         96         182           100         86           86
16.   60         103         96         172           100         86           86
17.   60         103         96         172           100         86           86
18.   60         103         96         172           100         86           86
19.   60         103         96         172           100         86           86
20.   60         103         96         172           100         86           86
21.   60         103         96         172           100         86           86
22.   60         103         96         172           100         86           86
23.   60         103         96         172           100         86           86
24.   60         103         96         172           100         86           86
25.   60         103         96         172           100         86           86
26.   60         103         96         172           100         86           86
27.   60         103         96         172           100         86           86
28.   60         103         96         172           100         86           86
29.   60         103         96         172           100         86           86
30.   60         103         96         172           100         86           86
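How the risk-ranking worksheet turns an area score into a Low / Medium / High rating, and how the per-area ratings are tallied into the summary table, as an added example (my code, not the thesis's own worksheet or any tool it used). The band limits are copied from the worksheet above; the organisation scores in the sample are constructed, not the thesis's Table 10.1 data. One assumption is flagged in the code: the worksheet as printed gives Personnel Security's High band as 53-129, overlapping its Medium band 35-68, so the example treats High as starting at 69, the pattern every other row follows.

```python
"""Risk-ranking worksheet: classify per-area computer-security scores and
tally organisations per risk level, as in the thesis's summary table."""

# Band limits copied from the worksheet: (low_max, medium_max, high_max).
# A score s rates Low if s <= low_max, Medium if s <= medium_max, else High.
# Assumption: the worksheet's Personnel Security row prints High as 53-129,
# overlapping Medium 35-68; High is taken here to begin at medium_max + 1
# (69), as every other row does.
BANDS = {
    "Physical Security": (26, 52, 96),
    "Personnel Security": (34, 68, 129),
    "Data Security": (44, 88, 172),
    "Applications Software Security": (64, 128, 263),
    "Systems Software Security": (42, 84, 152),
    "Telecommunications Security": (39, 78, 138),
    "Computer Operation Security": (33, 66, 124),
}


def risk_level(area, score):
    """Map one area score onto Low / Medium / High using the worksheet bands.
    Scores outside the worksheet's 0..high_max range are rejected rather than
    silently rated, since they indicate a mis-summed questionnaire."""
    low_max, medium_max, high_max = BANDS[area]
    if score < 0 or score > high_max:
        raise ValueError(f"{area}: score {score} outside worksheet range 0-{high_max}")
    if score <= low_max:
        return "Low"
    if score <= medium_max:
        return "Medium"
    return "High"


def high_risk_areas(org_scores):
    """Areas rated High for one organisation, i.e. the ones the audit report
    should prioritise for corrective action."""
    return sorted(area for area, s in org_scores.items() if risk_level(area, s) == "High")


def tally(assessments):
    """assessments: one {area: score} dict per organisation.
    Returns {area: {"Low": n, "Medium": n, "High": n}} like the summary table."""
    counts = {area: {"Low": 0, "Medium": 0, "High": 0} for area in BANDS}
    for org in assessments:
        for area, score in org.items():
            counts[area][risk_level(area, score)] += 1
    return counts


# Constructed sample: four organisations scored in three areas, chosen so that
# every band is exercised.  Not the thesis's survey data.
SAMPLE = [
    {"Physical Security": 20, "Personnel Security": 40, "Data Security": 49},
    {"Physical Security": 60, "Personnel Security": 103, "Data Security": 96},
    {"Physical Security": 50, "Personnel Security": 93, "Data Security": 96},
    {"Physical Security": 60, "Personnel Security": 103, "Data Security": 20},
]


if __name__ == "__main__":
    for area, row in tally(SAMPLE).items():
        if any(row.values()):
            print(f"{area:32s} {row}")
    print("Organisation 2 high-risk areas:", high_risk_areas(SAMPLE[1]))
```

Only areas that actually appear in an organisation's scores are counted, so a partially completed questionnaire contributes to the tally only where it was answered; the range check in `risk_level` is what catches a questionnaire whose criterion weights were summed wrongly before it distorts the summary.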
AUDIT APPROACH AND RECOMMENDATION

AUDIT APPROACH
A study of the general approach <strong>in</strong> a <strong>computerised</strong> <strong>environment</strong> reveal that<br />
auditors of large organisations which have complex computer <strong>environment</strong> have not<br />
followed any of the accepted procedures. As a matter of fact, the <strong>controls</strong> of the<br />
general questionnaire seemed <strong>in</strong>comprehensible responses to them. Questionnarie <strong>in</strong><br />
Appendix I was negative <strong>in</strong> all the cases. The general new expressed was that senior<br />
executive <strong>in</strong> charge of computer operations <strong>in</strong> their client's offices were very<br />
competent <strong>and</strong> reliable. Aga<strong>in</strong> apan from the support<strong>in</strong>g evidence collected from<br />
well known auditors it was supported by their clients also. They had no hesitation <strong>in</strong><br />
stat<strong>in</strong>g that the <strong>controls</strong> <strong>in</strong> a <strong>computerised</strong> <strong>environment</strong> have never been evaluated<br />
either by the <strong>in</strong>ternal auditors or the external auditors. A study of the <strong>controls</strong> <strong>and</strong><br />
the <strong>audit<strong>in</strong>g</strong> st<strong>and</strong>ards supports the NULL hypothesis, <strong>controls</strong> are <strong>in</strong>sufficient <strong>and</strong><br />
<strong>audit<strong>in</strong>g</strong> st<strong>and</strong>ards are woefully <strong>in</strong>adequate.<br />
RECOMMENDATIONS<br />
It is more than overdue that the management and the auditors should realise the impact of computerisation on auditing. While the objectives of auditing have not changed, the means of achieving those goals and objectives have definitely changed. Hence, it is necessary for the management to ensure that the controls in the computerised environment introduced in their organisation are adequate. They should also be seized with the necessity for a disaster recovery plan. With these objectives, they should equip their internal audit department with staff competent to evaluate the adequacy of controls. In case it is not possible for them to immediately train the personnel of the internal audit department to acquire adequate skills and competence, they should include in the audit team an information technologist who is competent and knowledgeable of the specific computerised environment in their organisation. In the absence of such staff, the possibility of frauds associated with the computerised environment cannot be ruled out. It is better to take preventive steps. As computers are sophisticated, knowledgeable computer personnel with fraudulent intentions may hold the organisation to ransom. Apart from financial loss, the organisation would also suffer loss of image.
The statutory auditors cannot hope to protect themselves for improper discharge of their duties as auditors in a computerised environment. The absence of auditing standards which make it obligatory to observe certain procedures may not preclude their being sued for negligence. The auditors should equip themselves to meet the challenges of fast-changing technology. It is recommended that large auditing firms should have an EDP Cell. Its personnel should consist of people knowledgeable about general and application controls in a computerised environment, as also of controls specific to certain computerised environments. Their skills, combined with the experience of auditors, would help to discharge the responsibility to the management, the shareholders and the public. They should also consider seeking the services of specialists in the field and relying on the specialists' opinion regarding the adequacy of controls.
Technology is developing very fast. Even in the existing computer environment, controls are not satisfactory and auditing methods are inappropriate. In the following pages, a brief review of the Emerging Technologies is provided to highlight the widening gap between the development of technology and controls and auditing standards.

EMERGING TECHNOLOGIES
To remain competitive and be able to respond quickly to global markets, organisations need to change, and they are changing. The concept of tele-commuting from anywhere in the world to any other place in the world, and to one's office in the home town, has become a reality and a necessity. It is possible to have a personal computer networked into the office systems. This in turn would have access to electronic mail and the support of a fax facility. This gives enormous power to the user; he is able to obtain information from the system. Along with the advantage there is a disadvantage, in that it provides the user with the capacity to destroy or modify any information. This leads to a situation where data security becomes a major issue. The Institute of Internal Auditors Research Foundation of the United States of America, in its research project "Systems Auditability and Control Report", as reported in Appendix A of Module II, has analysed the most frequently reported risks for information technology components. One of the components considered is emerging technologies; the survey findings and observations relating to emerging technologies are as follows:

Most frequently reported risks for Information Technology Components:
* "Forty six per cent of the 254 respondents indicated that one of the highest risks is unauthorised access or changes to data or systems. Of this 46% (117 respondents), 30% felt the risk would decrease in the future, 25% felt there would be no change, and 45% said it would increase."
Emerging technologies have been classified under the following heads:
i. Development
ii. Storage
iii. Personnel
iv. Communications
v. Data base
vi. Interface
vii. Knowledge based systems
Development methodology
Examination has been made of the emerging technologies that support application system development, i.e. the technology which facilitates the development of systems and the corresponding programmes. The two main points which have been considered are:
i. CASE (Computer Aided Software Engineering) and
ii. OOP (Object Oriented Programming)

i. CASE
It is a software technology which has been developed to increase productivity and improve software quality. This has been achieved by the introduction of product standards and analysis. The usage of CASE technology is also expected to decrease the cost of documentation and maintenance of application systems.
Generally the CASE products are classified under two heads:
i. Upper CASE: This deals with strategic planning to requirements definition, prototyping and systems module design.
ii. Lower CASE: This deals with code designing and code generation, and testing for maintenance.
It is reported that the most widely used CASE tools are analysis workbenches, auditors, debuggers, compilers and test tools. It is reported further that the code generators are very specific and may even produce up to 85% of the code for a given application. It is reported that great saving will be realised in maintenance. Automatic production of documentation is a much appreciated incentive where large products of system development are involved. It is reported that this has been greatly appreciated by the US Department of Defence programmers. Use of CASE technology has been found to be useful in re-engineering. Re-engineering is a process by which existing software systems are modernised so that their functional lives may be prolonged as well as preserved. The value of the existing system for re-engineering consists of three components, viz.:
i. Reverse engineering
ii. Forward engineering
iii. Code generation

In the first phase, viz. reverse engineering, the system as it exists is analysed in detail and categorised into its component definitions. In forward engineering, the existing system is functionally enhanced to a new technology platform. In the final phase, viz. code generation, the programmer generates the needed code from the component definitions.
While in America it is reported that CASE tools are extensively used, it must be observed that even in our own country leading software consultants are making extensive use of these tools while offering their services to various organisations for software development. The tool has certain risks, controls and audit considerations associated with its usage. They are as follows:
i. Auditability
ii. Accuracy
iii. Integrity

The CASE environment and maintenance
Certain tools provide for data integrity by including validation and authorised access. If these tools are not properly managed, it would result in loss of data integrity. CASE tools need to be used consistently. If they are used inconsistently to define business tools, it would lead to the development of improper systems, which in turn would lead to significant business risk.
SECURITY
It is very important to protect proprietary data from unauthorised access. If such protection is not there, it would lead to proprietary and strategic data being disclosed to unauthorised people, which may result in a business risk.
STANDARDS
There are no common standards for all CASE tools. This may lead to a situation where different CASE tools with differing standards are used in the same environment. This may cause incompatibility and duplication of effort.
ADMINISTRATION
Proper use of CASE information is absolutely necessary. To achieve this, there has to be effective administration and control of user access. When CASE tools are used for reverse engineering, the main objective is to create new and important versions of software. In the absence of adequate administrative procedures there is a possibility that multiple versions of the same software may be created, which may result in confusion.

Costs associated with the implementation of CASE should be justified from the angle of the benefits arising therefrom.
CONTROLS
CASE tools themselves have facilities and features for control purposes. These could be effectively utilised for implementing controls in a CASE environment. Some of the controls are as follows:

To obtain accurate and complete documentation, the repository can be utilised as an effective control tool. CASE tools have their own access control features. These can be utilised to enforce only authorised access to the information in a CASE environment.

The risk of inadvertent data corruption can be reduced, and productivity improved, by using the functions of CASE tools which have their own rules for maintaining data integrity, validation and access.

Risks associated with data accuracy and integrity could be mitigated by having end-user involvement while the systems are being developed.

Use of change management procedures in the systems development process is another important control in the CASE environment. Many CASE tools have version control features as well as authorisation and sign-off functions.
CASE tools for auditors
An auditor could perform specific audit tasks by utilising CASE features and functions. Given below are some examples of situations in which the auditor could use CASE tools.
i. The system can be understood and the controls documented by making use of the repository as an information source. When the question of "re-use" arises, the repository could be used as an audit trail. It is necessary for the auditor to become familiar with CASE tools, as these tools represent possible increased risks. However, by understanding and mastering these tools the auditor could use them as control and auditing tools.
OBJECT ORIENTED SOFTWARE
In conventional programming the approach to problem solving was procedural, while in object oriented programming it is not so. Mr. Grady Booch, an Ada expert, sums up the difference between object oriented programming and procedural programming as follows: "Write the specifications of the software you want to build; underline the verbs if you are after procedural code, nouns if you aim for an object oriented program."
RISKS AND CONTROLS
Object oriented software is a totally new technology, and there are certain inherent risks. Some of the risks are: there is concern regarding the accuracy and integrity of the contents of the objects, as implementations of OOP stress that the content of an object can be "hidden" from the program. If careful management procedures are not applied, there is a risk that the accuracy and integrity of the libraries associated with OOP may become questionable. It is likely that the implementation of OOP may then cause a degradation of performance.

However, these new technologies provide the possibility of applying innovative approaches and implementing new and more reliable controls.

The techniques for implementing controls in an OOP environment are totally different from those for traditional programming. The auditor must have adequate knowledge to understand and evaluate controls in this new technology.
STORAGE TECHNOLOGY
Magnetic storage has been the traditional medium of storage. Recent developments have proved that optical storage is technically better and provides many more attractive benefits, like greater storage capacity, longer storage life and better error detection and correction mechanisms. However, there are certain risks associated with this technology, like increased exposure to data loss or theft. This is due to the smaller size of the medium.
PROCESS TECHNOLOGY
Even in the area of processing technology there have been emerging trends, and the two main technologies are (i) co-operative processing and (ii) fault tolerant computers.

i. Co-operative processing
In co-operative processing, machines have separate portions of an application. However, they work together to accomplish a common processing objective. Data that resides on computers in different locations is accessed. In a co-operative processing environment the processing power and data are distributed across a computer network.
Risks, controls and audit considerations
Co-operative processing technology works in a multi-processor or multiple-machine environment, which leads to the boundaries of the applications being less discrete than those of traditional processing applications.

Audit accuracy and integrity: Because many different hardware and software environments are involved, there is a possibility of risk of incompatible versions and unsatisfactory change management procedures.

In view of different locations being used, there is replication of data and files. There is a possibility of risk of these files not being properly synchronised with the master copy.

In co-operative processing, data is moved from the mainframe to microcomputers. These microcomputers may not have adequate CASE controls to protect data from unauthorised use.

RECOVERY AND BACKUP
Recovery and backup procedures require more detailed planning.
ERROR HANDLING AND ADMINISTRATION
The error handling process would be compromised if there are not sufficient controls. However, there are controls which could minimise, if not eliminate, these risks. Some of them are as follows:

When an information system spans multiple computing environments, special care should be taken to ensure adequate co-ordination of activity. The designers and implementors should take adequate steps to minimise the risk of un-co-ordinated processing and to mitigate the risk of absence of synchronisation. Special software could be designed; it should automatically modify all tables and files at periodical intervals. Change management procedures should be controlled strictly.

As restart and recovery procedures are complicated, the designers, developers and users should ensure that the co-operative processing software has features and functions which will facilitate recoverability.

AUDITORS
The auditor should be aware of the inherent risks and assure himself that there are adequate controls which would minimise the risks. Co-operative processing will require new audit trail and system recoverability controls.
APPENDIX - A
Risk Assessment Worksheet for Physical Security [1]
Company/Division/Unit:
Name of the Organisation:
Date:

Criterion                                        Risk Criterion Value x Weight = Total risk score

1. Are standards, policies and guidelines about physical security distributed to employees? If so, are they adequate and up-to-date?
( ) Yes - Fully adequate and up-to-date: 1.0 x 4.0 =
( ) Yes - Reasonably adequate and up-to-date but need improvement: 2.0 x 4.0 =
( ) Not distributed - Inadequate and not up-to-date: 3.0 x 4.0 =

2. Are physical access controls (e.g. locks, cards, badges, security guards, television monitors) available? If so, are they adequate and effective?
( ) Yes - Fully adequate and effective: 1.0 x 5.0 =
( ) Yes - Reasonably adequate and effective but need improvement: 2.0 x 5.0 =
( ) Yes/No - Totally inadequate and ineffective: 4.0 x 5.0 =

[1] Adapted from Computer Security - A Manual with Case Studies by S. Rao Vallabhaneni.
3. Status of environmental controls (air conditioning, heat, dust, humidity)
( ) Always in compliance with suggested guidelines: 1.0 x 4.0 =
( ) Not always in compliance with suggested guidelines: 2.0 x 4.0 =
( ) Not monitored most of the time: 4.0 x 4.0 =

4. Are good housekeeping and security related procedures distributed to employees? If so, are they up-to-date and followed?
( ) Yes - Up-to-date and followed: 1.0 x 4.0 =
( ) Yes - Reasonably up-to-date, followed most of the time: 2.0 x 4.0 =
( ) Not distributed, not up-to-date and not followed: 3.0 x 4.0 =

5. Time since last audit:
( ) Less than one year: 1.0 x 4.0 =
( ) Less than two years: 2.0 x 4.0 =
( ) Two years or more: 4.0 x 4.0 =

6. Last audit results:
( ) Good controls: 1.0 x 5.0 =
( ) Adequate controls, but need improvement: 2.0 x 5.0 =
( ) Inadequate controls: 4.0 x 5.0 =

Total score for physical security category:
APPENDIX - B
Risk Assessment Worksheet for Personnel Security [1]
Company/Division/Unit:
Name of the Organisation:
Date:

Criterion                                        Risk Criterion Value x Weight = Total risk score

1. Are standards, policies and guidelines about personnel security distributed to employees? If so, are they adequate and up-to-date?
( ) Yes - Fully adequate and up-to-date: 1.0 x 4.0 =
( ) Yes - Reasonably adequate and up-to-date but need improvement: 2.0 x 4.0 =
( ) Not distributed - Inadequate and not up-to-date: 3.0 x 4.0 =

2. Are employment verifications performed prior to hire?
( ) Yes - Always: 1.0 x 5.0 =
( ) Yes - On selective basis: 2.0 x 5.0 =
( ) Yes/No - Only when time and memory permit: 4.0 x 5.0 =

3. Are legal, education, credit, and police verifications performed prior to hire?
( ) Yes - Always: 1.0 x 4.0 =
( ) Yes - On selective basis: 2.0 x 4.0 =
( ) Yes/No - Only when time and memory permit: 4.0 x 4.0 =

4. Are employees required to sign a conflict-of-interest or code-of-conduct statement at the time of hire?
( ) Yes - Always: 1.0 x 3.0 =
( ) Yes - On selective basis: 2.0 x 3.0 =
( ) Yes/No - Only when time and memory permit: 4.0 x 3.0 =

[1] Adapted from Computer Security - A Manual with Case Studies by S. Rao Vallabhaneni.
5. Are employees required to sign nondisclosure statements with respect to passwords and other system information at the time of hire?
( ) Yes - Always: 1.0 x 6.0 =
( ) Yes - On selective basis: 2.0 x 6.0 =
( ) Yes/No - Only when time and memory permit: 4.0 x 6.0 =

6. Are all employees frequently reminded of their responsibilities in the area of computer security?
( ) Periodically: 1.0 x 3.0 =
( ) Not regularly: 2.0 x 3.0 =
( ) Only on an individual basis when an improper action is taken by that employee: 3.0 x 3.0 =

7. Time since last audit:
( ) Less than one year: 1.0 x 4.0 =
( ) Less than two years: 2.0 x 4.0 =
( ) Two years or more: 4.0 x 4.0 =

8. Last audit results:
( ) Good controls: 1.0 x 5.0 =
( ) Adequate controls, but need improvement: 2.0 x 5.0 =
( ) Inadequate controls: 4.0 x 5.0 =

Total score for personnel security category:
APPENDIX - C
Risk Assessment Worksheet for Data Security [1]
Company/Division/Unit:
Name of the Organisation:
Date:

Criterion                                        Risk Criterion Value x Weight = Total risk score

1. Are standards, policies and guidelines about personnel security distributed to employees? If so, are they adequate and up-to-date?
( ) Yes - Fully adequate and up-to-date: 1.0 x 4.0 =
( ) Yes - Reasonably adequate and up-to-date but need improvement: 2.0 x 4.0 =
( ) Not distributed - Inadequate and not up-to-date: 3.0 x 4.0 =

2. Is access control security systems software in place, and is it used effectively to control access to data files?
( ) Yes - Used effectively: 1.0 x 6.0 =
( ) Yes - Not used effectively: 2.0 x 6.0 =
( ) Not in place: 4.0 x 6.0 =

3. Are the access rules or privileges established in the security software for accessing data files always in line with employee job duties?
( ) Yes - Always: 1.0 x 6.0 =
( ) Usually - Not a major problem: 2.0 x 6.0 =
( ) No - A major problem from an operations viewpoint: 4.0 x 6.0 =

[1] Adapted from Computer Security - A Manual with Case Studies by S. Rao Vallabhaneni.
4. Are data/system owners established for all critical and sensitive data files?
( ) Yes - Always: 1.0 x 6.0 =
( ) Usually - Not a major problem: 2.0 x 6.0 =
( ) No - A major problem from an operations viewpoint: 4.0 x 6.0 =

5. Are data/system custodians established for all critical and sensitive data files?
( ) Yes - Always: 1.0 x 5.0 =
( ) Usually - Not a major problem: 2.0 x 5.0 =
( ) No - A major problem from an operations viewpoint: 4.0 x 5.0 =

6. Are data/system users established for all critical and sensitive data files?
( ) Yes - Always: 1.0 x 4.0 =
( ) Usually - Not a major problem: 2.0 x 4.0 =
( ) No - A major problem from an operations viewpoint: 4.0 x 4.0 =

7. Do data/system users need permission from data/system owners before making changes to all critical and sensitive data files and programs?
( ) Yes - Always: 1.0 x 4.0 =
( ) Yes - Permission is delegated: 2.0 x 4.0 =
( ) Permission is not obtained - A major problem from an operations viewpoint: 4.0 x 4.0 =

8. Time since last audit:
( ) Less than one year: 1.0 x 4.0 =
( ) Less than two years: 2.0 x 4.0 =
( ) Two years or more: 4.0 x 4.0 =

9. Last audit results:
( ) Good controls: 1.0 x 5.0 =
( ) Adequate controls, but need improvement: 2.0 x 5.0 =
( ) Inadequate controls: 4.0 x 5.0 =

Total score for data security category:
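The scoring scheme that Appendices A to D share, carried out in Python as an added example (not code from the thesis or from Vallabhaneni's manual): the ticked option's risk value is multiplied by the criterion weight, the products are summed into the category score, and the total is placed against the best and worst totals the worksheet allows. The criteria, values and weights are transcribed from the Appendix A physical security worksheet; the sample answers are constructed.

```python
# Constructed example: scoring one of the thesis's risk assessment worksheets.
# Each criterion is answered by ticking one option; the option's risk value is
# multiplied by the criterion's weight and the products are added up into the
# category score. Criteria, values and weights below are those of Appendix A.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Option:
    label: str
    risk_value: float  # "Risk Criterion Value" column of the worksheet


@dataclass(frozen=True)
class Criterion:
    number: int
    question: str
    weight: float                 # "Weight" column
    options: Tuple[Option, ...]   # ordered from lowest to highest risk


@dataclass(frozen=True)
class Row:
    number: int
    risk_value: float
    weight: float
    score: float  # risk_value x weight, the "Total risk score" cell


PHYSICAL_SECURITY: Tuple[Criterion, ...] = (
    Criterion(1, "Physical security standards distributed, adequate, up-to-date?", 4.0, (
        Option("Yes - fully adequate and up-to-date", 1.0),
        Option("Yes - reasonably adequate but need improvement", 2.0),
        Option("Not distributed - inadequate and not up-to-date", 3.0))),
    Criterion(2, "Physical access controls available, adequate and effective?", 5.0, (
        Option("Yes - fully adequate and effective", 1.0),
        Option("Yes - reasonably adequate but need improvement", 2.0),
        Option("Yes/No - totally inadequate and ineffective", 4.0))),
    Criterion(3, "Status of environmental controls", 4.0, (
        Option("Always in compliance with suggested guidelines", 1.0),
        Option("Not always in compliance with suggested guidelines", 2.0),
        Option("Not monitored most of the time", 4.0))),
    Criterion(4, "Housekeeping and security procedures distributed and followed?", 4.0, (
        Option("Yes - up-to-date and followed", 1.0),
        Option("Yes - reasonably up-to-date, followed most of the time", 2.0),
        Option("Not distributed, not up-to-date and not followed", 3.0))),
    Criterion(5, "Time since last audit", 4.0, (
        Option("Less than one year", 1.0),
        Option("Less than two years", 2.0),
        Option("Two years or more", 4.0))),
    Criterion(6, "Last audit results", 5.0, (
        Option("Good controls", 1.0),
        Option("Adequate controls, but need improvement", 2.0),
        Option("Inadequate controls", 4.0))),
)


def score_worksheet(criteria: Tuple[Criterion, ...], answers: Dict[int, int]) -> dict:
    """Fill in the worksheet from answers {criterion number: index of ticked option}.

    Every criterion must be answered exactly once, so a half-filled worksheet is
    rejected instead of being reported as a low-risk one.
    """
    expected = {c.number for c in criteria}
    if set(answers) != expected:
        raise ValueError(f"unanswered criteria {sorted(expected - set(answers))}, "
                         f"unknown criteria {sorted(set(answers) - expected)}")
    rows: List[Row] = []
    for c in criteria:
        idx = answers[c.number]
        if not 0 <= idx < len(c.options):
            raise ValueError(f"criterion {c.number}: option index {idx} out of range")
        value = c.options[idx].risk_value
        rows.append(Row(c.number, value, c.weight, value * c.weight))
    total = sum(r.score for r in rows)
    # Best and worst achievable totals make the score comparable between worksheets
    # whose weights differ (e.g. Appendix C weights access control software at 6.0).
    minimum = sum(min(o.risk_value for o in c.options) * c.weight for c in criteria)
    maximum = sum(max(o.risk_value for o in c.options) * c.weight for c in criteria)
    return {"rows": rows, "total": total, "minimum": minimum, "maximum": maximum,
            "normalised": (total - minimum) / (maximum - minimum)}


def rank_contributions(result: dict) -> List[Row]:
    """Rows ordered by their share of the total: the first entries are the criteria
    where improving the control would reduce the category score the most."""
    return sorted(result["rows"], key=lambda r: (-r.score, r.number))


# Constructed answers for a hypothetical site, not survey data from the thesis.
SAMPLE_ANSWERS = {1: 1, 2: 0, 3: 2, 4: 1, 5: 2, 6: 1}

if __name__ == "__main__":
    res = score_worksheet(PHYSICAL_SECURITY, SAMPLE_ANSWERS)
    for r in rank_contributions(res):
        print(f"{r.number}. {r.risk_value:.1f} x {r.weight:.1f} = {r.score:4.1f}")
    print(f"Total score for physical security category: {res['total']:.1f} "
          f"(possible range {res['minimum']:.1f} to {res['maximum']:.1f}, "
          f"{res['normalised']:.0%} of the way to the worst case)")
```

The same `Criterion` tuples can be written for the personnel, data and application software worksheets; only the questions, values and weights change.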
APPENDIX - D
Risk Assessment Worksheet for Application Software Security [1]
Company/Division/Unit:
Name of the Organisation:
Date:

Criterion                                        Risk Criterion Value x Weight = Total risk score

1. Are standards, policies and guidelines about personnel security distributed to employees? If so, are they adequate and up-to-date?
( ) Yes - Fully adequate and up-to-date: 1.0 x 4.0 =
( ) Yes - Reasonably adequate and up-to-date but need improvement: 2.0 x 4.0 =
( ) Not distributed - Inadequate and not up-to-date: 3.0 x 4.0 =

2. Is access control security systems software in place, and is it used effectively to control access to program files?
( ) Yes - Used effectively: 1.0 x 6.0 =
( ) Yes - Not used effectively: 2.0 x 6.0 =
( ) Not in place: 4.0 x 6.0 =

3. Are the access rules or privileges established in the security software for accessing program files always in line with employee job duties?
( ) Yes - Always: 1.0 x 6.0 =
( ) Usually - Not a major problem: 2.0 x 6.0 =
( ) No - A major problem from an operations viewpoint: 4.0 x 6.0 =

[1] Adapted from Computer Security - A Manual with Case Studies by S. Rao Vallabhaneni.
4. Are computer security requirements made explicit during new system development and maintenance work?
( ) Yes - Always: 1.0 x 6.0 =
( ) Yes - But not always: 2.0 x 6.0 =
( ) No - Only when time and memory permit: 4.0 x 6.0 =

5. Do functional users, auditors, EDP quality assurance staff, and EDP security staff participate in system development and maintenance?
( ) Yes - Users, auditors, EDP quality assurance staff, and EDP security staff participate: 1.0 x 4.0 =
( ) Usually only users participate - Not others: 2.0 x 4.0 =
( ) No user, auditor, EDP quality assurance staff, or EDP security staff participation: 4.0 x 4.0 =

6. Is a system development and maintenance methodology used?
( ) Followed consistently: 1.0 x 5.0 =
( ) ...: 2.0 x 5.0 =
( ) Not followed at all: 4.0 x 5.0 =

7. Is purchased software used?
( ) Yes - With no major changes: 1.0 x 5.0 =
( ) Yes - With minor changes: 2.0 x 5.0 =
( ) Yes - With major changes and combined with in-house development: 4.0 x 5.0 =

8. Are systems planned to be developed and maintained by end-users using fourth generation languages, application/program generators, or other methods?
( ) No: 1.0 x 7.0 =
( ) Yes - With the help of DP staff: 2.0 x 7.0 =
( ) Yes - Without the help of DP staff: 5.0 x 7.0 =

Total risk score:
9. Are the systems planned to be prototyped?<br />
   ( ) No - or later discarded                                          1.0 x 8.0 = ____<br />
   ( ) Yes - with full-scale implementation of the system development life cycle (SDLC)   2.0 x 8.0 = ____<br />
   ( ) Yes - later moved to production without following SDLC procedures   5.0 x 8.0 = ____<br />
10. Are regulatory agency requirements for the systems met?<br />
   ( ) No reports sent to an agency                                     1.0 x 4.0 = ____<br />
   ( ) One agency gets reports                                          2.0 x 4.0 = ____<br />
   ( ) More than one agency gets reports                                3.0 x 4.0 = ____<br />
11. Time since last audit:<br />
   ( ) Less than one year                                               1.0 x 4.0 = ____<br />
   ( ) Less than two years                                              2.0 x 4.0 = ____<br />
   ( ) Two years or more                                                4.0 x 4.0 = ____<br />
12. Last audit results:<br />
   ( ) Good controls                                                    1.0 x 5.0 = ____<br />
   ( ) Adequate controls, but need improvement                          2.0 x 5.0 = ____<br />
   ( ) Inadequate controls                                              4.0 x 5.0 = ____<br />
Total score for applications software security category: ____
APPENDIX E<br />
Risk Assessment Worksheet for Systems Software Security¹<br />
Company/Division/Unit: ____<br />
Name of the organisation assessed: ____      Date: ____<br />
Criterion                                                              Risk Value x Criterion Weight = Total Risk Score<br />
1. Are standards, policies and guidelines about systems software security distributed to employees? If so, are they adequate and up-to-date?<br />
   ( ) Yes - fully adequate and up-to-date                              1.0 x 4.0 = ____<br />
   ( ) Yes - reasonably adequate and up-to-date but need improvement    2.0 x 4.0 = ____<br />
   ( ) Not distributed - inadequate and not up-to-date                  3.0 x 4.0 = ____<br />
2. Is access control security systems software in place, and is it used effectively to control access to operating system and data base programs, and data/system files?<br />
   ( ) Yes - used effectively                                           1.0 x 6.0 = ____<br />
   ( ) Yes - not used effectively                                       2.0 x 6.0 = ____<br />
   ( ) Not in place                                                     4.0 x 6.0 = ____<br />
3. Are appropriate system management facility (SMF) records logged by the operating system to support the security software, and are the logs reviewed?<br />
   ( ) Logged and reviewed                                              1.0 x 4.0 = ____<br />
   ( ) Logged and not reviewed                                          2.0 x 4.0 = ____<br />
   ( ) Not logged at all                                                3.0 x 4.0 = ____<br />
4. Are the access rules or privileges established in the security software for accessing operating system and data base programs and data files always in line with employee job duties?<br />
   ( ) Yes - always                                                     1.0 x 6.0 = ____<br />
   ( ) Usually - not a major problem                                    2.0 x 6.0 = ____<br />
   ( ) No - a major problem from an operations viewpoint                4.0 x 6.0 = ____<br />
¹ Adapted from Computer Security - A Manual with Case Studies by S. Rao Vallabhaneni.
5. Are user exits employed in the systems software implementation and operation?<br />
   ( ) No                                                               1.0 x 5.0 = ____<br />
   ( ) Yes - in a few cases                                             2.0 x 5.0 = ____<br />
   ( ) Yes - in many cases                                              4.0 x 5.0 = ____<br />
6. Are powerful utility programs protected and controlled properly?<br />
   ( ) Yes                                                              1.0 x 4.0 = ____<br />
   ( ) Usually yes                                                      2.0 x 4.0 = ____<br />
   ( ) No                                                               3.0 x 4.0 = ____<br />
7. Are options and parameters in systems software products properly selected, used, and logged?<br />
   ( ) Yes                                                              1.0 x 4.0 = ____<br />
   ( ) Usually yes                                                      2.0 x 4.0 = ____<br />
   ( ) No                                                               3.0 x 4.0 = ____<br />
8. Time since last audit:<br />
   ( ) Less than one year                                               1.0 x 4.0 = ____<br />
   ( ) Less than two years                                              2.0 x 4.0 = ____<br />
   ( ) More than two years                                              4.0 x 4.0 = ____<br />
9. Last audit results:<br />
   ( ) Good controls                                                    1.0 x 5.0 = ____<br />
   ( ) Adequate controls, but need improvement                          2.0 x 5.0 = ____<br />
   ( ) Inadequate controls                                              4.0 x 5.0 = ____<br />
Total score for systems software security category: ____
APPENDIX F<br />
Risk Assessment Worksheet for Telecommunications Security¹<br />
Company/Division/Unit: ____<br />
Name of the organisation assessed: ____      Date: ____<br />
Criterion                                                              Risk Value x Criterion Weight = Total Risk Score<br />
1. Are standards, policies and guidelines about telecommunications security distributed to employees? If so, are they adequate and up-to-date?<br />
   ( ) Yes - fully adequate and up-to-date                              1.0 x 4.0 = ____<br />
   ( ) Yes - reasonably adequate and up-to-date but need improvement    2.0 x 4.0 = ____<br />
   ( ) Not distributed - inadequate and not up-to-date                  3.0 x 4.0 = ____<br />
2. Is access control security systems software in place, and is it used effectively to control access to telecommunications programs and data files?<br />
   ( ) Yes - used effectively                                           1.0 x 6.0 = ____<br />
   ( ) Yes - not used effectively                                       2.0 x 6.0 = ____<br />
   ( ) Not in place                                                     4.0 x 6.0 = ____<br />
3. Are the access rules or privileges established in the security software for accessing telecommunications programs and data files always in line with employee job duties?<br />
   ( ) Yes - always                                                     1.0 x 6.0 = ____<br />
   ( ) Usually - not a major problem                                    2.0 x 6.0 = ____<br />
   ( ) No - a major problem from an operations viewpoint                4.0 x 6.0 = ____<br />
4. Are terminal IDs part of the user identification and authentication process?<br />
   ( ) Yes - always                                                     1.0 x 6.0 = ____<br />
   ( ) Yes - not always                                                 2.0 x 6.0 = ____<br />
   ( ) No                                                               3.0 x 6.0 = ____<br />
¹ Adapted from Computer Security - A Manual with Case Studies by S. Rao Vallabhaneni.
5. Are security-related controls over program, data, and message transmission activities adequate and effective (e.g., encryption with key management, message sequence numbers, bit counts, call-back)?<br />
   ( ) Yes - fully adequate and effective                               1.0 x 8.0 = ____<br />
   ( ) Yes - reasonably adequate and effective but need improvement     2.0 x 8.0 = ____<br />
   ( ) Not at all adequate or effective                                 3.0 x 8.0 = ____<br />
6. Time since last audit:<br />
   ( ) Less than one year                                               1.0 x 4.0 = ____<br />
   ( ) Less than two years                                              2.0 x 4.0 = ____<br />
   ( ) Two years or more                                                4.0 x 4.0 = ____<br />
7. Last audit results:<br />
   ( ) Good controls                                                    1.0 x 5.0 = ____<br />
   ( ) Adequate controls, but need improvement                          2.0 x 5.0 = ____<br />
   ( ) Inadequate controls                                              4.0 x 5.0 = ____<br />
Total score for telecommunications security category: ____
APPENDIX G<br />
Risk Assessment Worksheet for Computer Operations Security¹<br />
Company/Division/Unit: ____<br />
Name of the organisation assessed: ____      Date: ____<br />
Criterion                                                              Risk Value x Criterion Weight = Total Risk Score<br />
1. Are standards, policies, and guidelines about computer operations security distributed to employees? If so, are they adequate and up-to-date?<br />
   ( ) Yes - fully adequate and up-to-date                              1.0 x 4.0 = ____<br />
   ( ) Yes - reasonably adequate and up-to-date but need improvement    2.0 x 4.0 = ____<br />
   ( ) Not distributed - inadequate and not up-to-date                  3.0 x 4.0 = ____<br />
2. Is access control security systems software in place, and is it used effectively to control computer operations staff's access to applications and systems software program and data files?<br />
   ( ) Yes - used effectively                                           1.0 x 6.0 = ____<br />
   ( ) Yes - not used effectively                                       2.0 x 6.0 = ____<br />
   ( ) Not in place                                                     4.0 x 6.0 = ____<br />
3. Are the access rules or privileges established in the security software for computer operations staff accessing applications and systems software programs and data files always in line with employee job duties?<br />
   ( ) Yes - always                                                     1.0 x 6.0 = ____<br />
   ( ) Usually - not a major problem                                    2.0 x 6.0 = ____<br />
   ( ) No - a major problem from an operations viewpoint                4.0 x 6.0 = ____<br />
¹ Adapted from Computer Security - A Manual with Case Studies by S. Rao Vallabhaneni.
4. What is the degree of sophistication of computer hardware and peripheral equipment?<br />
   ( ) High                                                             1.0 x 4.0 = ____<br />
   ( ) Medium                                                           2.0 x 4.0 = ____<br />
   ( ) Low                                                              4.0 x 4.0 = ____<br />
5. Time since last fire drill and other emergency tests conducted:<br />
   ( ) Six months                                                       1.0 x 4.0 = ____<br />
   ( ) One year                                                         2.0 x 4.0 = ____<br />
   ( ) Two years                                                        3.0 x 4.0 = ____<br />
6. Time since last audit:<br />
   ( ) Less than one year                                               1.0 x 4.0 = ____<br />
   ( ) Less than two years                                              2.0 x 4.0 = ____<br />
   ( ) Two years or more                                                4.0 x 4.0 = ____<br />
7. Last audit results:<br />
   ( ) Good controls                                                    1.0 x 5.0 = ____<br />
   ( ) Adequate controls, but need improvement                          2.0 x 5.0 = ____<br />
   ( ) Inadequate controls                                              4.0 x 5.0 = ____<br />
Total score for computer operations security category: ____
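The worksheets in Appendices D to G all use the same arithmetic: for each criterion the risk value of the option ticked is multiplied by the criterion weight, and the products are summed into the category's total risk score. The Python below is an added example, not code from this thesis or from Vallabhaneni's manual. It encodes the Appendix G criteria as data, refuses to score a worksheet whose risk values do not rise with risk or which has unanswered criteria (an unanswered criterion scored as zero would read as "low risk"), and reports the total beside the lowest and highest totals the worksheet permits. The class and function names, the validation rules, the minimum/maximum range with its normalised figure, and the sample answers are this example's own assumptions; none of them appear on the worksheet.

```python
"""Scoring for the risk assessment worksheets in Appendices D to G.

Every criterion offers three options; the risk value of the option ticked is
multiplied by the criterion weight, and the products are summed into the
category's total risk score.  The Appendix G criteria below are transcribed
from the worksheet; the class names, the validation rules, the possible-range
and normalised figures, and the sample answers are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    number: int
    text: str
    weight: float
    options: tuple  # ((label, risk value), ...) in the order printed

    def score(self, choice: int) -> float:
        """Risk value of the ticked option (0-based index) times the criterion weight."""
        if not 0 <= choice < len(self.options):
            raise ValueError(f"criterion {self.number}: no option {choice}")
        return self.options[choice][1] * self.weight


@dataclass(frozen=True)
class Worksheet:
    category: str
    criteria: tuple

    def validate(self) -> None:
        """Reject a worksheet whose risk values do not strictly increase or whose weight is not positive."""
        for c in self.criteria:
            values = [v for _, v in c.options]
            if values != sorted(set(values)):
                raise ValueError(f"criterion {c.number}: risk values must increase: {values}")
            if c.weight <= 0:
                raise ValueError(f"criterion {c.number}: weight must be positive")

    def score(self, choices: dict) -> dict:
        """choices maps criterion number -> index of the ticked option.

        Returns the per-criterion products, the category total, the lowest and
        highest totals the worksheet allows, and the total normalised into that
        range (0.0 = best answer everywhere, 1.0 = worst answer everywhere).
        """
        missing = [c.number for c in self.criteria if c.number not in choices]
        if missing:
            raise ValueError(f"{self.category}: no answer for criteria {missing}")
        per_criterion = {c.number: c.score(choices[c.number]) for c in self.criteria}
        total = sum(per_criterion.values())
        low = sum(min(v for _, v in c.options) * c.weight for c in self.criteria)
        high = sum(max(v for _, v in c.options) * c.weight for c in self.criteria)
        return {"category": self.category, "per_criterion": per_criterion,
                "total": total, "minimum": low, "maximum": high,
                "normalised": (total - low) / (high - low)}


# Options shared by the "time since last audit" and "last audit results" criteria.
AUDIT_AGE = (("Less than one year", 1.0), ("Less than two years", 2.0), ("Two years or more", 4.0))
AUDIT_RESULT = (("Good controls", 1.0), ("Adequate controls, but need improvement", 2.0),
                ("Inadequate controls", 4.0))

# Appendix G, computer operations security, with the criterion text shortened.
COMPUTER_OPERATIONS = Worksheet("Computer operations security", (
    Criterion(1, "Standards, policies and guidelines distributed, adequate and up-to-date?", 4.0,
              (("Yes - fully adequate and up-to-date", 1.0),
               ("Yes - reasonably adequate, but need improvement", 2.0),
               ("Not distributed - inadequate and not up-to-date", 3.0))),
    Criterion(2, "Access control software in place and used effectively for operations staff?", 6.0,
              (("Yes - used effectively", 1.0), ("Yes - not used effectively", 2.0),
               ("Not in place", 4.0))),
    Criterion(3, "Operations staff access rules always in line with job duties?", 6.0,
              (("Yes - always", 1.0), ("Usually - not a major problem", 2.0),
               ("No - a major problem", 4.0))),
    Criterion(4, "Degree of sophistication of hardware and peripherals?", 4.0,
              (("High", 1.0), ("Medium", 2.0), ("Low", 4.0))),
    Criterion(5, "Time since last fire drill and other emergency tests?", 4.0,
              (("Six months", 1.0), ("One year", 2.0), ("Two years", 3.0))),
    Criterion(6, "Time since last audit?", 4.0, AUDIT_AGE),
    Criterion(7, "Last audit results?", 5.0, AUDIT_RESULT),
))

# Constructed answers for a hypothetical installation: access control software is
# installed but not used effectively (criterion 2) and privileges are only usually
# aligned with duties (criterion 3); every other answer is the best case.
SAMPLE_CHOICES = {1: 0, 2: 1, 3: 1, 4: 0, 5: 0, 6: 0, 7: 0}


def assess_sample() -> dict:
    """Validate the Appendix G worksheet and score the constructed answers."""
    COMPUTER_OPERATIONS.validate()
    return COMPUTER_OPERATIONS.score(SAMPLE_CHOICES)


if __name__ == "__main__":
    result = assess_sample()
    for number, product in result["per_criterion"].items():
        print(f"criterion {number}: {product:5.1f}")
    print(f"total {result['total']:.1f} of possible {result['minimum']:.1f}-"
          f"{result['maximum']:.1f}, normalised {result['normalised']:.2f}")
```

Appendices D, E and F are encoded the same way by transcribing their criteria. The minimum/maximum range is reported because the category totals are not comparable with one another: each worksheet has a different number of criteria and a different set of weights, so a raw total of 45 means something different on a seven-criterion sheet than on a twelve-criterion one.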
APPENDIX H<br />
QUESTIONNAIRE FOR EVALUATING THE PERFORMANCE OF THE AUDIT APPROACH, GENERALLY IN A COMPUTERISED ENVIRONMENT<br />
Scoping the Environment                                                Yes / No<br />
1. Is there a full understanding of the audit objectives?<br />
2. Is there an understanding as to where the audit is to be conducted, the resources needed, etc.?<br />
3. Is an entrance conference conducted to explain to the auditees the objective of the computer audit and to establish working ground rules?<br />
4. Is background information obtained regarding the overview of the auditee and the data processing function?<br />
Understanding the information system<br />
5. Do you interview the computer department staff and gather documents about the information system?<br />
6. Do you prepare an application flowchart to understand who is responsible for evidential matter (both paper and electronic) and also to know the storage location of the evidence?
7. Do you review the application flowchart with the data processing project team to ensure proper understanding of the information system?<br />
Identify the audit risks<br />
8. Do you create a risk analysis team to help in the risk assessment process?<br />
9. Are risks associated with a specific environment identified?<br />
10. Is any attempt made to determine the magnitude of risks (for example high, medium, low)?<br />
11. Are the risks prioritised so as to determine the sequence in which audit resources will be expended?<br />
Identify audit evidence<br />
12. Is all the evidence produced by the information system listed out?<br />
13. Is the audit evidence documented, especially in view of the evidence being electronic?<br />
Identify key control points<br />
14. Is the application flowchart reviewed to locate possible risk areas?<br />
15. Is the application flowchart examined critically to document key controls?<br />
Identify the control weaknesses<br />
16. Are the associated manual operations and computer processing reviewed to identify instances where too much responsibility is vested in a single individual?
17. Is the preparation of a transaction/control matrix reviewed to evaluate controls and weaknesses?<br />
18. Is there any analysis and documentation of potential control weaknesses?<br />
Verify the integrity of computer files<br />
19. With a view to deciding on performing substantive testing and compliance testing, are computer files identified for examination?<br />
20. Are steps taken to save those files which have been selected for performing the audit?<br />
21. Are steps taken to verify the integrity of the computer file?<br />
22. Are steps taken to verify the integrity of the data on the file?<br />
Conduct the audit tests<br />
23. Are steps taken to design the audit tests?<br />
24. Is a proper test tool selected and prepared?<br />
25. Is the audit tool so selected extensively tested to ensure that it performs well?<br />
26. Are the test results, along with other relevant material, used to ensure the accuracy of computer processing?<br />
Conclude the audit<br />
27. Based on the tasks performed, are the audit findings developed?<br />
28. Are suitable audit recommendations developed?<br />
29. Is an appropriate audit report prepared?<br />
30. Are steps taken to ensure that proper action is taken on the findings and recommendations?
BIBLIOGRAPHY<br />
BOOKS<br />
1. Andrew S. Tanenbaum - Operating Systems: Design and Implementation - Prentice Hall of India Pvt. Ltd., New Delhi, 1990.<br />
2. Brian Jenkins & Anthony Pinkney - An Audit Approach to Computers: A New Practice Manual - The Institute of Chartered Accountants in England & Wales, 1978.<br />
3. Charlotte Eudy McConn - Business Computer Systems: Design, Programming and Maintenance with Case Studies - Prentice Hall of India Pvt. Ltd., New Delhi, 1990.<br />
4. Donn B. Parker - Managers Guide to Computer Security - Reston Publishing Company Inc., a Prentice-Hall company, Reston, Virginia, 1981.<br />
5. Donald A. Watne & Peter B. B. Turney - Auditing EDP Systems, Second Edition, Parts 1 & 2 - Prentice Hall International Inc., 1984.<br />
6. N. Derek Arnold - Unix Security: A Practical Tutorial - McGraw-Hill Inc., 1992.<br />
7. Dimitris N. Chorafas - Designing & Implementing Local Area Networks - McGraw-Hill Inc., 1984.<br />
8. Elise G. Jancura & Robert Boos - Establishing Controls and Auditing the Computerised Accounting System - Van Nostrand Reinhold Company, 1981.<br />
9. Elise G. Jancura - Audit and Control of Computer Systems - 1974.<br />
10. Graeme Ward & Denis Marshall - Internal Audit Handbook: Recommended Codes and Practices for the Audit of Data Processing Activities - The Institute of Internal Auditors UK, 1980.<br />
11. Gordon B. Davis - Auditing & EDP - American Institute of Certified Public Accountants, New York, 1968.
12. Gordon C. Everest - Database Management: Objectives, System Functions and Administration - McGraw-Hill, New York, 1986.<br />
13. Javier F. Kuong, Gerald L. Isaacson & Chester M. Winters - Microcomputer Security, Auditability and Controls - Management Advisory Publications, P.O. Box 151, Wellesley Hills, Mass. 02181, 1985.<br />
14. Javier F. Kuong - Controls for Advanced On-line/Data Base Systems - Management Advisory Publications, Mass. 02181, 1983.<br />
15. James Arlin Cooper - Computer & Communications Security: Strategies for the 1990s - McGraw-Hill, 1989.<br />
16. Jason Lamb, Stanley (Stosh) R. Jarocki & Anna M. Seijas - NetWare Security: Configuring and Auditing a Trusted Environment - A Novell Cooperative Research Report, 1991.<br />
17. John Muster, Peter Birns and Lurnix - Unix Power Utilities for Power Users - BPB Publications, New Delhi, 1989.<br />
18. James T. Perry & Joseph G. Lateer - Understanding Oracle - BPB Publications, Delhi, 1989.<br />
19. R. V. Jacobson - PC Virus Control Handbook - Miller Freeman Publications, San Francisco, 1990.<br />
20. Keith Hearnden - A Handbook of Computer Security - Kogan Page.<br />
21. Kamal Gupta - Contemporary Auditing, Third Edition - Tata McGraw-Hill Publishing Company Ltd., New Delhi, 1986.<br />
22. Kishor Shah, S. Tandon, A. Banerji & Pinki Shah - Guide to Computer Data Processing for Accountants and Auditors - Wadhwa and Company, Nagpur, 1987.<br />
23. V. P. Lane - Security of Computer Based Information Systems - Macmillan Education Ltd., 1985.
24. Michael A. Murphy & Xenia Ley Parker - Handbook of EDP Auditing, Second Edition - Coopers & Lybrand, Warren, Gorham & Lamont, Boston, New York, 1989.<br />
25. Michael G. Grottola - The Unix Audit: Using Unix to Audit Unix - 1993.<br />
26. Per Brinch Hansen - Operating System Principles - Eastern Economy Edition, 1990.<br />
27. Paul J. Rutteman - Flowcharting for Auditors - Arthur Young McClelland Moores & Co., 1976.<br />
28. S. Rao Vallabhaneni - Auditing the Maintenance of Software - Prentice Hall Inc., Englewood Cliffs, NJ 07632, 1987.<br />
29. S. Rao Vallabhaneni - Auditing Operational Application Systems on Large Computers: A Step-by-Step Audit Approach - The EDP Auditors Foundation Audit Guide Series, 1985.<br />
30. S. Rao Vallabhaneni - Auditing Computer Security: A Manual with Case Studies - John Wiley & Sons, New York, 1990.<br />
31. S. Rao Vallabhaneni - Auditing Computer Security: A Manual with Case Studies - John Wiley & Sons, New York, 1989.<br />
32. Robert R. Moeller - Computer Audit, Control and Security - John Wiley & Sons, New York, 1989.<br />
33. Ron Weber - EDP Auditing: Conceptual Foundations and Practice, Second Edition - McGraw-Hill International Editions, 1980.<br />
34. Ruth Ashley & Judi N. Fernandez - Teaching Yourself Unix - BPB Publications, 1990.<br />
35. Sybil P. Parker - McGraw-Hill Dictionary of Computers - McGraw-Hill Book Company, 1989.<br />
36. A. J. Thomas & I. J. Douglas - Audit of Computer Systems - NCC Publications, Manchester, England, 1983.
37. W. Thomas Porter & William E. Perry - EDP Controls and Auditing, Third Edition - Touche Ross & Co., William E. Perry Enterprises Inc., Kent Publishing Company, Boston, Mass., 1981.<br />
38. Uyless Black - Computer Networks: Protocols, Standards and Interfaces - Prentice Hall International Inc., New Jersey, 1987.<br />
39. K. K. Vanwasi - A Dictionary of Computers - Khanna Publishers, Delhi-6.<br />
40. William C. Mair, Donald Wood & Keagle W. Davis - Computer Control & Audit - Touche Ross & Co., Minnesota, 1978.<br />
41. William E. Perry - Auditing Information Systems: A Step-by-Step Audit Approach - EDP Auditors Foundation Audit Guide Series, 1983.<br />
42. William E. Perry - Report Writing for EDP Auditors - Quality Assurance Institute, Florida, 1982.<br />
43. Advanced Computer Assisted Audit Techniques - Monograph Series - The EDP Auditors Foundation Inc. / The Information Systems Control Foundation, 1987.<br />
44. Disaster Recovery: Contingency Planning & Program Evaluation - The Chantico Series - Information Sciences Inc., Mass., 1985.<br />
45. Advanced NetWare: Theory of Operations, Version 2.1 - Novell Inc., Provo, Utah, 1987.<br />
46. A Critical Review of the Certified Information Systems Auditor's Job Domain, First Edition - CISA Examination Review Book, Vol. 2: Practice, 1994.<br />
47. Illustrated Novell NetWare - BPB Publications, Delhi, 1989.<br />
48. EDI Control Guide - EDI Council of Australia and EDP Auditors Association.<br />
49. Guidelines to Controls for the Data Processing Environment - The Institute of Internal Auditors, 1983.<br />
50. Computer Security - Computer Society of India, 1980.<br />
51. Establishing the Internal Audit Function in EDP - The Institute of Internal Auditors Inc.
RESEARCH PUBLICATIONS<br />
1. Institute of Internal Auditors - Systems Auditability and Control, Module 2: Audit and Control Environment.<br />
2. Institute of Internal Auditors - Systems Auditability and Control, Module 3: Using Information Technology in Auditing.<br />
3. Institute of Internal Auditors - Systems Auditability and Control, Module 4: Managing Computer Resources.<br />
4. Institute of Internal Auditors - Systems Auditability and Control, Module 5: Managing Information and Developing Systems.<br />
5. Institute of Internal Auditors - Systems Auditability and Control, Module 6: Business Systems.<br />
6. Institute of Internal Auditors - Systems Auditability and Control, Module 7: End-User and Departmental Computing.<br />
7. Institute of Internal Auditors - Systems Auditability and Control, Module 8: Telecommunications.<br />
8. Institute of Internal Auditors - Systems Auditability and Control, Module 9: Security.<br />
9. Institute of Internal Auditors - Systems Auditability and Control, Module 10: Contingency Planning.<br />
10. Institute of Internal Auditors - Systems Auditability and Control, Module 11: Emerging Technologies.
ARTICLES<br />
1. Tommie Singleton, Dale Flesher and Judith Cassidy - "Pioneers of EDP Auditing in North America" - EDP Auditor Journal, Vol. III, 1993.<br />
2. Howard N. Glassman - "LANs are not as Secure as You Think" - EDP Auditor Journal, Vol. IV, 1993.<br />
3. Zabi Rezaee - "The Possible Impact of the COSO Report on an Entity's Internal Audit Function" - EDP Auditor Journal, Vol. IV, 1993.<br />
4. Owen D. West and Christopher Zoladz - "Microcomputer Security: Is Your Organisation at Risk?" - EDP Auditor Journal, Vol. IV, 1993.<br />
5. Peggy D. Dwyer and two others - "It Can Happen Here: The Importance of Continuity Planning" - EDP Auditor Journal, Vol. I, 1994.<br />
6. Linda Lee Larson - "Data Centre Survives the 1992 Los Angeles Riots" - EDP Auditor Journal, Vol. I, 1994.<br />
7. Sherrie Stickland and Norma C. Powell - "Microcomputers and the Internal Audit Function: Rhetoric vs. Action" - EDP Auditor Journal, Vol. I, 1989.<br />
8. David A. Crowell and Andrew Sundene - "Data Communications Audit Concerns" - EDP Auditor Journal, Vol. III, 1989.<br />
9. Christopher J. Calabrese - "A Brief Introduction to the Unix Operating System" - EDP Auditor Journal, Vol. III, 1991.<br />
10. Miklos A. Vasarhelyi, Fern B. Halper and Kazuo J. Ezawa - "The Continuous Process Audit System: A Unix-Based Auditing Tool" - EDP Auditor Journal, Vol. III, 1991.
11. Michael J. Cerullo and M. Virginia Cerullo - "Controlling Stand-Alone Microcomputer Systems" - EDP Auditor Journal, Vol. IV, 1991.<br />
12. Hal McDonald - "EDI Implementation Considerations" - EDP Auditor Journal, Vol. I, 1990.<br />
13. Benjamin Wright - "Auditors Should be Aware of EDI's Legal Issues" - EDP Auditor Journal, Vol. I, 1990.<br />
14. William H. Murray - "Computer-Related Crime and Auditing in the Nineties" - EDP Auditor Journal, Vol. II, 1990.<br />
15. J. J. "Buck" BloomBecker - "Computer Crime and Abuse (U.S.A.)" - EDP Auditor Journal, Vol. II, 1990.<br />
16. Robert Bigelow - "Legal Dimensions of Computer Crime" - EDP Auditor Journal, Vol. II, 1990.<br />
17. Jarlath O'Neil-Dunne - "Computer Aided Software Engineering (CASE)" - EDP Auditor Journal, Vol. III, 1990.<br />
18. Peter Sfoglia - "Sybase Security" - EDP Auditor Journal, Vol. III, 1993.<br />
19. James Norwal - "Auditing Adabas Version 5" - EDP Auditor Journal, Vol. II, 1993.