CA Final: Summary Notes: Part I: Information Systems Control and Audit (ISCA)

INDEX
Ch. No.  Chapter Name                                                Page No.  No. of pages
2        Information System Concepts                                 1-11      11
4        Business Continuity Planning & Disaster Recovery Planning   12-23     12
6        Auditing of Information Systems                             24-30     7
8        Emerging Technologies                                       31-41     11

© Compiled by: Akshay Ramdas Yadav 9881751563
www.akpune.com Compiled By: Akshay R Yadav
Chapter 2: Information System Concepts

Information
Information means processed data. Data are raw facts or values of results; information is data placed in relation to other data so that it carries meaning.

Attributes of Information:
1) Availability: Information is available at the time of need.
2) Reliability: Whether the information can be relied upon.
3) Validity: How closely the information serves the purpose it claims to serve.
4) Quality: Correctness of the information.
5) Frequency: The frequency with which information is transmitted/received affects its value.
6) Completeness & Adequacy: Only complete & adequate information can be used in policy making.
7) Transparency: Essential in decision & policy making.
8) Mode & Format: Easily understandable by the people who use it.
9) Rate: The rate (speed) at which information is transmitted/received.
10) Update: Refreshed & updated from time to time.
11) Purpose/Objective: Information must have a purpose/objective at the time it is transmitted to a person or machine.
12) Value of information: Defined as the difference b/w the value of the change in decision caused by the information & the cost of obtaining the information.

System
A system is a group of interconnected components working towards the accomplishment of a common goal by accepting inputs & producing outputs in an ordered transformation process.

Classification of Systems:
A) On the basis of Elements:
1) Abstract System: Also known as a conceptual system/model. An orderly arrangement of interdependent ideas/constructs. (E.g. Theology.)
2) Physical System: A set of tangible elements which operate together to accomplish an objective. (E.g. Computer system.)
B) On the basis of Interactive behaviour:
1) Open System: Interacts with other systems in its environment, i.e. it takes input from the environment & produces output to the environment, & changes as the environment changes.
2) Closed System: Does not interact with the environment & does not change with changes in the environment.
C) On the basis of Degree of Human intervention:
1) Manual System: Activities like data collection, maintenance & final reporting are done by humans.
2) Automated System: Activities like data collection, maintenance & final reporting are carried out by the computer system/machine itself.
D) On the basis of Working/Output:
1) Deterministic System: Operates in a predictable manner. (E.g. accounting IS, computer system, production system.)
2) Probabilistic System: Can be defined only in terms of probable behaviour. (E.g. weather forecasting, sales forecasting, inventory management system.)
www.akpune.com © Compiled By: Akshay R Yadav 1 88881 44446 98817 51563
Components of Information Systems:
1) People: IT professionals (e.g. system administrators) & end users.
2) Computer System:
   a) Hardware: Physical components of the computer, e.g. servers or smart terminals.
   b) Software: System software, application software & utility software.
3) Data: Raw facts, which may be organized in the form of a database.
4) Network: Communication media (Internet, Intranet, Extranet etc.).

Information System model comprises the following steps:
1) Input: Data is collected from within the organization/from the external environment & converted into the format required for processing.
2) Processing: The collected data is manipulated (calculated, sorted, summarized) & thereby converted into information.
3) Output: The resulting information is stored for future use/communicated to the user.

Important characteristics of Computer Based Information Systems (CBIS/CIS):
1) All systems work for predetermined objectives.
2) A system has a no. of interrelated & interdependent subsystems/components.
3) No subsystem can function in isolation; it depends on other subsystems for its inputs.
4) If one subsystem fails, in most cases the whole system does not work.
5) The way a subsystem works with another subsystem is called interaction.
6) The goal of an individual subsystem is of lower priority than the goal of the entire system.

Major areas of Computer Based Applications: (MT: FMP HI) (RTP-M16)
1) Finance & Accounting: Ensure the financial viability of the organization, enforce financial discipline & plan & monitor the financial budget.
2) Marketing & Sales: Maximize sales & ensure customer satisfaction. Marketing facilitates order procurement, creating new customers & advertisement.
3) Production or Manufacturing: Optimally deploy man, machine & material to maximize production/service.
4) Inventory/Stores Management: Designed to keep track of materials in the stores.
5) Human Resource Management: Human resource is the most valuable asset of an organization. Effective & efficient utilization of manpower ensures timely services in business.

Important implications of information systems in business:
1) IS helps managers make efficient decisions to achieve organisational goals.
2) An organisation can survive & thrive in a highly competitive environment on the strength of a well-designed IS.
3) IS helps in making the right decision at the right time.
4) IS helps in generating innovative ideas for solving critical problems.
5) Knowledge gathered through IS may be utilized by managers in unusual situations.
6) IS, viewed as a process, can be integrated to formulate a strategy of action/operation.

Application of Information Systems in Enterprise Processes: (Or: IS performs three vital roles in business firms)
1) Support an org.'s business processes & operations: TPS, Process Control Systems.
2) Support business decision-making: MIS, DSS & EIS.
3) Support strategic competitive advantage: ES, KMS etc.
IT TOOLS CRUCIAL FOR BUSINESS GROWTH:
1) Business Website: Cost-effective advertisement that helps reach a large number of customers.
2) Internet & Intranet: The best source of communication. Time & space are no longer obstacles to conducting meetings of team members working at different locations. An Intranet is a system that permits the electronic exchange of business data within an org.
3) Software & Packages: DBMS, data warehousing, data mining & knowledge tools can be used for getting information.
4) Business Intelligence (BI): Applications & technologies used to collect, provide access to & analyse data & information about a company's operations.
5) Computer Systems, Scanners, Laptops, Printers, Webcams, Smart Phones etc.: Used in conducting long-distance meetings; they increase accuracy, reduce processing times, enable decisions to be made more quickly & speed up customer service.

Knowledge required by a "business manager" to operate IS effectively & efficiently: (M18, RTP-N18)
1) Foundation Concepts: Fundamental business & managerial concepts, e.g. what the components of a system are & what their functions are.
2) Information Technologies (IT): Operation, development & management of hardware, software, data management & networks.
3) Business Applications: Major uses of IT in business, i.e. processes, operations & decision making.
4) Development Processes: How end users & IS specialists develop & execute business/IT solutions to problems.
5) Management Challenges: How the IS function & IT resources are maintained & utilized to attain top performance.
Types of Information Systems

I) Operational-Level Systems:
A) Transaction Processing Systems (TPS):
TPS is an IS that manipulates data from business transactions. Any business activity such as sales, purchase, production, delivery, payments or receipts involves transactions, & these transactions have to be organized & manipulated to generate various information products for external use.
1) TPS involves the following activities:
   a) Capturing data & organizing it in files/databases.
   b) Processing of files/databases using application software.
   c) Generating information in the form of reports.
   d) Processing of queries from various quarters of the organisation.
2) Components of TPS:
   a) Inputs: Source documents such as customer orders, sales slips, invoices & purchase orders are the physical evidence of inputs.
   b) Processing: Involves the use of journals & registers to provide a permanent & chronological record of inputs.
   c) Storage: Ledgers & files provide storage of data in both manual & computerized systems.
   d) Output: Any document generated is output. Some documents are both input & output.
3) Features of TPS: (MT: LABS)
   a) Large volume of data: TPS is transaction oriented & generally handles large volumes of data, so it requires greater storage capacity.
   b) Automation of basic operations: Any TPS aims at automating the basic operations of a business enterprise.
   c) Benefits are easily measurable: TPS reduces the workload of the people associated with the operations & improves their efficiency by automating some of the operations. The benefits are tangible & easily measurable.
   d) Source of input for other systems: TPS is the basic source of internal information for other information systems.

II) Knowledge-Level Systems:
A) Office Automation Systems (OAS): The most rapidly expanding type of computer-based IS.
1) Activities involved in OAS:
   i) Document Capture: Documents originating from outside sources like incoming mail, notes, charts, graphs etc. need to be preserved.
   ii) Document Creation: Preparation of documents, dictation, editing of text etc.
   iii) Receipt & Distribution: Distribution of correspondence to designated recipients.
   iv) Filing, Search, Retrieval & Follow-up: Filing, indexing & searching of documents, which takes up significant time.
   v) Calculations: The usual calculator functions like routine arithmetic, interest calculations etc.
   vi) Recording Utilization of Resources: Where necessary, record keeping in respect of specific resources utilized by office personnel.
2) Benefits of OAS:
   a) OAS improves communication within an organization & between enterprises.
   b) It reduces the cycle time b/w preparation of messages & receipt of messages.
   c) It also reduces the costs of office communication.
   d) OAS ensures accuracy of information & smooth flow of communication.
3) Computer Based OAS:
   a) Text Processing Systems: The most commonly used component of OAS, because a large proportion of office communication takes place in writing, using the words of a natural language.
   b) Electronic Document Management System: Captures the information contained in documents, stores it for future reference & makes it available to users as & when required. Very useful for remote access to documents & internal communication through the network.
   c) Electronic Message Communication Systems:
      ► Offer a lot of economy, not only in terms of reduced time in sending/receiving the message, but also in terms of reliability of the message & cost of communication.
      ► Components of Message Communication Systems:
      I) Electronic Mail. Features of electronic mail:
         i) Electronic Transmission: Transmission of messages is electronic & delivery is very quick.
         ii) Online Development & Editing: A message can be developed & edited online before transmission.
         iii) Broadcasting & Rerouting: Email permits sending a message to a large number of recipients & easy circulation (forwarding).
         iv) Integration with other Information Systems: Gives quick access to accurate information.
         v) Portability: Email can be accessed from any personal computer/tablet/smart phone.
         vi) Economical: The most economical mode for sending & receiving messages.
      II) Facsimile (fax): Electronic communication of images of documents over telephone lines.
      III) Voicemail: A variation of email in which messages are transmitted as digitized voice.
   d) Teleconferencing & Video-conferencing Systems: Used for business meetings involving more than two persons located at two or more different places. Helps reduce the time & cost of travel.

B) Knowledge Management System (KMS):
Knowledge Management (KM) is the process of capturing, developing, sharing & effectively using organizational knowledge.

Types of Knowledge:
Explicit knowledge (Recorded) | Tacit knowledge (Personal know-how)
1) Can be formalized easily. | Resides in only a few people.
2) Easily available across the organisation. | Has not been captured by the org. or made available to others.
3) Articulated. | Unarticulated.
4) Represented as spoken words, written material & compiled data. | Represented as intuition, perspective, beliefs & values that individuals form based on their experiences.
5) Codified; easy to document, transfer & reproduce. | Personal, experiential; difficult to document & communicate.
E.g. Online tutorials, policy & procedural manuals. | E.g. Hands-on skills, special know-how, employee experiences.
III) Management-Level Systems:
A) Management Information Systems (MIS):
MIS is a computer-based system that provides flexible & speedy access to accurate data.
1) CHARACTERISTICS OF MIS: (RTP-N17/18)
   i) Management Oriented: Efforts for the development of the IS should start from an appraisal of management needs & overall business objectives.
   ii) Management Directed: Mgt. should actively direct the system development efforts.
   iii) Integrated: Functional & operational subsystems are tied together.
   iv) Heavy Planning Element: MIS takes 1-3 yrs or longer to get established in a company, so it needs heavy planning.
   v) Common Data Flows: Use of common input, processing & output procedures & media.
   vi) Common Database: Defined as a "super-file" which consolidates & integrates data records formerly stored in many separate data files.
   vii) Sub System Concept: The system is broken down into digestible sub-systems which can be implemented in phases.
   viii) Computerized: It is possible to have an MIS without using a computer; the use of computers increases the effectiveness of the system.
2) Misconceptions about MIS:
   i) Any computer-based IS is an MIS.
   ii) Any reporting system is an MIS.
   iii) MIS is a management technique.
   iv) MIS is a bunch of technologies.
   v) MIS is an implementation of organizational systems & procedures; it is a file structure.
   vi) The study of MIS is about the use of computers.
   vii) More data in generated reports means more information for managers.
   viii) Accuracy in reporting is of vital importance.
3) PRE-REQUISITES OF AN EFFECTIVE MIS:
   a) Database: A collection of files; a file is a collection of records, & records are a collection of data. Characteristics of a database:
      a) It is user oriented.
      b) It is a common data source, which avoids duplication of effort.
      c) It is available to authorized persons only.
      d) It is controlled by a separate authority established for the purpose, known as the Database Management System (DBMS).
   b) Qualified System & Management Staff: System & computer experts should understand the problems faced by the concern & be clear about the process of decision making; management experts should understand the concepts & operation of a computer.
   c) Support of Top Management: Without support from top management, the MIS is not effectively controlled, gets lesser priority & may be delayed/abandoned. To gain support, all supporting facts & benefits must be placed before top mgt.
   d) Control & Maintenance of MIS: Sometimes users develop their own procedures/short-cut methods to use the system, which reduces its effectiveness. So the system must be controlled & maintained.
4) Constraints in Operating MIS: (N17, RTP-N18)
   a) Non-availability of experts: May be overcome by grooming internal staff & proper selection & training.
   b) Non-availability of co-operation from staff: Handled tactfully by organizing lectures, showing films & explaining the utility of the system to them.
   c) MIS is non-standardized: Due to varied objectives, the approach adopted for the design & implementation of MIS is non-standardized.
   d) Problem of selecting the sub-system to be installed: Depends upon the need & importance of the function for which MIS is to be installed first.
5) Limitations of MIS: (M17)
   i) Quality of output depends upon the quality of input & processing.
   ii) It is not a substitute for effective management.
   iii) It is not flexible enough to update quickly with the changing needs of the time.
   iv) It can't provide tailor-made information packages.
   v) It ignores non-quantitative factors, e.g. morale & attitude.
   vi) It is less useful for non-programmed decisions.
   vii) Its effectiveness is reduced in enterprises where a culture of hoarding information & not sharing it with others prevails.
   viii) Its effectiveness decreases due to frequent changes in top management, organizational structure & operational team.
6) Evaluation of MIS:
   i) Examining whether enough flexibility exists in the system to cope with any expected/unexpected information requirement in future.
   ii) Ascertaining the views of users & designers about the capabilities & deficiencies of the system.
   iii) Guiding the appropriate authority about the steps to be taken to maintain the effectiveness of MIS.

B) Decision Support System (DSS):
DSS can be defined as a system that provides tools to managers to assist them in solving semi-structured & unstructured problems in their own, somewhat personalized, way.
1) Planning Languages:
   i) General-purpose planning languages (GPPL): Allow users to perform many routine tasks like retrieval of data & performing statistical analyses. E.g. the language of an electronic spreadsheet.
   ii) Special-purpose planning languages (SPPL): More limited in what they can do, but they do certain jobs better than GPPL. E.g. statistical languages such as SAS & SPSS.
2) Characteristics:
   1) Supports decision making at all levels of management.
   2) DSS can be used for structured problems.
   3) DSS should be user-friendly.
   4) DSS should be extensible & evolve over time.
   5) DSS should be easy to use.
   6) DSS should be flexible & adaptable.
   7) DSS should help in group decision making.
   8) DSS focuses on decisions rather than on data & information.
   9) DSS is used for making decisions rather than for communicating decisions.
3) Components of DSS:
   i) User: The user of a DSS is a manager with an unstructured/semi-structured problem to solve. Managers have basic computer knowledge & want the DSS to be user friendly; staff specialists are more detail oriented & use complex systems.
   ii) Databases: A DSS includes one or more databases that contain both routine & non-routine data from both internal & external sources. A database is implemented at 3 levels:
      a) Physical level: Implementation of the database on the hard disk.
      b) Logical level: Designed by professional programmers who have complete knowledge of the DBMS.
      c) External level: The logical level defines the schema, which is divided into smaller units known as sub-schemas; the sub-schema given to a manager contains all the relevant data needed by that one manager.
   iii) Model Base: Allows the user to maintain a dialogue with the model base, which is the "brain" of the DSS because it performs the data manipulations & computations on the data provided by the user & the database.
4) Examples of DSS in Accounting:
   i) Cost Accounting System: Managing costs requires controlling the costs of supplies, expensive machinery, technology & a variety of personnel. E.g. health care industry.
   ii) Capital Budgeting System: Companies require new tools to evaluate high-technology investment decisions. E.g. analytical techniques such as NPV & IRR.
   iii) Budget Variance Analysis System: Allows comptrollers to graph, view, analyze & annotate budget variances, as well as create additional 1- & 5-year budget projections using forecasting tools.
   iv) General Decision Support System: The user works interactively with the computer to develop a hierarchical model of the decision problem. E.g. Expert Choice, which supports a variety of problems requiring decisions, analyzes judgements & presents the decision maker with the best alternative.
5) Difference b/w DSS & Traditional MIS:
Dimension | DSS | Traditional MIS
1) Philosophy | Providing integrated tools, data, models & languages to end users | Providing structured information to end users
2) Orientation | External orientation | Internal orientation
3) Flexibility | Highly flexible | Relatively inflexible
4) Analytical capability | More analytical capability | Little analytical capability
5) System analysis | Emphasis on the tools to be used in the decision process | Emphasis on information requirement analysis
6) System design | Interactive process | System development based on static information requirements

IV) Strategic-Level Systems:
A) Executive Information Systems (EIS): (RTP-M18)
Sometimes referred to as an Executive Support System (ESS). It serves the strategic level, i.e. the top-level managers of the organization.
1) Characteristics of EIS: (RTP-M18)
   i) A computer-based IS that serves the information needs of top executives.
   ii) Enables users to extract summary data without learning query languages.
   iii) Provides rapid access to timely information & direct access to management reports.
   iv) Capable of accessing both internal & external data.
   v) Provides extensive online analysis tools.
   vi) Can easily be given DSS support for decision making.
2) Characteristics of information used in Executive Decision Making: (N16)
   i) Lack of structure: Unstructured decisions are not as clear-cut as deciding how to debug a computer program or how to deal with an overdue account balance.
   ii) High degree of uncertainty: Executives work in a decision space where results are not scientifically predictable from actions.
   iii) Future orientation: It is the responsibility of executives to make sure that the organization keeps pointed toward the future.
   iv) Informal sources: Executives & managers rely heavily on informal sources for key information.
   v) Low level of detail: Most executive decisions are made by observing broad trends.
3) Contents of EIS: (Or: a practical set of principles to guide the design of measures & indicators to be included in an EIS)
   i) EIS measures must be easy to understand & collect. Wherever possible, data should be collected naturally as part of the process of work. An EIS should not add substantially to the workload of managers or staff.
   ii) EIS measures must be based on a balanced view of the org.'s objectives.
   iii) EIS measures must encourage management & staff to share ownership of the organization's objectives.
   iv) EIS measures must evolve to meet the changing needs of the organization.
   v) EIS information must be available to everyone in the organization; confidential information should therefore not be part of the EIS.
   vi) Performance indicators in an EIS must reflect everyone's contribution in a fair & consistent manner.
4) Difference b/w EIS & Traditional Information Systems:
Dimension | EIS | Traditional IS
1) Level of management | For top/near-top executives | For lower staff
2) Nature of information access | Specific issues/problems | Status reporting
3) Nature of information provided | Online tools & analysis | Offline status reporting
4) Information sources | More external, less internal | Internal
5) Drill-down facility to go through details at successive levels | Available | Not available
6) Information format | Text with graphics | Tabular
7) Nature of interface | User-friendly | Computer-operator generated

Specialized Systems:
A) Expert System (ES):
ES is a highly developed DSS that utilizes knowledge generally possessed by an expert to solve a problem.
1) Business applications of Expert Systems: (M18, RTP-N18)
   i) Accounting & Finance: Tax advice & assistance, investment advice.
   ii) Marketing: Establishing sales quotas, responding to customer inquiries.
   iii) Manufacturing: Determining whether a process is running correctly, selecting transportation routes.
   iv) Personnel: Assessing applicant qualifications.
   v) General Business: Assisting with project proposals, recommending acquisition strategies.
2) Characteristics of Expert Systems:
   ► Ability to declare/explain the reasoning process that was used to make decisions.
3) Need for Expert Systems:
   i) Expert labour is expensive & scarce.
   ii) Organizations face a shortage of talent in key positions.
   iii) Even bright/knowledgeable people can handle only a few factors at a time.
   iv) Limitations imposed by human information processing capability & the rushed pace at which business is conducted today put a practical limit on the quality of human decision making.
4) Benefits of Expert Systems (ES):
   i) ES preserve knowledge that might be lost through retirement, resignation or death.
   ii) ES put information in an active form.
   iii) ES assist novices in thinking the way experienced professionals do.
   iv) ES are not subject to human failings such as fatigue, being too busy or emotions.
   v) ES can be used as a strategic tool in the areas of marketing products, cutting costs & improving products.
5) Properties a problem must possess to qualify for Expert System development:
   i) Availability: Experts are available & capable of communicating their knowledge.
   ii) Complexity: The task is complex & requires logical inference processing.
   iii) Domain: The domain/subject area of the problem is relatively small.
   iv) Expertise: Solutions to the problem require the efforts of experts.
   v) Structure: The solution process must be able to cope with ill-structured, uncertain, missing & conflicting data.

B) Cross Functional Information Systems: Enterprise Resource Planning (ERP):
ERP is process management software that allows an organization to use a system of integrated applications to manage the business & automate many back-office functions related to technology, services & human resources.
a) Components of ERP: (RTP-M16)
   i) Software Component: The most visible part; consists of several modules, e.g. Finance, HR, CRM, supply chain mgt.
   ii) Process Flow: Illustrates how information flows among the different modules within an ERP system.
   iii) Customer Mindset: Old ways of working that users understand have to be changed.
   iv) Change Management: Change needs to be managed at several levels: user attitude, resistance to change & business process changes.
b) Benefits of ERP: (RTP-N17)
   i) Streamlines processes & workflows with a single integrated system.
   ii) Establishes uniform processes.
   iii) Improved workflow & efficiency.
   iv) Improved customer satisfaction based on improved on-time delivery & increased quality.
   v) Reduced inventory costs.
   vi) Reduced redundant data entry & processes.
   vii) Faster turn of collections.
   viii) Decrease in vendor pricing.
   ix) Tracks actual costs of activities & performs activity-based costing.
   x) Provides a consolidated picture of sales, inventory & receivables.
C) Core Banking System (CBS): (N17)
Core Banking is a banking service provided by a group of networked bank branches where customers may access their bank account & perform basic transactions from any of the member branch offices.
Elements of core banking: (N17)
1) Opening new accounts.
2) Making & servicing loans.
3) Processing cash deposits & withdrawals.
4) Processing payments & cheques.
5) Calculating interest.
6) Customer Relationship Management (CRM).
7) Establishing criteria for minimum balances, interest rates & the number of withdrawals allowed.
8) Establishing interest rates.
9) Maintaining records of all the bank's transactions.

Various types of Business Applications: (Or: Impact of IT on IS for different sectors)
1) E-business: Also called electronic business; includes purchasing, selling, communication, support services & inventory management through the use of internet technologies. Advantages of e-business: 24-hour sales, lower cost of doing business, more efficient business relationships, elimination of middlemen, unlimited market place.
2) Financial Services Sector: Manages large amounts of data & processes enormous numbers of transactions every day. IT has changed the working style of financial services; most services are now offered over the internet, accessible from anywhere & at any time, which makes them more convenient for customers.
3) Wholesaling & Retailing: Retail businesses use IT to carry out basic functions including till systems for selling items, capturing sales data by item, stock control, buying, management reports, customer information & accounting. Laser scanners used in most grocery supermarkets & superstores to read product bar codes are among the most distinctive examples of modern computer technology. Using the internet or mobile phones, retailers can collect & exchange data b/w stores, distribution centres, suppliers & head offices. In wholesale, IT is used for supply chain logistics management, planning, space management, purchasing, re-ordering & analysis of promotions.
4) Public Sector: Includes services provided by the govt., mainly hospitals, police stations, universities etc. IT/IS is used here to keep records. Due to the application of IT/IS it becomes easy to file an FIR without going to the police station, & applications for important documents like passports can be made online.
5) Others: IT is efficiently used in the entertainment industry, agriculture, tourism etc. IT has changed the working style of the business world drastically.
Chapter 4: Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP) Types of Plans: (PM, M90/01/05, N08/15) – 6 Marks 1) Emergency Plan: (RTP N15) It specifies the actions to be undertaken immediately when a disaster occurs. Management must identify those situations that require the plan to be invoked. E.g. Major fire, major structural damage, & terrorist attack. 2) Back-up Plan: It specifies the type of backup to be kept, frequency with which backup is to be undertaken, procedures for making backup, location of backup resources. 3) Recovery Plan: (N15, RTP M16) It set out procedures to restore full IS capabilities. Recovery plan should identify a recovery committee that will be responsible for working out the specifics of the recovery to be undertaken. 4) Test Plan: (RTP N16) Final component of a DRP is a test plan. Purpose of the test plan is to identify deficiencies in the emergency/backup/recovery plan. Types of Back-ups 1) Full Back-up: (N14, M15, RTP-M16) Full Back-up captures all files on the disk/within the folder selected for backup. At each backup run, all files designated in the backup job will be backed up again. It is commonly used as an initial/first backup followed with subsequent incremental/differential backups. E.g. - Suppose a full backup is done every night from Monday to Friday. - First backup on Monday will contain the entire list of files & folders. - On Tuesday, the backup will include copying all the files & folders again, no matter the files have got changed or not. Advantages: a) Restores are fast & easy to manage as the entire list of is backed up. b) Easy to maintain & restore different versions. Disadvantages: (RTP-N16) a) Backups can take very long as each file is backed up again. b) Consumes most storage space compared to incremental & differential backups. 2) Incremental Backup: An Incremental Backup captures files that were created or changed since the last backup, regardless of backup type. 
(N14, RTP-N16, MTP-N16) E.g. Suppose an incremental backup is done every night from Monday to Friday.
- The first backup on Monday will be a full backup, since no prior backups have been taken.
- On Tuesday, the incremental backup will only back up the files that have changed since Monday, &
- the backup on Wednesday will include only the changes & new files since Tuesday's backup.
Advantages: a) Much faster backups. b) Efficient use of storage space, as files are not duplicated; much less storage space is used compared to running full backups & differential backups.
Disadvantages: a) Restores are slower than with a full backup & differential backups. b) Restores are a little more complicated: all backup sets are needed to perform a restore (the first full backup & every incremental backup taken since it).
3) Differential Backup: Differential backups fall in the middle b/w full backups & incremental backups. A differential backup stores files that have changed since the last full backup.
E.g. Suppose a differential backup is done every night from Monday to Friday.
- On Monday, the first backup will be a full backup, since no prior backups have been taken.
- On Tuesday, the differential backup will only back up the files that have changed since Monday, &
- on Wednesday, files changed & files added since Monday's full backup will be copied again.
- While Wednesday's backup does not include the files from the first full backup, it still contains the files backed up on Tuesday.
Advantages: (RTP-M17) a) Much faster backups than full backups. b) More efficient use of storage space than full backups. c) Faster restores than incremental backups.
Disadvantages: a) Backups are slower than incremental backups. b) Not as efficient in storage space as incremental backups. c) Restores are slower than with full backups. d) Restores are a little more complicated than full backups, but simpler than incremental backups.
4) Mirror back-up: Mirror backups are, as the name suggests, a mirror of the source being backed up. When a file in the source is deleted, that file is eventually also deleted in the mirror backup.
E.g. Many online backup services offer a mirror backup with a 30-day delete. This means that when you delete a file on your source, that file is kept on the storage server for at least 30 days before it is eventually deleted.
Advantages: The backup is clean & does not contain old & obsolete files.
Disadvantages: Files in the source deleted accidentally or through a virus may also be deleted from the backup mirror.
Alternate Processing Facility Arrangements: (PM, M11, N14, M15, N15) – 4 Marks only
1) Cold Site: (RTP N15) If an organisation can tolerate some downtime, cold-site backup might be appropriate. It has all the facilities needed to install a mainframe system (raised floors, air conditioning, power, communication lines, & so on) but not the hardware itself.
2) Hot Site: (RTP N15) If fast recovery is critical, an organisation might need hot-site backup. All hardware & operations facilities will be available at the hot site.
3) Warm Site: It provides an intermediate level of backup. It has all cold-site facilities in addition to the hardware that might be difficult to obtain/install.
4) Reciprocal Agreement: Two or more organisations might agree to provide backup facilities to each other in the event of one suffering a disaster.
This backup option is relatively cheap, but each participant must maintain sufficient capacity to operate another's critical system.
Considerations when a third-party site is to be used for backup & recovery purposes: (PM, M10, N17/18-5M, RTP-N15, MTP-M16)
1) How soon the site will be made available subsequent to a disaster.
2) No. of organisations that will be allowed to use the site concurrently in the event of a disaster.
3) Priority to be given to concurrent users of the site in the event of a common disaster.
4) Period during which the site can be used.
5) Conditions under which the site can be used.
6) Facilities & services the site provider agrees to make available.
7) What controls will be in place & working at the off-site facility.
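The full, incremental & differential schedules described above, worked through as an added Python example (not part of these notes): it simulates one Monday-to-Friday week, records what each night's backup set contains, & shows which sets a restore needs & how many file copies each strategy stores. The file names & the week's change history are constructed sample data.

```python
# Added example (not from the notes): simulate the full, incremental and
# differential nightly schedules over one working week and check that the
# restore chain each strategy needs really reproduces the disk state.
# File names and the change history below are constructed sample data.
from dataclasses import dataclass, field

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]

# Constructed change history: files created or modified on each day.
# Monday holds the whole initial disk, so every strategy starts with a full backup.
CHANGES = {
    "Mon": {"ledger.db", "payroll.xlsx", "config.ini"},
    "Tue": {"ledger.db"},
    "Wed": {"payroll.xlsx", "invoices.pdf"},   # invoices.pdf is a new file
    "Thu": set(),                              # a quiet day: nothing changed
    "Fri": {"ledger.db", "config.ini"},
}


@dataclass
class BackupSet:
    day: str
    kind: str                                   # "full", "incremental" or "differential"
    files: dict = field(default_factory=dict)   # file name -> day of the version captured


def run_schedule(strategy, changes=CHANGES, days=DAYS):
    """Run one nightly strategy across the week.

    Returns (backup_sets, snapshots): the set written each night, and the true
    disk state (file -> latest version day) after each day, which is what a
    restore of that day must reproduce.
    """
    disk = {}
    since_last = set()    # changed since the most recent backup of any kind
    since_full = set()    # changed since the most recent full backup
    sets, snapshots = [], []
    for day in days:
        for name in changes[day]:
            disk[name] = day
        since_last |= changes[day]
        since_full |= changes[day]
        if not sets or strategy == "full":
            # The first night is always a full backup; "full" repeats it nightly.
            bs = BackupSet(day, "full", dict(disk))
            since_last, since_full = set(), set()
        elif strategy == "incremental":
            bs = BackupSet(day, "incremental", {n: disk[n] for n in since_last})
            since_last = set()
        elif strategy == "differential":
            # Everything changed since the full backup is copied again each night.
            bs = BackupSet(day, "differential", {n: disk[n] for n in since_full})
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        sets.append(bs)
        snapshots.append(dict(disk))
    return sets, snapshots


def restore_chain(sets, upto):
    """Backup sets (oldest first) needed to restore the state as of sets[upto]."""
    last_full = max(i for i in range(upto + 1) if sets[i].kind == "full")
    target = sets[upto]
    if target.kind == "full":
        return [target]
    if target.kind == "differential":
        return [sets[last_full], target]          # always two sets, whatever the day
    return sets[last_full:upto + 1]               # the full plus every incremental since


def restore(sets, upto):
    """Apply the chain in order; later sets overwrite older file versions."""
    state = {}
    for bs in restore_chain(sets, upto):
        state.update(bs.files)
    return state


def files_stored(sets):
    """Total file copies held across all sets, a proxy for backup media consumed."""
    return sum(len(bs.files) for bs in sets)


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        sets, snaps = run_schedule(strategy)
        last = len(sets) - 1
        chain = [bs.day for bs in restore_chain(sets, last)]
        ok = restore(sets, last) == snaps[last]
        print(f"{strategy:12s} copies stored={files_stored(sets):2d} "
              f"Friday restore needs {chain} correct={ok}")
```

Running it reproduces the ranking in the notes: full backups store the most copies (18 here) & restore from a single set, incremental stores the fewest (8) but Friday's restore needs all five sets including Thursday's empty one, & differential sits in between (14) & always restores from exactly two sets.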
Disaster Recovery Procedural Plan: (or disaster recovery planning document) (PM, M14, RTP-N15, MTP-N15) (Read only max 12 points)
1) Conditions for activating the plans, which describe the process to be followed before each plan is activated.
2) Emergency procedures, which describe the actions to be taken following an incident which jeopardizes business operations &/or human life.
3) Fallback procedures, which describe the actions to be taken to move essential business activities to alternate temporary locations.
4) Resumption procedures, which describe the actions to be taken to return to normal business operations.
5) Maintenance schedule, which specifies the process for maintaining the plan.
6) Awareness & education activities, which are designed to create an understanding of business continuity.
7) Contingency plan document distribution list.
8) Detailed description of the purpose & scope of the plan.
9) Contingency plan testing & recovery procedure.
10) List of vendors & their contact numbers & addresses for emergency purposes.
11) List of phone numbers of employees in the event of emergency.
12) Checklist for inventory taking & updating the contingency plan on a regular basis.
13) Emergency phone list for fire, police, hardware, software, suppliers, customers.
14) Medical procedure to be followed in case of injury.
15) Back-up location contractual agreement & correspondence.
16) Insurance papers & claim forms.
17) Location of data & program files, documentation manuals, back-up media.
18) Alternate manual procedures to be followed, e.g. preparation of invoices.
19) Names of employees trained for emergency situations.
20) Details of airlines, hotels & transport arrangements.
Audit of the BCP/DRP: (PM, N14, M15/16, RTP-N15)
The objective of a BCP audit is to assess the ability of the enterprise to continue all critical operations during a contingency & recover from a disaster within the defined critical recovery time period. The BCP auditor is expected to identify residual risks & provide recommendations to mitigate them.
Sample list of BCP audit steps: (DR/BRP i.e. Disaster Recovery/Business Resumption Plan)
i) Determine if a DRP/BRP exists & was developed using a sound methodology that includes the following elements: (N13-6M)
a) Identification & prioritization of the activities.
b) The plan is based upon a BIA.
c) Operations managers & key employees participated in the development of the plan.
d) The plan identifies the resources that will likely be needed for recovery.
e) The plan is simple & easily understood.
f) The plan is realistic in its assumptions.
ii) Determine if information backup procedures are sufficient to allow for recovery.
iii) Determine if a test plan exists & to what extent the plan has been tested.
iv) Determine if resources have been made available to maintain the DR/BRP.
v) Obtain & review the existing DRP/BRP.
vi) Obtain & review plans for DR/BRP testing &/or documentation of actual tests.
vii) Obtain & review the existing BIA.
viii) Determine if copies of the plan are safeguarded by off-site storage.
ix) Gain an understanding of the methodology used to develop the existing DR/BRP.
x) Gain an understanding of the methodology used to develop the existing BIA.
xi) Have resources been allocated to prevent the DR/BRP from becoming out-dated & ineffective?
xii) Determine all the locations where the DRP/BRP is stored.
xiii) Does the DRP/BRP include the names & numbers of suppliers of essential equipment & other material?
xiv) Does the DRP/BRP include provisions for the approval to expend funds that were not budgeted for the period?
xv) Interview functional area managers/key employees to determine their understanding of the DR/BRP.
Do they have a clear understanding of their role in working towards the resumption of normal operations?
a) Does the DR/BRP include provisions for personnel?
b) Have key employees seen the plan & are all employees aware that there is such a plan?
c) Have employees been told their specific roles & responsibilities if the DR/BRP is put into effect?
d) Does the DR/BRP include contact information for key employees, especially after working hours?
e) Does the DR/BRP include provisions for people with special needs?
f) Does the DR/BRP have a provision for replacement staff when necessary?
xvi) Building, Utilities & Transportation: (RTP-M17)
a) Does the DR/BRP have a provision for having a building engineer inspect the building & facilities soon after a disaster?
b) Does the DR/BRP consider the need for alternative shelter?
c) Does the DR/BRP consider the failure of electrical power, natural gas, toxic chemical containers, & pipes?
d) Does the DR/BRP consider the disruption of transportation systems?
e) Review any agreements for use of backup facilities.
f) Verify that the backup facilities are adequate.
g) Are building safety features regularly inspected & tested?
xvii) Information Technology: (M14/16-6M)
a) Determine if the plan reflects the current IT environment.
b) Determine if the plan includes prioritization of critical applications & systems.
c) Determine if the plan includes time requirements for recovery.
d) Does the plan include arrangements for emergency telecommunications?
e) In case of interruption, is there an alternate means of data transmission?
f) Determine if a testing schedule exists & is adequate (at least annually).
xviii) Administrative Procedures: (RTP-N15)
a) Does the DRP/BRP cover administrative & management aspects?
b) Determine if the DRP/BRP covers procedures for disaster declaration, general shutdown & migration of operations to the backup facility.
c) Is there a designated emergency operations center where incident management teams can coordinate response & recovery?
d) Have essential records been identified? Is there a duplicate set of essential records stored in a secure location?
e) To facilitate retrieval, are essential records separated from those that will not be needed immediately?
Business Continuity Management (BCM)
BCM is a management process that helps enterprises manage disruptions of all kinds by providing countermeasures to safeguard against them.
Need for Business Continuity Management (BCM): To meet the enterprise's business objectives & ensure continuity of services & operations. Business continuity means maintaining the uninterrupted availability of all key business resources required to support essential business activities.
Key terms related to BCM:
a) Business Contingency: An event with the potential to disrupt computer operations, thereby disrupting critical business functions. E.g. power outage, hardware failure, fire, or storm.
b) BCP Process: BCP is a process designed to reduce the risk to an enterprise from an unexpected disruption of its critical functions, & assure continuity of the minimum level of services necessary for critical operations.
c) Business Continuity Planning (BCP): The ability of enterprises to recover from a disaster & continue operations with least impact. (Refer below Note)
Scope of Business Continuity: Top management defines the scope of the BCM program by identifying key products & services that support the enterprise's objectives, obligations & statutory duties, in line with the threat scenario & BIA.
Advantages of Business Continuity: (MT: ARD) (RTP-N15) An enterprise with business continuity:
a) Is able to proactively assess the threat scenario & potential risks.
b) Has a planned response to disruptions which can contain the damage & minimize the impact.
c) Is able to demonstrate a response through a process of regular testing & training.
BCM Policy (PM, N14)
The BCM Policy document is a high-level document which guides a systematic approach to disaster recovery, brings about awareness among the persons in scope of the importance of business continuity, & provides for testing & reviewing the BCP.
Objectives of BCM Policy: (PM)
i) Critical services & activities undertaken by the enterprise's operations will be identified.
ii) Plans will be developed to ensure continuity of key service delivery following a business disruption.
iii) Invocation of incident management & BCP can be managed.
iv) Incident Mgt. Plans & BCP are subject to on-going testing, revision & updating as required.
v) Planning & management responsibility are assigned to a senior management team member.
Business Continuity Planning (BCP) (N10/17, RTP-M16)
It is the creation & validation of a practical logistical plan for how an enterprise will recover & restore partially/completely interrupted critical functions within a predetermined time after a disaster/extended disruption. The logistical plan is called a BCP.
Business continuity covers the following areas: (PM, N10/17, RTP-M16)
i) Business Resumption Planning: This is the operations piece of BCP.
ii) Disaster Recovery Planning: This is the technological aspect of BCP: the advance planning & preparation necessary to minimize losses & ensure continuity of critical business functions of the organisation in the event of disaster.
iii) Crisis Management: This is the overall co-ordination of an organization's response to a crisis, to minimize damage to the org.'s profitability, reputation or ability to operate.
The Business Continuity Life Cycle is broken down into 4 broad & sequential sections: i) Risk assessment, ii) Determination of recovery alternatives, iii) Recovery plan implementation, iv) Recovery plan validation.
I) Objectives & Goals of Business Continuity Planning (BCP):
A) Objectives of the BCP: (PM, N08, RTP-N14, M15/16, N16, MTP-N16, M17)
1) Provide for the safety & well-being of people on the premises at the time of disaster.
2) Continue critical business operations.
3) Minimize the duration of a serious disruption to operations.
4) Minimize immediate damage & losses.
5) Establish management succession & emergency powers.
6) Facilitate effective co-ordination of recovery tasks.
7) Reduce the complexity of the recovery effort.
8) Identify critical lines of business & supporting functions.
B) Goals of the BCP:
1) Identify weaknesses & implement a disaster prevention program.
2) Same as point 3 of the BCP objectives.
3) Same as point 6 of the BCP objectives.
4) Same as point 7 of the BCP objectives.
II) BCP Manual: (MTP-N15) The BCP manual is a documented description of actions to be taken, resources to be used & procedures to be followed before, during & after an event that severely disrupts all or part of the business operations.
Developing a BCP
A) Methodology for developing BCP: (PM, N08, M14, RTP-N14) – 4 Marks
i) Providing management with a comprehensive understanding of the total efforts required to develop & maintain an effective recovery plan.
ii) Obtaining commitment from management to support & participate in the effort.
iii) Defining recovery requirements from the perspective of business functions.
iv) Documenting the impact of an extended loss to operations & key business functions.
v) Focusing appropriately on disaster prevention & impact minimization.
vi) Selecting business continuity teams that ensure the proper balance required for plan development.
vii) Developing a BCP that is understandable, easy to use & maintain.
viii) Defining how business continuity considerations must be integrated into on-going business planning & system development processes.
B) Eight phases are given as follows:
1) Pre-Planning Activities (Business Continuity Plan Initiation)
2) Vulnerability Assessment & General Definition of Requirements
3) Business Impact Analysis (BIA)
4) Detailed Definition of Requirements
5) Plan Development
6) Testing Program
7) Maintenance Program
8) Initial Plan Testing & Plan Implementation.
Phase 1: Pre-Planning Activities (Project Initiation): This phase is used to obtain an understanding of the existing & projected computing environment of the organization. This enables the project team to: i) Refine the scope of the project. ii) Develop project schedules. iii) Identify & address any issues. During this phase, a Steering Committee should be established. Two other key deliverables of this phase are: i) Development of a policy to support the recovery program. ii) An awareness program to educate management.
Phase 2: Vulnerability Assessment & General Definition of Requirements: Security & controls within an organization are a continuing concern. This phase addresses measures to reduce the probability of occurrence of a disaster. It includes the following key tasks: (PM, RTP-N14)
i) A thorough security assessment of the computing & communications environment, including personnel practices, physical security, operating procedures etc.
ii) The security assessment will enable the project team to improve any existing emergency plans & disaster prevention measures.
iii) Findings & recommendations should be forwarded to the Steering Committee for corrective action.
iv) Define the scope of the planning effort.
v) Develop a plan framework.
vi) Assemble the project team & conduct awareness sessions.
Phase 3: Business Impact Assessment (BIA): A BIA of all business units that are part of the business environment enables the project team to:
i) Identify critical systems, processes & functions.
ii) Assess the economic impact of incidents & disasters.
iii) Assess the "pain threshold" (the point at which a disruption becomes intolerable to the business).
Phase 4: Detailed Definition of Requirements: During this phase, a profile of recovery requirements is developed. This profile is used as a basis for analyzing alternative recovery strategies. Another key deliverable of this phase is the definition of the plan scope, objectives & assumptions.
Phase 5: Plan Development: During this phase, recovery plan components are defined & documented. This phase also includes: i) Implementation of changes to user procedures, ii) Upgrading of existing data processing operating procedures, iii) Vendor contract negotiations, iv) Definition of recovery teams, their roles & responsibilities.
Phase 6: Testing/Exercising Program: During this phase the plan testing/exercising program is developed. Testing/exercising goals are established & alternative testing strategies are evaluated.
Phase 7: Maintenance Program: (N16-4M, RTP-N14)
a) Maintenance of the plans is critical to the success of an actual recovery.
b) Plans must reflect changes to the environments.
c) It is critical that existing change management (CM) processes are revised to take recovery plan maintenance into account.
d) In areas where CM does not exist, CM procedures will be recommended & implemented.
Phase 8: Initial Plan Testing & Implementation: (RTP-N14) Once plans are developed, initial tests of the plans are conducted & any necessary modifications to the plans are made based on an analysis of the test results. Specific activities of this phase include: a) Defining the test purpose/approach. b) Identifying test teams. c) Structuring the test. d) Conducting the test. e) Analyzing test results. f) Modifying the plans as appropriate.
Components of BCM (M16/17 – 6 Marks)
BCM – Process: The management process enables business continuity capacity & capability to be established & maintained.
Stage 1: BCM – Information Collection Process: The assessment activities prioritize an enterprise's products & services & the urgency of the activities that are required to deliver them.
Stage 2: BCM – Strategy Process: Finalization of the business continuity strategy requires assessment of a range of strategies. An appropriate response must be selected, at an acceptable level & within an acceptable timeframe, for each product/service during & after a disruption, so that the enterprise continues to provide those products & services. The selection of strategy will take into account the processes & technology already present within the enterprise.
Stage 3: BCM – Development & Implementation Process: Development of a management framework & a structure of incident management, business continuity & business recovery & restoration plans.
Stage 4: BCM – Testing & Maintenance Process: BCM testing, maintenance & audit verify the extent to which the enterprise's BCM strategies & plans are complete, current & accurate, & identify opportunities for improvement.
Stage 5: BCM – Training Process: Extensive training in the BCM framework, incident management, business continuity & business recovery & restoration plans enables BCM to become part of the enterprise's core values & gives all stakeholders confidence in the ability of the enterprise to cope with minimum disruption & loss of service.
BCM - Process: A BCM process should be in place to address the policy & objectives defined in the business continuity policy, by providing an organization structure with responsibilities & authority, & the implementation & maintenance of BCM. BCM processes are mapped as follows:
A) Organization Structure: i) The organisation should nominate a person/team with appropriate seniority & authority to be accountable for BCM policy implementation & maintenance. ii) It should clearly define that person's responsibility.
B) Implementing Business Continuity in the Enterprise & Maintenance: In establishing & implementing a BCM system in the organization, managers from each function on site represent their areas of the operation. These people are also responsible for the on-going operation & maintenance of the system within their area of responsibility. In implementation of BCM, the major activities that should be carried out include: (M14-4marks)
i) Defining the scope & context.
ii) Defining roles & responsibilities.
iii) Engaging & involving all stakeholders.
iv) Testing the program on a regular basis.
v) Maintaining the currency & appropriateness of the business continuity program.
vi) Reviewing, reworking & updating the business continuity capability, RA & BIAs.
vii) Managing the associated costs & benefits.
viii) Converting policies & strategies into action.
C) BCM Documentation & Records: (or major documents that should be part of BCM) (PM, M17, RTP-M16)
1) Business continuity policy.
2) Business continuity plans.
3) Business continuity strategies.
4) Business continuity management (BCM) system.
5) BIA report. (BIA: Business impact analysis)
6) RA report. (RA: Risk assessment)
7) Aims & objectives of each function.
8) Activities undertaken by each function.
9) Change control, preventive action, corrective action, document control.
10) Exercise schedule & results.
11) Incident log.
12) Training program.
Stage 1: BCM - Information Collection Process
In order to design an effective BCM, it is pertinent to understand the enterprise from all perspectives, including the interdependencies of its activities & of external enterprises, & in particular:
a) The enterprise's objectives, stakeholder obligations & statutory duties.
b) Activities, assets & resources.
c) The impact & consequences over time of the failure of these activities, assets & resources.
d) Perceived threats that could disrupt key products & services & critical activities.
A) Business Impact Analysis (BIA): (M13, N11, M15, RTP-M16) BIA is essentially a means of systematically assessing the potential impacts resulting from various events/incidents.
It enables the business continuity team to: i) Identify critical systems, processes & functions, ii) Assess the economic impact of incidents & disasters, iii) Assess the "pain threshold".
Tasks to be undertaken to ensure that the BCM program is in place while assessing BIA:
i) Assess the impacts that would occur if the activity was disrupted over a period of time.
ii) Identify the maximum time period after the start of a disruption within which the activity needs to be resumed.
iii) Identify critical business processes.
iv) Assess the minimum level at which the activity needs to be performed.
v) Identify the length of time within which normal levels of operation need to be resumed.
vi) Identify any inter-dependent activities, assets & supporting infrastructure that also have to be maintained continuously/recovered over time.
B) Classification of Critical Activities:
i) Business Categorization (Vital/Essential/Desirable): Parameters considered in deciding whether a function/service is Vital/Essential/Desirable: a) Loss of revenue. b) Loss of reputation. c) Decrease in customer satisfaction. d) Loss of productivity (man-hours). These parameters shall be graded on a three-point scale 1-3 where 1 = Low (L), 2 = Medium (M), 3 = High (H).
ii) Disaster Scenarios (Major/Minor/Trivial/Catastrophic): The disaster scenario shall be decided with the matrix given below. The X-axis represents the business impact of the infrastructure & business transaction as desirable (value=1), essential (value=2) or vital (value=3). The Y-axis represents the likelihood of occurrence of the disaster on a 3-point scale (1-3).
The BIA matrix is also referred to as the Risk Assessment Matrix (RAM). In a RAM, risks are placed on the matrix based on two criteria: 1) Likelihood: the probability of the risk/occurrence of the disaster, on the Y axis. 2) Consequences: the severity of the impact caused by the risk, on the X axis.
Likelihood of Occurrence: Based on this, risks can be classified under one of the following categories:
1) Definite (scaled 3): Risks that are more than 80% likely to cause problems.
2) Likely (scaled 2): Risks that have a 60-80% chance of occurrence.
3) Unlikely (scaled 1): Risks that have less than a 10% chance of occurrence.
Consequences: The consequences of a risk can again be ranked & classified into one of the following categories:
1) Trivial/Insignificant (scaled 1): Risks that will cause a negligible amount of damage.
2) Minor (scaled 2): The risk will result in some damage, but the damage is not too significant.
3) Major (scaled 3): Risks with significantly large consequences, i.e. a great amount of loss.
4) Catastrophic (scaled 4): Risks which can make the project completely unproductive.
C) Risk Assessment (RA): RA is the assessment of the disruption to critical activities, which are supported by resources such as people, process, technology, information, infrastructure, supplies & stakeholders. It is the decision of the enterprise to select an RA approach which is suitable & appropriate to address all of the enterprise's requirements.
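The business categorization & the Risk Assessment Matrix above, worked through as an added Python example (not part of these notes): it grades a function from its four BIA parameters, maps a probability onto the notes' likelihood scale, places a constructed risk register on the likelihood × consequence matrix & ranks the cells. The scales are the notes' own; the combination rules (highest parameter grade decides the category, likelihood × consequence score ranks risks) are this example's assumptions, as is the rejection of probabilities between 10% & 60%, which the notes' three bands do not cover.

```python
# Added example (not from the notes): scoring BIA parameters and placing risks
# on the Risk Assessment Matrix (RAM). The scales come from the notes; the
# combination rules are assumptions made here and the register is constructed.
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3                       # three-point grading of BIA parameters
BUSINESS_CATEGORY = {1: "Desirable", 2: "Essential", 3: "Vital"}
LIKELIHOOD_LABEL = {1: "Unlikely", 2: "Likely", 3: "Definite"}
CONSEQUENCE_LABEL = {1: "Trivial", 2: "Minor", 3: "Major", 4: "Catastrophic"}


def categorize_function(loss_of_revenue, loss_of_reputation,
                        customer_satisfaction, productivity_loss):
    """Grade a function/service Vital/Essential/Desirable from its four BIA
    parameters (each 1-3). Assumption: the highest single grade decides, so a
    service whose outage only hurts reputation badly is still Vital."""
    grades = (loss_of_revenue, loss_of_reputation, customer_satisfaction, productivity_loss)
    if any(g not in (LOW, MEDIUM, HIGH) for g in grades):
        raise ValueError("each parameter must be graded 1 (Low), 2 (Medium) or 3 (High)")
    return BUSINESS_CATEGORY[max(grades)]


def likelihood_scale(probability_pct):
    """Map a probability in percent onto the notes' likelihood scale.
    The notes define only three bands (>80%, 60-80%, <10%); a value between
    10% and 60% is not covered, so it is rejected rather than silently binned."""
    if 80 < probability_pct <= 100:
        return 3
    if 60 <= probability_pct <= 80:
        return 2
    if 0 <= probability_pct < 10:
        return 1
    raise ValueError(f"{probability_pct}% falls outside the defined likelihood bands")


@dataclass(frozen=True)
class Risk:
    name: str
    probability_pct: float
    consequence: int                              # 1 Trivial .. 4 Catastrophic

    def __post_init__(self):
        if self.consequence not in CONSEQUENCE_LABEL:
            raise ValueError(f"consequence must be 1-4, got {self.consequence}")

    @property
    def likelihood(self):
        return likelihood_scale(self.probability_pct)

    @property
    def score(self):
        # Assumption: likelihood x consequence gives the cell's priority.
        return self.likelihood * self.consequence


def build_ram(risks):
    """Place each risk on the matrix: rows are likelihood (Y axis), columns are
    consequence (X axis). Returns {(likelihood, consequence): [risk names]}."""
    ram = {(lk, cs): [] for lk in LIKELIHOOD_LABEL for cs in CONSEQUENCE_LABEL}
    for r in risks:
        ram[(r.likelihood, r.consequence)].append(r.name)
    return ram


def prioritised(risks):
    """Highest score first. Ties are broken on consequence, so a rarer but more
    damaging risk is treated before a commoner, milder one with the same score."""
    return sorted(risks, key=lambda r: (r.score, r.consequence), reverse=True)


def render_ram(ram):
    """Plain-text matrix: Definite on the top row, Catastrophic in the right column."""
    cols = sorted(CONSEQUENCE_LABEL)
    lines = ["likelihood \\ consequence | " + " | ".join(f"{CONSEQUENCE_LABEL[c]:<12}" for c in cols)]
    for lk in sorted(LIKELIHOOD_LABEL, reverse=True):
        cells = " | ".join(f"{len(ram[(lk, c)]):<12}" for c in cols)
        lines.append(f"{LIKELIHOOD_LABEL[lk]:<24} | {cells}")
    return "\n".join(lines)


# Constructed sample register (illustrative figures, not real data).
SAMPLE_RISKS = [
    Risk("Power outage at primary site", 85, 2),
    Risk("Ransomware on file servers", 65, 3),
    Risk("Flooding of data centre", 5, 4),
    Risk("Single laptop lost", 90, 1),
]

if __name__ == "__main__":
    print(categorize_function(LOW, HIGH, MEDIUM, LOW))   # Vital: reputation alone is High
    print(render_ram(build_ram(SAMPLE_RISKS)))
    for r in prioritised(SAMPLE_RISKS):
        print(f"{r.score}  {LIKELIHOOD_LABEL[r.likelihood]:8s} x "
              f"{CONSEQUENCE_LABEL[r.consequence]:12s} {r.name}")
```

With the sample register, ransomware (Likely × Major) & the power outage (Definite × Minor) both score 6, & the tie-break puts the higher-consequence ransomware first; the flood lands in the Unlikely/Catastrophic cell, which is exactly the kind of risk the four-point consequence scale exists to keep visible.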
Stage 2: BCM - Strategy Process: Much preparation is needed to implement the strategies for protecting critical functions & their supporting resources. E.g. establish procedures for backing up files & applications.
Stage 3: BCM - Development & Implementation Process: The enterprise should have an Incident Management Team/Crisis Management Team for an effective response & recovery from disruptions.
A) Incident Management Plan (IMP): The IMP manages the initial phase of an incident. It should have top mgt. support with an appropriate budget for development, maintenance & training. It should be flexible, feasible & relevant, & easy to read & understand.
B) Business Continuity Plan (BCP): To recover/maintain its activities in the event of a disruption to normal business operations, the BCP is invoked to support the critical activities required to deliver the enterprise's objectives. Recovery strategies may be two-tiered: a) Business: logistics, accounting, human resources, etc. b) Technical: IT (e.g. desktop, client-server, mainframe computers, data & voice networks).
Stage 4: BCM - Testing & Maintenance Process:
A) BCM Testing: The BCP has to be tested periodically because there will undoubtedly be flaws in the plan & in its implementation. Responsibility for keeping the plan updated has to be clearly defined in the BCP. The BCP testing program should include testing of the technical, logistical, administrative, procedural & other operational systems, including relocation of staff. Testing of the BCP leads to improvement of BCM capability by:
i) Practicing the enterprise's ability to recover from an incident.
ii) Verifying that the BCP incorporates all enterprise critical activities.
iii) Highlighting assumptions which need to be questioned.
iv) Instilling confidence amongst exercise participants.
v) Raising awareness of the BCP throughout the enterprise by publicizing the exercise.
vi) Validating the effectiveness & timeliness of restoration of critical activities.
vii) Demonstrating competence of the primary response teams.
Objectives of performing BCP tests during development of the BCP:
1) Recovery procedures are complete & workable.
2) Competence of personnel in their performance of recovery procedures can be evaluated.
3) The resources such as business processes, systems, personnel, facilities & data are obtainable & operational to perform recovery processes.
4) Manual recovery procedures & IT backup systems are operational or restored.
5) Success/failure of the business continuity training program is monitored.
Implementation: Once plans are developed, initial tests of the plans are conducted & any necessary modifications to the plans are made based on an analysis of the test results. Specific activities of this phase include: i) Defining the test purpose/approach; ii) Identifying test teams; iii) Structuring the test; iv) Conducting the test; v) Analyzing test results; vi) Modifying the plans as appropriate.
B) BCM Maintenance: It is important to keep preparations, including documentation, up-to-date. Maintenance tasks undertaken in development of the BCP are to: (PM, MTP-M16)
i) Determine the ownership & responsibility for maintaining the various BCP strategies within the enterprise.
ii) Identify the BCP maintenance triggers to ensure that any organisational, operational & structural changes are communicated to the personnel who are accountable for ensuring that the plan remains up-to-date.
iii) Determine the maintenance regime to ensure the plan remains up-to-date.
iv) Determine the maintenance processes to update the plan.
v) Implement version control procedures to ensure that the plan is maintained up-to-date.
C) Reviewing BCM Arrangements: (PM, N14, M15, RTP-M15, MTP-N15) An audit/self-assessment of the enterprise's BCM program should verify that:
i) All key products & services & their supporting critical activities & resources have been identified & included in the BCM strategy.
ii) The enterprise's BCM policy, strategies, framework & plans accurately reflect its requirements.
iii) The enterprise's BCM competence & its BCM capability are effective.
iv) The enterprise's BCM solutions are effective, up-to-date & fit-for-purpose.
v) The enterprise's BCM maintenance & exercising programs are effectively implemented.
vi) BCM strategies & plans incorporate improvements identified in the maintenance program.
vii) The enterprise has an on-going program for BCM training & awareness.
viii) BCM procedures have been effectively communicated to relevant staff.
ix) Change control processes are in place & operate effectively.
Stage 5: BCM - Training Process: (Not IMP) An enterprise with BCM uses training as a tool to initiate a culture of BCM in all stakeholders by:
1) Developing a BCM program more efficiently.
2) Providing confidence in its stakeholders in its ability to handle business disruptions.
3) Increasing its resilience over time by ensuring BCM implications are considered in decisions at all levels.
4) Minimizing the likelihood & impact of disruptions.
Development of a BCM culture is supported by:
1) Leadership from senior personnel in the enterprise.
2) Assignment of responsibilities.
3) Awareness raising.
4) Skills training.
5) Exercising plans.
Training, Awareness & Competency: (Refer Only 8 Points) While developing the BCM, the competencies necessary for personnel assigned specific management responsibilities within the system are as follows: (N16-4M)
1) Actively listens to others, their ideas, views & opinions.
2) Provides support in difficult/challenging circumstances.
3) Responds constructively to difficult circumstances.
4) Adapts leadership style appropriately to match the circumstances.
5) Promotes a positive culture of health, safety & the environment.
6) Recognizes & acknowledges the contribution of colleagues.
7) Encourages the taking of calculated risks.
8) Encourages & actively responds to new ideas.
9) Consults & involves team members to resolve problems.
10) Demonstrates personal integrity.
Chapter 6: Auditing of Information Systems
IS Audit
IS Audit includes:
a) Assessment of internal controls within the IS environment to assure the validity, reliability & security of information & of the IS.
b) Assessment of the efficiency & effectiveness of the IS environment.
Objectives of IS Audit: (MT: DASS)
1) Asset Safeguarding Objectives: IS assets must be protected by a system of internal controls from unauthorized access.
2) Data Integrity Objectives: It is a fundamental attribute of IS Auditing. The integrity of an organisation's data needs to be maintained at all times.
3) System Effectiveness Objectives: The effectiveness of a system is evaluated by auditing the characteristics & objectives of the system.
4) System Efficiency Objectives: To optimize the use of the various IS resources along with the impact on its computing environment.
Categories/Types of Information Systems Audits: (MT: SIS MT) (M17, MTP1&2-N18)
1) Systems & Application: An audit to verify that systems & applications are appropriate, efficient & adequately controlled, so as to ensure valid, reliable, timely & secure input, processing & output at all levels of a system's activity.
2) Information Processing Facilities (IPF): An audit to verify that the processing facility is controlled, so as to ensure timely, accurate & efficient processing of applications under normal & potentially disruptive conditions.
3) Systems Development: An audit to verify that the systems under development meet the objectives of the organization & are developed in accordance with generally accepted standards for systems development.
4) Management of IT & Enterprise Architecture: An audit to verify that IT management has developed an organizational structure & procedures to ensure a controlled & efficient environment for information processing.
5) Telecommunications, Intranets & Extranets: An audit to verify that controls are in place on the client, on the server & on the network connecting the clients & servers.
Inherent limitations of an audit: (Nov 2018)
As per SA 200 "Overall Objectives of the Independent Auditor & the Conduct of an Audit in Accordance with Standards on Auditing", any opinion formed by the auditor is subject to the inherent limitations of an audit, which include:
1) The nature of financial reporting.
2) The nature of audit procedures.
3) The need for the audit to be conducted within a reasonable period of time & at a reasonable cost.
4) The matter of difficulty, time or cost involved is, however, not in itself a valid basis for the auditor to omit an audit procedure for which there is no alternative.
5) Fraud, particularly fraud involving senior management or collusion.
6) The existence & completeness of related party relationships & transactions.
7) The occurrence of non-compliance with laws & regulations.
8) Future events or conditions that may cause an entity to cease to continue as a going concern.
Validation (of audit evidence & checklist answers) in Several Ways:
i) Asking different personnel the same question & comparing the answers.
ii) Asking the same question in different ways at different times.
iii) Comparing checklist answers to work papers or other verifiable results.
iv) Comparing checklist answers to observations & actual system results.
v) Conducting mini-studies of critical phases of the operation.
Steps/stages in IS Audit: (May 2018)
1) Scoping & pre-audit survey: Auditors determine the main areas of focus & any areas that are explicitly out of scope.
2) Planning & preparation: Generation of the audit work plan/risk-control matrix.
3) Fieldwork: Gathering of evidence by interviewing staff & managers, reviewing documents, observing processes etc.
4) Analysis: Reviewing & making sense of all the evidence gathered earlier.
5) Reporting: Reporting to management is done after the evidence gathered has been analysed.
6) Closure: Closure involves preparing notes for future audits.
Factors influencing an organization towards control & audit of computers: (Or Need for control of IS, Or Need for Audit of IS) (MT: OC CV HMC)
1) Organizational Costs of Data Loss: Data is a critical resource of an organization for its present & future processes.
2) Cost of Incorrect Decision Making: Management & operational controls taken by managers involve detection, investigation & correction of the processes; such decisions require accurate data.
3) Costs of Computer Abuse: Unauthorized access to computer systems, facilities & sensitive data can lead to destruction of assets.
4) Value of Computer Hardware, Software & Personnel: These critical resources have a credible impact on the organization's infrastructure & business competitiveness.
5) High Costs of Computer Error: In a computerized enterprise environment a data error during entry or processing can cause great damage.
6) Maintenance of Privacy: Data collected contains private information about individuals whose privacy needs to be maintained.
7) Controlled evolution of computer Use: The reliability of complex computer systems & of the technology used cannot be guaranteed, & the consequences of using unreliable systems can be destructive.
Effect of Computer on Audit
Changes to Evidence Collection:
1) Data retention & storage: The client's storage capabilities may restrict the amount of historical data that can be retained "on-line" & readily accessible to the auditor, due to which the auditor may not be able to review a whole reporting period's transactions on the computer system.
2) Absence of input documents: Transaction data may be entered into the computer directly without the presence of supporting documentation, resulting in less paperwork being available for audit examination.
3) Non-availability of audit trail: Audit trails may exist in the computer system only for a short period, which makes the auditor's job very difficult.
4) Lack of availability of printed output: In the absence of physical output, it may be necessary for the auditor to directly access the electronic data retained on the client's computer.
5) Audit evidence: Certain transactions may be generated automatically by the computer system.
6) Legal issues: Making use of Electronic Data Interchange (EDI) & electronic trading over the Internet can create problems with contracts.
Changes to Evidence Evaluation: (MT: SAS)
1) System generated transactions: Financial systems may have the ability to initiate, approve & record financial transactions.
2) Automated transaction processing systems: These can cause the auditor problems, e.g. when gaining assurance that a transaction was properly authorised in accordance with delegated authorities.
3) Systemic Error: Computers are designed to carry out processing on a consistent basis. Given the same inputs & programming, they invariably produce the same output, so a single program error is repeated across every transaction the program processes.
IS Auditor
Skill set of IS Auditor: (Or Responsibility of IS Auditor)
1) Sound knowledge of business operations, practices & compliance requirements.
2) Should possess the requisite professional technical qualifications & certifications.
3) Good knowledge of professional standards & best practices of IT controls.
4) Knowledge of IT strategies, policy & procedural controls. (SPP)
5) Good understanding of information risks & controls.
6) Ability to understand technical & manual controls.
Functions of IS Auditor: (Or Risks reviewed relating to IT systems & processes as part of functions) (M17)
1) Inadequate information security controls (e.g. missing/out-of-date antivirus controls, open systems without passwords or with weak passwords).
2) Inefficient use of resources or poor governance (e.g. huge spending on unnecessary IT projects like printing resources, storage devices).
3) Ineffective IT strategies, policies & practices (SPP) (e.g. lack of Internet usage policies, security practices etc.).
4) IT-related frauds (including phishing, hacking etc.).
Role of IS Auditor:
1) In Physical Access Controls: Auditing physical access requires the auditor to review the physical access risks & controls to form an opinion on the effectiveness of the physical access controls. This involves the following:
a) Risk Assessment: The auditor must be satisfied that the risk assessment procedure adequately covers periodic & timely assessment of all assets, physical access threats, vulnerabilities of safeguards & the exposures therefrom.
b) Controls Assessment: Based on the risk profile, the auditor evaluates whether the physical access controls are in place & adequate to protect the IS assets against the risks.
c) Review of Documents: This requires examination of relevant documentation such as the security policy & procedures, premises/building plans, inventory lists & cabling diagrams.
2) In Environmental Controls:
i) Audit Planning & Assessment: As part of risk assessment:
a) The risk profile should include the different environmental risks, both natural & man-made.
b) The profile should be periodically reviewed to ensure it is updated with newer risks that may arise.
c) The controls assessment must ascertain that the controls safeguard the organization against all risks that are not acceptable to it.
d) The security policy should be reviewed to assess the policies & procedures that safeguard the organization.
e) Building plans & wiring plans need to be reviewed.
f) Administrative procedures need to be reviewed.
ii) Audit of Environmental Controls: The auditor should verify: (M18)
a) The IPF (Information Processing Facility) & its construction.
b) The presence of water & smoke detectors, power supply arrangements & testing logs.
c) The location of fire extinguishers & firefighting equipment.
d) Emergency procedures, evacuation plans & marking of fire exits.
e) Documents for compliance with legal & regulatory requirements.
f) Power sources, & conduct tests to assure the quality of power & the effectiveness of the power conditioning equipment & generators.
g) Undesired activities such as smoking, consumption of eatables etc. in the facility.
iii) Documentation:
a) The IS auditor should also document all findings.
b) Working papers could include audit assessments, audit plans, audit procedures, questionnaires, interview sheets, inspection charts etc.
Concurrent or Continuous Audit
It enables auditors to significantly reduce or eliminate the time b/w the occurrence of the client's events & the auditor's assurance services thereon.
Continuous audit techniques (CAT) use 2 bases for collecting audit evidence:
a) Use of embedded modules in the system to collect, process & print audit evidence.
b) Special audit records used to store the audit evidence collected.
TYPES OF AUDIT TOOLS: (MT: SIS CA) {Or Continuous audit techniques (CAT)}
1) Snapshots: Tracing a transaction in a computerized system can be performed with the help of snapshots. Snapshot software is built into the system at those points where material processing occurs & takes images of the flow of a transaction at those points.
2) Integrated Test Facility (ITF): (M18) The ITF technique involves the creation of a dummy entity in the application system files & the processing of audit test data against that entity, as a means of verifying processing authenticity, accuracy & completeness. The dummy entity's test transactions must be kept out of (or removed from) the live results afterwards.
3) System Control Audit Review File (SCARF): The SCARF technique involves embedding audit software modules within a host application system to provide continuous monitoring of the system's transactions; the information collected is written to a special audit file (the SCARF file). Auditors might use SCARF to collect the following types of information:
i) Application System Errors: SCARF provides an independent check on the quality of system processing.
ii) Policy & Procedural Variances: SCARF can be used to check when variations from the organisation's policies, procedures & standards have occurred.
iii) System Exceptions: SCARF can be used to monitor different types of application system exceptions.
iv) Statistical Samples: SCARF provides a convenient way of collecting all the sample information together & using analytical review tools.
v) Snapshots & Extended Records: These can be written into the SCARF file & printed when required.
vi) Profiling Data: Auditors can use embedded audit routines to collect data to build profiles of system users.
vii) Performance Measurement: Useful for measuring/improving the performance of an application system.
4) Continuous & Intermittent Simulation (CIS): This is a variation of the SCARF continuous audit technique. It can be used to trap exceptions whenever the application system uses a DBMS. During application system processing, CIS executes in the following way:
i) The DBMS reads an application system transaction & passes it to CIS. CIS then determines whether it wants to examine the transaction further.
ii) CIS replicates/simulates the application system's processing of the selected transaction.
iii) Every update to the database that arises from processing the selected transaction is checked by CIS against its own result to determine whether discrepancies exist.
iv) Exceptions identified by CIS are written to an exception log file.
v) Advantage of CIS: It does not require modifications to the application system & yet provides an online auditing capability.
5) Audit hooks: These are audit routines that flag suspicious transactions. E.g. internal auditors at an insurance company determined that their policyholder system was vulnerable to fraud every time a policyholder changed his/her name/address & then subsequently withdrew funds from the policy. They devised a system of audit hooks to tag records with a name/address change & then investigated these tagged records to detect fraud. This approach of real-time notification displays a message on the auditor's terminal.
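The following is an added example (not code from the notes or from ICAI's study material) that puts three of the techniques above into one small host application: a SCARF-style embedded audit module that writes policy variances to an exception log, the insurance-company audit hook that tags a withdrawal following a name/address change on the same policy, and a CIS-style shadow recalculation that checks every balance the application posts to its database. The field names, the approval threshold, the 30-day hook window, the opening balances and the transaction stream are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

APPROVAL_THRESHOLD = 10_000.0        # assumed policy: larger withdrawals need a recorded approver
HOOK_WINDOW = timedelta(days=30)     # assumed hook window after a name/address change
OPENING_BALANCES = {"P100": 10_000.0, "P200": 40_000.0, "P300": 5_000.0}   # constructed


@dataclass
class Transaction:
    txn_id: str
    when: date
    policy_id: str
    kind: str                               # NAME_CHANGE, ADDRESS_CHANGE, WITHDRAWAL or PREMIUM
    user: str                               # operator who keyed the transaction
    amount: float = 0.0
    approver: Optional[str] = None
    posted_balance: Optional[float] = None  # balance the application wrote to the DB afterwards


@dataclass
class ScarfLog:
    """Stands in for the SCARF file plus the state the embedded routines keep."""
    exceptions: List[Dict[str, str]] = field(default_factory=list)
    last_change: Dict[str, Transaction] = field(default_factory=dict)
    shadow: Dict[str, float] = field(default_factory=lambda: dict(OPENING_BALANCES))

    def record(self, txn: Transaction, code: str, detail: str) -> None:
        self.exceptions.append({"txn_id": txn.txn_id, "policy_id": txn.policy_id,
                                "user": txn.user, "code": code, "detail": detail})


def audit_module(txn: Transaction, log: ScarfLog) -> None:
    """Called by the host application where material processing occurs. It never
    alters the transaction; it only appends exception records to the SCARF log."""
    # SCARF: policy & procedural variance.
    if txn.kind == "WITHDRAWAL" and txn.amount > APPROVAL_THRESHOLD and not txn.approver:
        log.record(txn, "UNAPPROVED_WITHDRAWAL",
                   f"{txn.amount:.2f} exceeds {APPROVAL_THRESHOLD:.0f} with no approver recorded")
    # Audit hook: withdrawal soon after a name/address change on the same policy.
    if txn.kind in ("NAME_CHANGE", "ADDRESS_CHANGE"):
        log.last_change[txn.policy_id] = txn
    elif txn.kind == "WITHDRAWAL":
        change = log.last_change.get(txn.policy_id)
        if change is not None and timedelta(0) <= txn.when - change.when <= HOOK_WINDOW:
            log.record(txn, "CHANGE_THEN_WITHDRAW",
                       f"{change.kind} {change.txn_id} was {(txn.when - change.when).days} days earlier")
    # CIS: simulate the balance update independently & compare with what was posted.
    if txn.kind == "PREMIUM":
        log.shadow[txn.policy_id] = log.shadow.get(txn.policy_id, 0.0) + txn.amount
    elif txn.kind == "WITHDRAWAL":
        log.shadow[txn.policy_id] = log.shadow.get(txn.policy_id, 0.0) - txn.amount
    expected = log.shadow.get(txn.policy_id)
    if txn.posted_balance is not None and expected is not None and abs(txn.posted_balance - expected) > 0.005:
        log.record(txn, "CIS_DISCREPANCY",
                   f"application posted {txn.posted_balance:.2f}, simulation expects {expected:.2f}")


def run_host_application(transactions: List[Transaction]) -> ScarfLog:
    """Processes the stream in date order with the audit module embedded."""
    log = ScarfLog()
    for txn in sorted(transactions, key=lambda t: t.when):
        # ... the application's own update of the policy record would happen here ...
        audit_module(txn, log)
    return log


SAMPLE = [   # constructed transaction stream, not real data
    Transaction("T1", date(2024, 1, 5), "P100", "PREMIUM", "clerk_a", 500.0, posted_balance=10_500.0),
    Transaction("T2", date(2024, 2, 1), "P100", "ADDRESS_CHANGE", "clerk_b"),
    Transaction("T3", date(2024, 2, 20), "P100", "WITHDRAWAL", "clerk_b", 8_000.0, "sup_x", 2_500.0),
    Transaction("T4", date(2024, 3, 3), "P200", "WITHDRAWAL", "clerk_c", 25_000.0, None, 15_000.0),
    Transaction("T5", date(2024, 3, 10), "P300", "NAME_CHANGE", "clerk_a"),
    Transaction("T6", date(2024, 6, 1), "P300", "WITHDRAWAL", "clerk_a", 2_000.0, "sup_y", 3_500.0),
]


def exception_codes(transactions: List[Transaction] = SAMPLE) -> List[str]:
    """Exception codes raised over the stream, in processing order."""
    return [e["code"] for e in run_host_application(transactions).exceptions]


if __name__ == "__main__":
    for exc in run_host_application(SAMPLE).exceptions:
        print(exc)
```

On the constructed stream, T3 is tagged by the hook (19 days after an address change), T4 is a policy variance (no approver above the threshold) and T6 is a CIS discrepancy (the application posted 3,500 where the independent simulation expects 3,000); T6's withdrawal is 83 days after the name change, so the hook correctly stays silent. In a real deployment the SCARF log would be a write-once file or table that the application has no permission to modify, otherwise the evidence it holds is only as trustworthy as the system it audits.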
Advantages of continuous audit techniques (CAT):
a) Timely, Comprehensive & Detailed Auditing: Evidence is available in a more timely & comprehensive manner.
b) Surprise test capability: Auditors can gather evidence without the systems staff & application system users being aware that evidence is being collected at that particular moment.
c) Information to system staff on meeting of objectives: Evaluates whether the application system meets the objectives of asset safeguarding, data integrity, effectiveness & efficiency.
d) Training for new users: Using ITFs, new users can submit data to the application system & obtain feedback on mistakes.
Disadvantages (Limitations) of continuous audit techniques (CAT):
a) Auditors should be able to obtain the resources required from the organization to support the development, implementation, operation & maintenance of CAT.
b) These are more likely to be used if auditors are involved in the development work associated with a new application system.
c) Auditors need the knowledge & experience of working with computer systems to use CAT effectively & efficiently.
d) CAT is used where the audit trail is less visible & the costs of errors & irregularities are high.
e) It is unlikely to be effective unless implemented in an application system that is relatively stable.
Potential benefits of Continuous Audit:
a) Reducing the cost of the basic audit assignment by enabling auditors to test a larger sample & examine data faster & more efficiently.
b) Reducing the amount of time & costs.
c) Increasing the quality of audits by allowing auditors to focus more on understanding a client's business, industry & its internal control structure.
d) Specifying transaction selection criteria to choose transactions & performing both tests of controls & substantive tests throughout the year on an ongoing basis.
Audit Standards & Best Practices
1) ISACA (Information Systems Audit & Control Association): It is a global leader in information governance, control, security & audit. To assist the IS auditor it has issued:
- 16 auditing standards,
- 39 auditing guidelines,
- 11 IS auditing procedures, &
- COBIT, good business practices relating to IT.
2) ISO 27001: (Refer same point for Cpt. 7) ISO 27001 is the international best practice & certification standard for an Information Security Management System (ISMS).
3) Internal Audit Standards: IIA (The Institute of Internal Auditors) is an international professional association. It provides dynamic leadership for the global profession of internal auditing.
4) Standards on Internal Audit issued by ICAI: ICAI has issued various standards which set out the process to be adopted by the internal auditor in specific situations.
5) Information Technology Infrastructure Library (ITIL): (Refer same point for Cpt. 7) ITIL is a set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of the business. In its current form (known as ITIL v3 & the ITIL 2011 edition), ITIL is published in a series of five core publications, each of which covers an ITSM lifecycle stage.
PERFORMING IS AUDIT STEPS:
1) Basic Plan:
i) Planning is one of the primary & important phases in an IS Audit.
ii) The extent of planning will vary according to the size of the entity, the complexity of the audit & the auditor's experience with the entity.
iii) Obtaining knowledge of the business is an important part of planning the work.
iv) The auditor's knowledge of the business assists in the identification of events, transactions & practices which may have a material effect on the financial statements (FS).
v) The auditor may discuss the overall audit plan with the entity's audit committee to improve the effectiveness & efficiency of the audit.
vi) The auditor should develop & document an overall audit plan describing the expected scope & conduct of the audit.
vii) The auditor is expected to modify the audit plan as circumstances change.
2) Preliminary Review: (KUUL RAM)
A) Knowledge of Business:
i) General economic factors & industry conditions.
ii) Nature of the business, its products & services.
iii) General exposure to the business.
iv) Its clientele, vendors & strategic business partners.
v) Level of competence of the top management & IT management.
vi) Set-up & organization of the IT department.
B) Understanding the Technology: (M17, MTP1-N18)
i) Analysis of business processes & level of automation.
ii) Assessing the extent of the entity's dependence on IT to carry on its business.
iii) Understanding the technology architecture.
iv) Studying network diagrams to understand physical & logical network connectivity.
v) Understanding the extended enterprise architecture.
vi) Knowledge of various technologies & their advantages & limitations.
vii) Studying IT policies, standards, guidelines & procedures.
C) Understanding Internal Control Systems: For gaining an understanding of internal controls, emphasis is placed on compliance testing (do the controls operate as designed?) & substantive testing (are the resulting data & balances correct?).
D) Legal Considerations & Audit Standards:
i) The auditor should carefully evaluate the legal as well as the statutory implications.
ii) IS audit work could be required as part of a statutory requirement, in which case the auditor should take into consideration the related stipulations & regulations.
iii) Statutes/regulatory frameworks may impose stipulations as regards the minimum set of control objectives to be achieved by the subject organisation.
iv) The IS Auditor should also consider the Audit Standards.
E) Risk Assessment & Materiality: Risk assessment is a critical & inherent part of the IS Auditor's planning & audit implementation. Risk assessment will aid in planning decisions such as:
i) The nature, extent & timing of audit procedures.
ii) The areas or business functions to be audited.
iii) The amount of time & resources to be allocated to an audit.
Key steps that can be followed for a risk-based approach (RBA) to make an audit plan: (N16/17)
i) Inventory the IS in use in the organization & categorize them.
ii) Determine which systems impact critical functions/assets.
iii) Assess what risks affect these systems & the severity of the impact on the business.
iv) Based on the above assessment, decide audit priority, resources, schedule & frequency.
Categories of Risk: (N16)
1) Inherent Risk: It is the susceptibility of information resources, or of resources controlled by the IS, to material theft, destruction, disclosure or unauthorized modification, before considering the effect of any controls. E.g. inherent risk is higher in net banking than in branch banking.
2) Control Risk: It is the risk that an error which could occur in an audit area, & which could be material, individually or in combination with other errors, will not be prevented, or detected & corrected, on a timely basis by the internal control system.
3) Detection Risk: It is the risk that the IT auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors.
AUDIT TRAIL
Audit trails are logs that can be designed to record activity at the system, application & user level. Audit trails provide an important detective control.
Audit Trail Objectives: (N16/17, MTP2-N18)
1) Detecting Unauthorized Access: Detection can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls.
2) Reconstructing Events: Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals or application processing errors.
3) Personal Accountability: Audit trails can be used to monitor user activity at the lowest level of detail.
Application Security Layer
A) Operational Layer: (M18)
i) User Accounts & Access Rights: This includes defining unique user accounts & giving them access rights appropriate to their roles & responsibilities.
ii) Password Controls: The auditor needs to check whether there are applications where password controls are weak. If such instances are found, the auditor may look for compensating controls against such weaknesses.
iii) Segregation of Duties: Frauds increase where duties are not segregated. Segregation of duties is a basic internal control that prevents/detects errors & irregularities. E.g.
a) The record keeper of an asset must not be its custodian.
b) The maker (who enters a transaction) must not be the checker (who approves it).
B) Tactical Layer:
i) Timely updates to user profiles, like creating/deleting & changing of user accounts.
ii) IT Risk Management: It includes the following activities:
a) Assessing risk over key application controls.
b) Conducting a regular security awareness programme.
c) Enabling application users to perform a self-assessment.
d) Reviewing application patches before deployment.
e) Monitoring peripheral security, e.g. updating antivirus software.
iii) Interface Security: This relates to an application being interfaced with another application in the organization.
iv) Audit Logging & Monitoring: Regular monitoring of the audit logs is required.
C) Strategic Layer: At this layer, top management takes action in the form of drawing up the security policy, security training, security guidelines & reporting. A comprehensive information security programme, fully supported by top management & communicated well to the organization, is of paramount importance to succeed in information security.
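An added example (not part of the notes) that works the three audit-trail objectives above, together with the audit logging & monitoring and segregation-of-duties points, on a constructed application audit trail: it detects a burst of failed logins followed by a success and an off-hours login (detecting unauthorized access), lists every action taken on one record (reconstructing events), counts what each user did (personal accountability), and reports records that the same user both created & approved (maker must not be checker). The key=value log format, the three-failures-in-five-minutes rule and the 08:00-20:00 business hours are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

FAIL_THRESHOLD = 3                   # assumed: this many failed logins...
FAIL_WINDOW = timedelta(minutes=5)   # ...within this window, followed by a success
BUSINESS_HOURS = (8, 20)             # assumed: successful logins outside 08:00-20:00 are flagged

# Constructed audit trail (not captured from any real system).
SAMPLE_TRAIL = """\
2024-03-04T09:01:05 user=alice src=10.0.0.5 event=LOGIN result=FAIL
2024-03-04T09:01:20 user=alice src=10.0.0.5 event=LOGIN result=FAIL
2024-03-04T09:01:41 user=alice src=10.0.0.5 event=LOGIN result=FAIL
2024-03-04T09:02:03 user=alice src=10.0.0.5 event=LOGIN result=OK
2024-03-04T09:05:10 user=alice src=10.0.0.5 event=CREATE record=INV-77 result=OK
2024-03-04T09:06:30 user=alice src=10.0.0.5 event=APPROVE record=INV-77 result=OK
2024-03-04T10:15:00 user=bob src=10.0.0.9 event=LOGIN result=OK
2024-03-04T10:16:12 user=bob src=10.0.0.9 event=CREATE record=INV-78 result=OK
2024-03-04T11:00:00 user=carol src=10.0.0.12 event=LOGIN result=OK
2024-03-04T11:02:45 user=carol src=10.0.0.12 event=APPROVE record=INV-78 result=OK
2024-03-04T23:40:00 user=bob src=198.51.100.7 event=LOGIN result=OK
"""


def parse_trail(text: str) -> List[dict]:
    """One dict per line: the key=value fields plus 'ts' as a datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(stamp)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_unauthorized_access(events: List[dict]) -> List[Tuple[str, str, str]]:
    """(code, user, timestamp) alerts: repeated failures then a success from the
    same user & source within the window, and successful logins outside business hours."""
    alerts = []
    recent_fails: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    for ev in events:
        if ev["event"] != "LOGIN":
            continue
        fails = recent_fails[(ev["user"], ev["src"])]
        while fails and ev["ts"] - fails[0] > FAIL_WINDOW:
            fails.popleft()                          # forget failures outside the window
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            continue
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("FAILED_LOGINS_THEN_SUCCESS", ev["user"], ev["ts"].isoformat()))
            fails.clear()
        if not BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]:
            alerts.append(("OFF_HOURS_LOGIN", ev["user"], ev["ts"].isoformat()))
    return alerts


def sod_violations(events: List[dict]) -> List[str]:
    """Records whose CREATE (maker) and APPROVE (checker) were done by the same user."""
    makers: Dict[str, str] = {}
    violations = []
    for ev in events:
        if ev["event"] == "CREATE":
            makers[ev["record"]] = ev["user"]
        elif ev["event"] == "APPROVE" and makers.get(ev["record"]) == ev["user"]:
            violations.append(ev["record"])
    return violations


def reconstruct(events: List[dict], record: str) -> List[str]:
    """Timeline of everything that happened to one record, oldest first."""
    return [f"{e['ts'].isoformat()} {e['user']} {e['event']} from {e['src']}"
            for e in events if e.get("record") == record]


def accountability(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-user count of each event type: who did what, at the lowest level of detail."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["event"]] += 1
    return {user: dict(c) for user, c in counts.items()}


if __name__ == "__main__":
    evs = parse_trail(SAMPLE_TRAIL)
    print(detect_unauthorized_access(evs))
    print("SoD violations:", sod_violations(evs))
    print("\n".join(reconstruct(evs, "INV-77")))
    print(accountability(evs))
```

On the constructed trail the analysis raises two access alerts (alice's three failures followed by a success, bob's 23:40 login) and one segregation-of-duties violation (INV-77, created & approved by alice). The checks only work if the trail itself is complete & tamper-resistant: the application should append to it through a path that ordinary users, including administrators of the application, cannot edit, which is why the notes treat the audit trail as a detective control that must be reviewed regularly rather than merely collected.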
Chapter 8: Emerging Technologies
GRID COMPUTING (GC)
It is a network of computing or processor machines managed with a kind of software such as middleware, in order to access & use the resources remotely.
Reason for popularity of Grid Computing: It has the ability to make use of unused computing power. This enables heterogeneous computer resources to work cooperatively & collaboratively to solve a scientific problem.
CLOUD COMPUTING (CC)
CC means the use of computing resources as a service through networks, typically the internet. CC is a combination of both hardware & software. It helps users to access database resources from anywhere at any time without worrying about the maintenance/management of the actual resources.
CLOUD Vs GRID COMPUTING:
1) Similarities:
a) Cloud & Grid computing are both scalable.
b) Both involve multi-tenancy & multi-tasking, meaning that many customers can perform different tasks, accessing a single or multiple application instances.
2) Differences: (M17)
a) Storage: CC can store from 1 byte to several terabytes, whereas GC is not economically suited for storing small objects such as 1 byte.
b) Workload: CC offers 2 types of instances, i) Standard & ii) High-CPU, whereas GC focuses on computationally intensive operations.
GOALS OF CLOUD COMPUTING:
1) To create a highly efficient IT ecosystem, where resources are pooled together.
2) To access services & data from anywhere at any time.
3) To scale the IT ecosystem quickly, easily & cost-effectively based on the business needs.
4) To consolidate IT infrastructure into a more integrated & manageable environment.
5) To reduce costs related to IT energy/power consumption.
6) To enable/improve "Anywhere Access" (AA) for ever increasing users.
7) To enable rapid provisioning of resources as needed.
CHARACTERISTICS OF CLOUD COMPUTING:
1) High Scalability: It enables servicing larger audiences through high scalability.
2) Agility: It works in 'distributed mode' & shares resources among users & tasks, which improves efficiency & agility (responsiveness).
3) High Availability & Reliability: Availability of servers is supposed to be high & more reliable as the chances of infrastructure failure are minimal.
4) Multi-sharing: Multiple users & applications can work more efficiently with cost reductions by sharing common infrastructure.
5) Services in Pay-Per-Use Mode: SLAs b/w the provider & user must be defined when complex services are offered in pay-per-use mode.
6) Virtualization: It allows servers & storage devices to be shared & utilized by applications to a greater degree, since workloads can easily be migrated from one physical server to another.
7) Performance: Performance is monitored & consistent, & loosely coupled architectures are constructed using web services.
8) Maintenance: Cloud applications are easier to maintain because they need not be installed on each user's system & can be accessed from different places.
CLOUD COMPUTING ARCHITECTURE: (M17)
1) Front End Architecture: The front end of the cloud computing system comprises the client's devices & the applications needed for accessing the cloud computing system, e.g. a browser such as Firefox, Microsoft's Internet Explorer or Apple's Safari.
2) Back End Architecture: The back end refers to the service-facilitating peripherals. In cloud computing, the back end is the cloud itself, which may include various computer machines, data storage systems & servers.
ADVANTAGES OF CLOUD COMPUTING: (MT: AB QU CA)
1) Cost Efficiency: It is the most cost-efficient method to use, maintain & upgrade.
2) Almost Unlimited Storage: The cloud gives us almost unlimited storage capacity, so there is no need to worry about running out of storage space.
3) Backup & Recovery: As the data is stored in the cloud, backing it up & restoring it is relatively easier than doing the same on a physical device.
4) Automatic Software Integration: Software integration occurs automatically & no additional effort is needed to customize & integrate the applications as per our preferences.
5) Easy Access to Information: One can access the information from anywhere there is an internet connection.
6) Quick Deployment: With quick deployment the entire system can be fully functional in a matter of a few minutes.
ISSUES RELATING TO CLOUD COMPUTING:
I) SECURITY ISSUES/CHALLENGES OF CLOUD COMPUTING:
1) Confidentiality: It refers to the prevention of the unauthorized disclosure of data.
2) Integrity: It refers to the prevention of the unauthorized modification of data.
3) Availability: It refers to the prevention of the unauthorized withholding of data.
4) Governance: Due to the lack of control over the provider's employees & services, problems arise relating to design, implementation, testing & deployment. So there is a need for a governance model.
5) Trust: The cloud has still not fully established trust b/w client & service provider.
6) Privacy: This is a key issue embedded in each phase of the cloud life cycle, & the risk to privacy must be reduced.
7) Audit: Auditing is a form of checking 'what is happening in the cloud environment'.
8) Data Stealing: Some cloud providers do not use their own servers but instead use those of other service providers, so the risk of data stealing arises.
9) Architecture: Its reliable & scalable infrastructure is dependent on the design & implementation that support the overall framework.
10) Incident Response: It must be ensured that the cloud provider has a transparent response process in place & sufficient mechanisms to share information during & after an incident.
11) Software Isolation: The virtualization & other logical isolation techniques that keep one tenant's workloads apart from another's on shared hardware must be understood.
12) Application Security: Security issues relating to application security still apply when applications move to a cloud platform.
II) IMPLEMENTATION/ADAPTATION ISSUES OF CLOUD COMPUTING:
1) Threshold Policy: This involves checking how the policy detects sudden increases in demand & results in the creation of additional instances to meet the demand.
2) Interoperability: If a company outsources or creates applications with one cloud computing vendor, the company may find it difficult to change to another vendor that has different formats for importing & exporting data.
3) Hidden Costs: Service providers do not reveal what the hidden costs are.
4) Unexpected Behaviour: It is important to test the application in the cloud with a pilot study to check for unexpected behaviour.
5) Software Development in the Cloud: To develop software using high-end databases, the most likely choice is to use cloud server pools at the internal corporate data centre.
6) Environment Friendly Cloud Computing: Cloud computing is more environment friendly as it reduces the number of hardware components needed to run the application.
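For the integrity & data-stealing issues above, an added example (not from the notes) of a client-side control that does not depend on trusting the provider: the client keeps an HMAC key the provider never sees, binds the object name & version into the tag, & verifies on download. It goes slightly beyond the text by also catching two provider-side manipulations a plain checksum would miss: serving one object's validly tagged bytes under another object's name, & rolling an object back to a stale version. The class names, object names & contents are constructed; the "provider" is an in-memory dict standing in for a real object store.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

StoredObject = Tuple[int, bytes, bytes]          # (version, data, tag) as the provider holds it


def make_tag(key: bytes, name: str, version: int, data: bytes) -> bytes:
    """HMAC-SHA256 over a length-prefixed header (name, version) and the data.
    Binding name & version defeats substitution & rollback; the length prefixes
    remove any ambiguity about where the header ends and the data begins."""
    header = json.dumps({"name": name, "version": version}, sort_keys=True).encode()
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (header, data):
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


class CloudStore:
    """Stands in for the third-party provider: a dumb store the client does not trust."""
    def __init__(self) -> None:
        self.objects: Dict[str, StoredObject] = {}

    def put(self, name: str, version: int, data: bytes, tag: bytes) -> None:
        self.objects[name] = (version, data, tag)

    def get(self, name: str) -> StoredObject:
        return self.objects[name]


class Client:
    """Holds the key and its own record of the latest version of each object."""
    def __init__(self, store: CloudStore, key: bytes) -> None:
        self.store, self.key = store, key
        self.versions: Dict[str, int] = {}

    def upload(self, name: str, data: bytes) -> int:
        version = self.versions.get(name, 0) + 1
        self.store.put(name, version, data, make_tag(self.key, name, version, data))
        self.versions[name] = version
        return version

    def download(self, name: str) -> bytes:
        version, data, tag = self.store.get(name)
        if version != self.versions.get(name):
            raise ValueError(f"{name}: provider returned version {version}, expected {self.versions.get(name)}")
        if not hmac.compare_digest(tag, make_tag(self.key, name, version, data)):
            raise ValueError(f"{name}: integrity check failed")
        return data


def download_fails(client: Client, name: str) -> bool:
    """True when the client rejects what the provider served."""
    try:
        client.download(name)
        return False
    except ValueError:
        return True


def demo() -> Dict[str, bool]:
    """A clean round trip plus three provider-side manipulations; every value
    in the returned dict should be True."""
    key = secrets.token_bytes(32)                 # generated & kept client-side only
    store = CloudStore()
    client = Client(store, key)
    ledger_v1 = b"acct,amount\n1001,250\n"        # constructed content
    client.upload("ledger.csv", ledger_v1)
    client.upload("notes.txt", b"hello")
    results = {"roundtrip_ok": client.download("ledger.csv") == ledger_v1}
    genuine_v1 = store.objects["ledger.csv"]      # copy of the genuine version-1 entry

    # 1) Bytes edited in place on the provider's side; the tag no longer matches.
    version, _, tag = genuine_v1
    store.objects["ledger.csv"] = (version, b"acct,amount\n1001,2500\n", tag)
    results["tamper_detected"] = download_fails(client, "ledger.csv")

    # 2) Another object's validly tagged entry served under the ledger's name.
    store.objects["ledger.csv"] = store.objects["notes.txt"]
    results["swap_detected"] = download_fails(client, "ledger.csv")

    # 3) Client uploads version 2; provider quietly serves the genuine version 1 again.
    client.upload("ledger.csv", ledger_v1 + b"1002,75\n")
    store.objects["ledger.csv"] = genuine_v1
    results["rollback_detected"] = download_fails(client, "ledger.csv")
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Two caveats a practitioner would add: the client's own version table is part of the trusted state (if it is stored with the same provider, rollback detection is lost), & an HMAC gives integrity only; confidentiality against the provider needs the data encrypted client-side as well, for example with an AEAD mode that authenticates the same name/version header.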
CLOUD COMPUTING ENVIRONMENT
I) PRIVATE CLOUD: It resides within the boundaries of an organization & is used exclusively for the organization's benefit. Also called Internal Clouds/Corporate Clouds. A private cloud can be either a) managed by the single organisation (On-Premise Private Cloud) or b) managed by a 3rd party (Outsourced Private Cloud).
A) CHARACTERISTICS:
1) Secure: A private cloud is considered secure as it is developed & managed by the organisation itself (how secure it actually is still depends on the controls the organisation implements).
2) Central Control: There is no need for the organization to rely on anybody; it is controlled by the organization itself.
3) Weak SLAs: SLAs are agreements b/w user & service provider. In a private cloud, formal SLAs either do not exist or are weak.
B) ADVANTAGES:
1) It improves average server utilization.
2) It provides a high level of security & privacy.
3) It is small in size & easy for the organization to control & maintain.
C) LIMITATIONS:
1) Budget is a constraint.
2) They also have loose SLAs.
D) Differences between On-Premise & Outsourced Private Cloud:
1) Management: On-premise: managed by the organization itself. Outsourced: managed by the 3rd party.
2) SLAs: On-premise: SLAs are defined b/w the organization & its users. Outsourced: SLAs are usually followed strictly as it is a 3rd party organization.
3) Network: On-premise: network management & network issue resolution are easier. Outsourced: the cloud is fully deployed at the 3rd party's site & organizations connect either through a dedicated connection or the Internet.
4) Performance: On-premise: performance depends on the network & resources. Outsourced: performance depends on the 3rd party.
5) Location: On-premise: data is usually stored in the same geographical location where the cloud users are present. Outsourced: the cloud is located off site, & when there is a change of location the data needs to be transmitted over long distances.
II) PUBLIC CLOUD: It is used by the general public. This includes individuals, corporations & other types of organizations.
Public clouds are administered by 3rd parties or vendors over the internet & the services are offered on a pay-per-use basis. These are also called Provider Clouds.
A) CHARACTERISTICS: (May 2018)
1) Highly scalable: Resources are large in number & service providers make sure that all requests are granted.
2) Affordable: Users have to pay only for what they use.
3) Less Secure: Since it is offered & controlled by a 3rd party, it is less secure.
4) Highly available: Anybody from any part of the world can access the public cloud with proper permission.
5) Stringent SLAs: SLAs are strict & violations are avoided.
B) ADVANTAGES:
1) It is widely used in development, deployment & management of enterprise applications at affordable costs.
2) No infrastructure is required on the user's side for maintaining the cloud.
3) Strict SLAs are followed.
4) No limit on the no. of users.
C) LIMITATIONS:
1) Security assurance is low.
2) Privacy & organizational autonomy are not possible.
III) HYBRID CLOUD: It is a combination of at least one private & at least one public cloud. It is a private cloud extended to the public cloud & aims at utilizing the power of the public cloud while retaining the properties of the private cloud.
A) CHARACTERISTICS:
1) Scalable: With the help of its public counterpart, the hybrid cloud is also scalable.
2) Partially Secure: The private part is secure but the public part has a higher risk of security breach, so overall it is partially secure.
3) Stringent SLAs: Overall the SLAs are more stringent than in a private cloud.
4) Complex Cloud Management: Because it involves more than one type of deployment model & the no. of users is high.
B) ADVANTAGES:
1) It is highly scalable & gives the power of both private & public clouds.
2) It provides better security than a public cloud.
C) LIMITATIONS:
1) Security features are not as good as a private cloud.
2) It is complex to manage.
IV) COMMUNITY CLOUD: (May 2017) A private cloud shared b/w several organizations having common concerns, e.g. mission & security requirements.
A) CHARACTERISTICS:
1) Collaborative & Distributive Maintenance: Being distributive, better cooperation gives better results.
2) Partially secure: Since the cloud is shared by several organizations, there is a possibility of data leakage from one organization to another, though it is safe from the external world.
3) Cost effective: The cloud is shared, so it is cost effective too.
B) ADVANTAGES:
1) It allows establishing a low-cost private cloud.
2) It allows collaborative work on the cloud.
3) It allows sharing of responsibilities among the organizations.
4) Better security than a public cloud.
C) LIMITATIONS:
1) Autonomy of the organization is lost.
2) Security features are not as good as a private cloud.
3) Not suitable where there is no collaboration.
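The "Less Secure" point for the public cloud & the "Partially secure" point for the community cloud both come down to the same thing: several organizations' data sit in one shared store, so every lookup must be scoped to the tenant that owns the data. Below is an added Python example (not part of these notes & not any cloud provider's code) showing the leakage path beside the hardened form: a store keyed by (tenant, key), with the tenant identity taken from the authenticated session rather than from the request. The organization names, record keys & values are constructed sample data.

```python
"""Tenant isolation in a data store shared by several organizations.

Added example, not from the notes. Assumptions: a key/value store keyed by
(tenant, key); tenant identity is bound to the session at authentication.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample rows: two member organizations of a community cloud run
# the same application, so both store a record under the same key name.
SAMPLE_ROWS = [
    ("orgA", "payroll_q1", "orgA payroll figures"),
    ("orgB", "payroll_q1", "orgB payroll figures"),
]


class IsolationError(PermissionError):
    """Raised when a session tries to read another tenant's data."""


@dataclass
class SharedStore:
    rows: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def put(self, tenant: str, key: str, value: str) -> None:
        self.rows[(tenant, key)] = value

    def get_unscoped(self, key: str) -> Optional[str]:
        """Weak lookup: matches on key alone, so the first tenant whose record
        has that key wins. This is the cross-tenant leakage path."""
        for (_, k), value in self.rows.items():
            if k == key:
                return value
        return None

    def get_scoped(self, tenant: str, key: str) -> Optional[str]:
        """Hardened lookup: the tenant id is a mandatory part of the key."""
        return self.rows.get((tenant, key))


@dataclass
class TenantSession:
    """Tenant identity is fixed when the session is authenticated, not read
    from the request, so a client cannot name another tenant to read its data."""
    store: SharedStore
    tenant: str

    def read(self, key: str, requested_tenant: Optional[str] = None) -> Optional[str]:
        if requested_tenant is not None and requested_tenant != self.tenant:
            raise IsolationError(f"{self.tenant} may not read {requested_tenant} data")
        return self.store.get_scoped(self.tenant, key)


def build_store() -> SharedStore:
    store = SharedStore()
    for tenant, key, value in SAMPLE_ROWS:
        store.put(tenant, key, value)
    return store


def demo() -> Tuple[Optional[str], Optional[str], bool]:
    """Returns (value leaked by the weak lookup, tenant's own value,
    whether the cross-tenant read was blocked)."""
    store = build_store()
    # orgB asks the weak interface for its payroll & receives orgA's instead.
    leaked = store.get_unscoped("payroll_q1")
    session = TenantSession(store, tenant="orgB")
    own = session.read("payroll_q1")
    try:
        session.read("payroll_q1", requested_tenant="orgA")
        blocked = False
    except IsolationError:
        blocked = True
    return leaked, own, blocked


if __name__ == "__main__":
    print(demo())
```

The same rule applies to listings, searches & backups in a shared cloud: any query path that can reach the store without a tenant predicate is the leak described under "Partially secure", whatever the perimeter controls look like.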
CLOUD COMPUTING SERVICE MODELS
I) Infrastructure as a Service (IaaS): It is a hardware-level service that provides computing resources such as processing power, memory, storage & networks for cloud users to run their applications on demand. E.g. Amazon Web Services (AWS), Google Compute Engine.
A) Characteristics of IaaS:
1) Web access to the resources: IaaS enables IT users to access infrastructure resources over the Internet.
2) Centralized management: Ensures effective resource management & utilization.
3) Elasticity & Dynamic Scaling: Provides elastic services where the usage of resources can be increased/decreased as per requirements.
4) Shared infrastructure: A one-to-many delivery model that allows multiple IT users to share the same physical infrastructure.
5) Metered Services: Allows IT users to rent computing resources instead of buying them; charges are based on the amount of usage.
B) Services offered by IaaS: (MT: BSNL i.e. CSNL)
1) Compute: Virtual CPU & virtual memory for the virtual machines (VMs).
2) Storage: Provides back-end storage for VM images & for storing files.
3) Network: Provides virtual networking such as virtual router, switch & bridge.
4) Load Balancers: Provide load balancing capability at the infrastructure layer.
C) Different instances of IaaS:
1) Network as a Service (NaaS): Provides the needed data communication capacity to accommodate bursts in data traffic during data-intensive activities.
2) Storage as a Service (STaaS): Provides storage infrastructure on a subscription basis as a low-cost & convenient way to store data, synchronize data, manage off-site backups, mitigate risks & preserve records.
3) Database as a Service (DBaaS): Provides seamless mechanisms to create, store & access databases at a host site on demand.
4) Backend as a Service (BaaS): Provides web & mobile app developers a way to connect their applications to backend cloud storage with added services.
5) Desktop as a Service (DTaaS): Provides end users the ability to use desktop virtualization without buying & managing their own infrastructure.
II) Platform as a Service (PaaS): PaaS provides users the ability to develop & deploy an application on the development platform provided by the service provider. E.g. Google App Engine, Windows Azure Compute etc.
A) Characteristics of PaaS: (MT: WO ABCD)
1) All in One: Offers services to develop, test, deploy, host & maintain applications in the same Integrated Development Environment (IDE).
2) Web Access to the development platform: Provides web access to the development platform that helps developers create, modify, test & deploy different applications on the same platform.
3) Offline Access: Developers can sync data with a local IDE, develop the app locally & deploy it online when connected to the Internet.
4) Built-in Scalability: Ensures that the application is capable of handling varying loads efficiently.
5) Collaborative Platform: Enables collaboration among developers, mostly for project planning & communication.
6) Diverse Client Tools: Offers a wide variety of client tools like Web User Interface (UI), Application Programming Interface (API) etc.
B) Services offered by PaaS:
1) Programming Languages: Provides a variety of programming languages like Java, PHP, Python, Ruby etc. for developers to develop applications.
2) Application Frameworks: Provides application development frameworks like Joomla, WordPress, Sinatra etc. for application development.
3) Database: Provides databases like ClearDB, Cloudant, Redis etc. for applications to communicate with a database.
4) Other Tools: Provides all tools that are required to develop, test & deploy an application.
III) Software as a Service (SaaS): It provides end users the ability to access an application over the Internet that is hosted & managed by the service provider. E.g. editing a word document in Google Docs, editing a photo online in Pixlr.
A) Characteristics of SaaS:
1) One to Many: A single instance of the application can be shared by multiple customers.
2) Web Access: Allows access to the application from any location when the device is connected to the Internet.
3) Centralized Management: Since it is hosted & managed from a central location, it provides automatic updates to ensure that each customer is accessing the most recent version.
4) Multi-device Support: Can be accessed from any end-user device such as desktops, laptops, tablets, smartphones etc.
5) Better Scalability: It ensures better scalability than traditional software by being deployed on PaaS & IaaS.
6) High availability: Ensures 99.99% availability of user data.
7) API Integration: Capable of integrating with other software/services through standard APIs.
B) Services offered by SaaS:
1) Business Services: Provide a variety of business services to start-up companies, including ERP, CRM, billing, sales & human resources.
2) Social Networks: Since the no. of users of social networking sites is increasing exponentially, cloud computing is the perfect match for handling the variable load.
3) Document Management: Provides services to create, manage & track electronic documents, as most enterprises extensively use electronic documents.
4) Mail Services: To handle the unpredictable no. of users & the load on email services, most email providers offer their services as SaaS.
C) Different instances of SaaS:
1) Testing as a Service (TaaS): Provides users with software testing capabilities such as generation of test data & test cases, execution of test cases & test result evaluation.
2) API as a Service (APIaaS): Allows users to explore the functionality of web services such as Google Maps, payroll processing & credit card processing services etc.
3) Email as a Service (EaaS): Provides users with an integrated system of emailing, office automation, spam blocking, malware protection & compliance features.
IV) OTHER CLOUD SERVICE MODELS:
1) Communication as a Service (CaaS): An outsourced enterprise communication solution that can be leased from a single vendor. E.g. Voice over IP (VoIP), Instant Messaging (IM), collaboration & videoconferencing.
2) Data as a Service (DaaS): Provides data on demand to a diverse set of users, systems or applications. Data may include text, images, sounds & videos. Data encryption & operating system authentication are commonly provided for security.
3) Security as a Service (SECaaS): A new approach to security in which security is moved into the cloud itself, whereby cloud service users are protected from within the cloud using a unified approach to threats. The 4 mechanisms are Email filtering, Web content filtering, Vulnerability management & Identity management.
4) Identity as a Service (IDaaS): Enables users to access the authentication infrastructure that is built, hosted, managed & provided by the 3rd party service provider. It includes directory services, authentication services, risk & event monitoring, single sign-on services & identity & profile management.
MOBILE COMPUTING
It refers to the technology that allows transmission of data via a computer without having to be connected to a fixed physical link. Mobile voice communication is widely established throughout the world & has seen a very rapid increase in the no. of subscribers to the various cellular networks over the last few years.
COMPONENTS OF MOBILE COMPUTING:
1) Mobile Communication: The infrastructure put in place to ensure that seamless & reliable communication goes on.
2) Mobile Hardware: Mobile devices or device components that receive or access the service of mobility (e.g. Tablet PCs, laptops, smartphones, Personal Digital Assistants (PDAs)).
3) Mobile Software: The actual program that runs on the mobile hardware & deals with the characteristics & requirements of mobile applications (e.g. Operating System).
TANGIBLE BENEFITS OF MOBILE COMPUTING:
1) It provides the mobile workforce with remote access to work order details.
2) It enables mobile sales personnel to update work order status in real time.
3) It facilitates access to corporate services & information at any time, from anywhere.
4) It provides remote access to the corporate knowledge base at the job location.
5) It improves management effectiveness by enhancing information quality, information flow & ability.
LIMITATIONS OF MOBILE COMPUTING (MT: SP HP IT) (Nov 2016)
1) Insufficient Bandwidth: Mobile Internet access is generally slower than direct cable connections.
2) Security Standards: Security is a major concern. Mobile users depend on public networks, so traffic has to be carried over a VPN, & the VPN itself is exposed to attack from the huge no. of networks interconnected along the path.
3) Power consumption: When a power outlet or portable generator is not available, mobile computers rely on battery power.
4) Transmission interferences: Weather, terrain & the range from the nearest signal point can all interfere with signal reception.
5) Potential health hazards: People who use mobile devices while driving are often distracted from driving & are thus assumed to be more likely to be involved in traffic accidents.
6) Human interface with device: Screens & keyboards tend to be small, which may make them hard to use.
HOW MOBILE COMPUTING WORKS?
1) The user enters/accesses data using the application on the handheld computing device.
2) Using connecting technologies, the new data are transmitted from the handheld to the site's information system (IS).
3) Now both systems (handheld & site's computer) have the same information & are in sync.
4) The process works the same way starting from the other direction.
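Step 2 of the sync above is where a work order update crosses an untrusted public network, & it is where the integrity & accountability requirements listed under ISSUES IN MOBILE COMPUTING have to be enforced. The following added Python example (not from these notes; DEVICE_KEYS, sign_update & SiteIS are hypothetical names) shows both sides of that exchange: the handheld signs each update with a per-device HMAC key & a sequence number, & the site's IS verifies the tag, rejects replays & records every decision in an audit log. Confidentiality of the message in transit is not handled here; that is the job of the VPN/TLS link mentioned under limitations. The device key, work order & field values are constructed sample data.

```python
"""Authenticated handheld -> site IS sync (added example, not from the notes).

Assumption: each handheld is provisioned with its own secret key at enrolment
& the site keeps a copy. DEVICE_KEYS, sign_update & SiteIS are hypothetical
names chosen for this example; the key below is a constructed value.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List

DEVICE_KEYS: Dict[str, bytes] = {"handheld-17": b"constructed-per-device-secret-key"}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_update(device_id: str, key: bytes, seq: int, update: dict) -> dict:
    """Handheld side: wrap the update with device id, sequence no. & HMAC tag."""
    payload = {"device": device_id, "seq": seq, "update": update}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


@dataclass
class SiteIS:
    """Site side: verifies integrity, blocks replays, keeps an audit trail."""
    work_orders: Dict[str, dict]
    last_seq: Dict[str, int] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def receive(self, message: dict) -> bool:
        payload, mac = message["payload"], message["mac"]
        device = payload.get("device")
        key = DEVICE_KEYS.get(device)
        if key is None:                                   # legitimacy
            self.audit_log.append(f"REJECT unknown device {device!r}")
            return False
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):        # integrity
            self.audit_log.append(f"REJECT {device} seq={payload.get('seq')} bad MAC")
            return False
        seq = payload["seq"]
        if seq <= self.last_seq.get(device, 0):           # replay protection
            self.audit_log.append(f"REJECT {device} seq={seq} replay")
            return False
        self.last_seq[device] = seq
        upd = payload["update"]
        self.work_orders.setdefault(upd["order"], {}).update(upd["fields"])
        self.audit_log.append(f"ACCEPT {device} seq={seq} order={upd['order']}")  # accountability
        return True


def demo() -> dict:
    """Genuine update, the same update tampered in transit, then a replay."""
    site = SiteIS(work_orders={"WO-1001": {"status": "open"}})
    key = DEVICE_KEYS["handheld-17"]
    update = {"order": "WO-1001", "fields": {"status": "closed"}}
    msg = sign_update("handheld-17", key, seq=1, update=update)
    results = {"genuine": site.receive(msg)}
    tampered = json.loads(json.dumps(msg))      # copy, as if re-parsed at the site
    tampered["payload"]["update"]["fields"]["status"] = "cancelled"
    results["tampered"] = site.receive(tampered)
    results["replay"] = site.receive(msg)
    results["status"] = site.work_orders["WO-1001"]["status"]
    results["audit_entries"] = len(site.audit_log)
    return results


if __name__ == "__main__":
    for line in demo().items():
        print(line)
```

The per-device key is what ties each accepted update to one handheld for accountability; the sequence number is what stops a captured message from being pushed a second time after the device is lost, which is the BYOD "Loss of Devices" scenario discussed further below.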
ISSUES IN MOBILE COMPUTING: (MT: SB LP RR)
1) SECURITY ISSUES:
a) Confidentiality: Preventing unauthorized users from gaining access to critical information.
b) Integrity: Preventing unauthorized modification, destruction or creation of information.
c) Availability: Ensuring that authorized users get the access they require.
d) Legitimate: Ensuring that only authorized users have access to services.
e) Accountability: Ensuring that users are held responsible for their security-related activities.
2) BANDWIDTH: Bandwidth utilization can be improved by logging (bulk operations instead of many short requests) & by compressing data before transmission.
3) LOCATION INTELLIGENCE: A mobile computer must be able to switch from infrared mode to radio mode as it moves from indoors to outdoors, & from cellular mode to satellite mode when moving from urban to rural areas.
4) POWER CONSUMPTION: Mobile computers rely on their batteries, so power consumption should be minimized to increase battery life.
5) REVISING THE TECHNICAL ARCHITECTURE: To provide complete connectivity among users, the current communication technology must be revised to incorporate mobile connectivity.
6) RELIABILITY, COVERAGE, CAPACITY & COST: Wireless networks are less reliable, have less geographic coverage & reduced bandwidth, are slower & cost more than wired-line network services.
7) BUSINESS CHALLENGES: Business challenges arise due to the lack of trained professionals to bring mobile technology to the general public & to develop it.
BRING YOUR OWN DEVICE (BYOD)
It refers to a business policy that allows employees to use their preferred computing devices, like smartphones & laptops, for business purposes. It means employees are welcome to use personal devices to connect to the corporate network to access information & applications.
EMERGING BYOD THREATS (MT: NADI)
1) Network Risks: Normally exemplified & hidden in 'Lack of Device Visibility'.
With company-owned devices, the organization has complete visibility of the devices connected to the network, which helps it analyze traffic & the data exchanged over the Internet; with employee-owned devices this visibility is lost.
2) Device Risks: Normally exemplified & hidden in 'Loss of Devices'. A lost or stolen device can result in enormous financial & reputational embarrassment to an organization.
3) Application Risks: Normally exemplified & hidden in 'Application Viruses & Malware'. The majority of employees' phones & smart devices that are connected to the corporate network are not protected by security software.
4) Implementation Risks: Normally exemplified & hidden in 'Weak BYOD Policy'. Effective implementation of the BYOD program should not only cover the technical issues mentioned above but also mandate the development of a robust implementation policy.
ADVANTAGES OF BYOD (MT: IT HL IE) (Nov 2016)
1) Happy Employees: Employees love to use their own devices when at work.
2) Lower IT Budgets: Could result in financial savings to the organization since employees would be using devices they already possess.
3) IT reduces support requirement: The IT department does not have to provide end-user support & maintenance for all these devices, resulting in cost savings.
4) Easy Adoption of new technologies: Employees are generally proactive in adopting new technologies, which results in enhanced productivity.
5) Increased employee efficiency: Employees are more efficient when working on their own devices.
GREEN COMPUTING (GREEN IT)
It refers to the study & practice of establishing/using computers & IT resources in a more efficient, environmentally friendly & responsible way.
OBJECTIVES OF GREEN COMPUTING: (Not IMP)
1) Reduce the use of hazardous materials.
2) Maximize energy efficiency during the product's lifetime.
3) Promote the recyclability of defunct products & factory waste.
GREEN COMPUTING BEST PRACTICES/STEPS FOR GREEN IT:
1) Develop a sustainable Green Computing plan:
a) Involve stakeholders to include checklists, recycling policies & recommendations for purchase & disposal of green computers.
b) Encourage the IT community to use best practices.
c) Ongoing communication & campus recruitment to produce notable results.
d) Use cloud computing.
2) Recycle:
a) Dispose of e-waste per regulations.
b) Discard in an environmentally friendly manner.
c) Recycle computers through manufacturers' recycling services.
d) Manufacturers must offer safe end-of-life management & recycling options when products become unusable.
3) Make environmentally sound purchase decisions:
a) Purchase desktop computers, notebooks & monitors based on environmental attributes.
b) Provide a clear, consistent set of performance criteria for the design of products.
c) Eliminate environmentally sensitive materials.
d) Use server & storage virtualization.
4) Reduce Paper Consumption:
a) Use e-mail & electronic archiving.
b) Use 'track changes' features rather than redline corrections on paper.
c) Use online marketing rather than paper-based marketing.
d) When printing, use both sides of the paper.
5) Conserve Energy:
a) Use LCD rather than CRT monitors.
b) Use notebook computers rather than desktop computers.
c) Use power-management features to turn off hard drives & displays when there is no activity.
d) Power down the CPU & all peripherals during inactivity.
e) Employ alternative energy sources.
Green IT Security Services & Challenges: (Not IMP)
1) If administered properly with other green computing technologies, green security can be a cost-efficient & lucrative green IT service for solution providers.
2) The basic aim is to increase the customer's energy savings through green security services.
3) Green IT services present many benefits for clients as well as providers, but knowing 'how to evaluate a client's infrastructure to accommodate green technology' is really a vital issue.
WEB 2.0
Web 2.0 is the term used to describe a 2nd generation of the World Wide Web that is focused on the ability of people to collaborate & share information online. Two major contributors to Web 2.0 are: technological advances by AJAX, & other applications like RSS & Eclipse.
APPLICATIONS OF WEB 2.0:
1) Social Media: An important application of Web 2.0 as it provides a fundamental shift in the way people communicate & share information.
2) Marketing: Web 2.0 offers excellent opportunities for marketing by engaging customers in various stages of the product development cycle.
3) Education: Gives students & faculty more opportunities to interact & collaborate with their peers in an educational scenario.
COMPONENTS OF WEB 2.0 FOR SOCIAL NETWORKS:
1) Communities: An online space formed by a group of individuals to share their thoughts & ideas.
2) RSS-generated Syndication: RSS is a format for syndicating web content that feeds freshly published web content to users through an RSS reader.
3) Blogging: A blog is a journal, diary or personal website that is maintained on the Internet.
4) Wiki: A wiki is a set of co-related pages on a particular subject that allows users to share content.
5) Usage of Ajax & other new technologies: Ajax is a way of developing web applications that combines XHTML & CSS standards-based presentation.
6) Folksonomy: Allows free classification of information available on the web using a tagging approach.
7) File Sharing/Podcasting: The facility that helps users send their media files & related content online for other people on the network to see & contribute to.
8) Mash-ups: People on the Internet can aggregate services from multiple vendors to create a completely new service.
Benefits & Challenges for Social Networks using Web 2.0:
I) Benefits:
1) It provides a platform where users need not worry about the implementation or underlying technology, at a very affordable cost & with a very short pickup time.
2) Concepts of Web 2.0 like blogging are things people do on a day-to-day basis, so no new knowledge or skills are required.
3) Web 2.0 techniques are very people-centric activities & thus adoption is very fast.
4) People are coming much closer to one another & social & geographical boundaries are being reduced.
5) Web 2.0 also increases social collaboration.
II) Challenges:
1) Data security & privacy, as there is a huge chance of data leak & loss of confidentiality.
2) Privacy of individual users also arises as an issue & can create a huge problem if malicious users somehow manage to penetrate the social networks.
3) For bringing offline social networks online, a lot of education & advertising needs to be done (cost burden).
4) A huge amount of effort would be needed to promote social networks in undeveloped areas.
Types & Behaviour of Social Networks:
1) Social Contact Networks: Formed to keep in contact with friends & family. E.g. Facebook, Twitter etc.
2) Study Circles: Social networks dedicated to students, with areas dedicated to student study topics, placement-related queries & advanced research opportunity gathering. E.g. Fledge Wing, College Tonight, CA Club India.
3) Social Networks for Specialist Groups: Specifically designed for core field workers like doctors, scientists & engineers. E.g. LinkedIn.
4) Networks for Fine Arts: Dedicated to people linked with music, painting & related arts.
5) Police & Military Networks: Though not on a public domain, these operate much like social networks on a private domain due to the confidentiality of information.
6) Sporting Networks: Dedicated to people of the sporting fraternity. E.g. Athlinks.
7) Mixed Networks: A heterogeneous social network serving multiple types of social collaboration.
8) Social Networks for the 'inventors': Social networks for the people who invented the concept of social networks & are the developers of social networks. E.g. Mash-up centres.
9) Shopping & Utility Service Networks: The present world of huge consumerism has triggered people to invest in social networks which try to analyze social behaviour & send related information to the respective marts & stores.
10) Others: Apart from the networks outlined above, there are multiple other social networks which serve a huge no. of the Internet population in multiple ways.
Life Cycle of Social Networks:
1) The concept of social networks & the components of Web 2.0 which are significant for social networks have been outlined above.
2) Next, we see how Web 2.0 gets linked with the entire life cycle of a social network.
3) For any social network, there are a no. of steps in its life cycle.
4) In each life cycle step of an online social network, Web 2.0 concepts have a great influence.
5) For all the steps in the life cycle, Web 2.0 provides tools & concepts which are not only cost effective but very easy to implement.
6) Web 2.0 provides excellent communication mechanism concepts like blogging & individual email filtering to keep everyone in the network.
WEB 3.0
The term Web 3.0 is also known as the Semantic Web. It describes sites wherein computers will generate raw data on their own without direct user interaction.
COMPONENTS OF WEB 3.0: (Nov 2016)
1) Semantic Web: Provides the web user a common framework that can be used to share & reuse data across various applications, enterprises & community boundaries.
2) Web Services: A software system that supports computer-to-computer interaction over the Internet.
CA Final: Summary Notes: Part: II Information Systems Control and Audit (ISCA)
INDEX (Ch. No. / Chapter Name / Page no. / No. of pages)
1 Concepts of Governance & Management of Information Systems: pages 1-14 (14 pages)
3 Protection of Information Systems: pages 15-35 (21 pages)
5 Acquisition, Development & Implementation of Information Systems: pages 36-49 (14 pages)
7 Information Technology Regulatory Issues: pages 50-67 (18 pages)
©Compiled by: Akshay Ramdas Yadav 9881751563
Chapter 1: Concepts of Governance & Management of Information Systems
Key Concepts of Governance:
1) Governance: Derived from the Greek verb meaning "to steer". It refers to all means & mechanisms that enable multiple stakeholders to have an organized mechanism for evaluating options, setting direction & monitoring compliance & performance.
2) Enterprise Governance: Defined as "the set of responsibilities & practices exercised by the board & executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately."
Enterprise Governance has two dimensions:
a) Corporate Governance/Conformance: (RTP-M17, MTP-N16)
i) The system by which an enterprise is directed & controlled to achieve the objective of increasing shareholder value by enhancing economic performance.
ii) It refers to the structures & processes for the direction & control of companies.
iii) It provides a historic view.
iv) It focuses on regulatory requirements.
v) It is monitored by the audit committee.
vi) E.g. Sarbanes-Oxley Act of the US, Clause 49 listing requirement of SEBI.
b) Business Governance/Performance:
i) It is pro-active in its approach.
ii) It is business oriented.
iii) It takes a forward-looking view.
iv) It focuses on strategy & value creation.
v) It is advisable to develop appropriate best practices, tools & techniques.
Best practices of "Corporate Governance" include the following:
1) Clear assignment of responsibilities & decision-making authorities.
2) Establishment of a mechanism for interaction & cooperation among the BOD, senior management & auditors.
3) Implementing strong internal control systems.
4) Special monitoring of risk exposures.
5) Financial & managerial incentives to act in an appropriate manner offered to senior management, in the form of compensation, promotion & other recognition.
6) Appropriate information flows internally & to the public.
Information Technology (IT) & Governance:
Use of IT covering all key aspects of an enterprise's business processes impacts not only 'how information is processed' but also 'how computerized information systems are used for strategic & competitive advantage'.
Benefits of Governance: (i.e. defining the role of IT, IT Architecture, IT Infrastructure)
1) Achieving enterprise objectives by ensuring that each element of the mission & strategy is assigned clearly understood & transparent decision rights.
2) Defining & encouraging desirable behavior in the use of IT.
3) Implementing & integrating business processes into the enterprise.
4) Providing stability & overcoming the limitations of organizational structure.
5) Improving customer, business & internal relationships & satisfaction.
6) Enabling effective & strategically aligned decision making.
Corporate Governance (CG) & IT Governance (ITG):
1) IT provides critical inputs to meet the information needs of all the required stakeholders. Hence, CG drives & sets ITG.
2) The overall objective of ITG is very similar to CG but with a focus on IT.
3) There is an inseparable relationship b/w CG & ITG.
4) ITG is a sub-set of Corporate/Enterprise Governance.
IT Governance (ITG) & Governance of Enterprise IT (GEIT)
IT Governance & GEIT are used interchangeably; GEIT is more macro & broader in its scope of coverage.
A) IT Governance: The system in which directors of the enterprise evaluate, direct & monitor IT management to ensure effectiveness, accountability & compliance of IT.
Key practices to determine the status of IT Governance:
1) Who makes directing, controlling & executing decisions?
2) How are the decisions made?
3) What information is required to make the decisions?
4) What decision-making mechanisms are required?
5) How are exceptions handled?
6) How are the governance results monitored & improved?
Benefits of IT Governance: (N15/16, RTP-N18, MTP-N18)
1) Increased value delivered through enterprise IT.
2) Increased user satisfaction with IT services.
3) IT becoming an enabler for change rather than an inhibitor.
4) Better cost performance of IT.
5) More optimal utilization of IT resources.
6) Improved agility in supporting business needs.
7) Improved management & mitigation of IT-related business risk.
8) Improved transparency & understanding of IT's contribution to the business.
9) Improved compliance with relevant laws, regulations & policies.
B) Governance of Enterprise IT (GEIT): (RTP-N16) GEIT is a sub-set of corporate governance & facilitates implementation of a framework of IS controls within an enterprise, as relevant & encompassing all key areas.
Benefits of GEIT: (M16, RTP-N16)
1) It provides a consistent approach integrated with the enterprise governance approach.
2) It ensures that IT-related decisions are made in line with the enterprise's strategies & objectives.
3) It ensures that IT-related processes are overseen effectively & transparently.
4) It confirms compliance with legal & regulatory requirements.
5) It ensures that the governance requirements for board members are met.
Key Governance Practices of GEIT: (MTP-N18)
1) Evaluate the Governance System: Continually identify & understand the requirements. Make a judgment on the current & future design of GEIT.
2) Direct the Governance System: Inform leadership & obtain their support. Guide the structures, processes & practices in line with agreed governance design principles & decision-making models.
3) Monitor the Governance System: Monitor the effectiveness & performance of the enterprise's governance of IT. Assess whether the governance system & implemented mechanisms are operating effectively.
Enterprise Risk Management (ERM):
ERM is a process, effected by an entity's BOD, mgt. & other personnel, applied in strategy setting & across the enterprise, designed to identify potential events that may affect the entity & manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Internal Control
The US Securities & Exchange Commission (SEC) defines "Internal Control over financial reporting" as a "process designed by, or under the supervision of, the company's principal executive & principal financial officers". The company's management must provide reasonable assurance regarding the reliability of financial reporting & the preparation of financial statements for external purposes in accordance with GAAP, & this includes those policies & procedures that:
i) Pertain to the maintenance of records, in reasonable detail, accurately.
ii) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP.
The company's annual report must include "An Internal Control report of management" that contains:
i) A statement of management's responsibility for establishing & maintaining adequate internal control over financial reporting for the company.
ii) A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting.
iii) Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year.
iv) Management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in the company's internal control over financial reporting.
  v) A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.

A) Responsibility for Implementing Internal Controls:
1) SOX made a major change in internal controls by holding CEOs & CFOs personally & criminally liable for the quality & effectiveness of their organization's internal controls.
2) Internal controls are expected to provide only reasonable assurance, not absolute assurance.
3) An organization must ensure that its financial statements comply with Financial Accounting Standards (FAS) & International Accounting Standards (IAS).

B) Internal Controls as per COSO: (Exam N14, M18; RTP N15, M17; MTP N18)
1) Control Environment: For each business process, an organization needs to develop & maintain a control environment, including categorizing the criticality & materiality of each business process.
2) Risk Assessment: Each business process comes with various risks. A control environment must include an assessment of the risks associated with each business process.
3) Control Activities: Control activities must be developed to manage, mitigate & reduce the risks associated with each business process.
4) Information & Communication: These are the control activities relating to information & communication systems. They enable an organization to capture & exchange the information needed to conduct, manage & control its business processes.
5) Monitoring: The IC process must be continuously monitored, with modifications made as warranted by changing conditions.

C) Clause 49: Clause 49 of the listing agreements issued by SEBI mandates implementation of enterprise risk mgt. & IC, & holds the senior mgt. legally responsible for such implementation.
1.7 - Role of IT in Enterprises: (MTP-N18 - M-4)
1) In an increasingly digitized world, enterprises use IT not merely for data processing but also for strategic & competitive advantage.
2) IT deployment has progressed from data processing to MIS, to DSS, to online transactions/services.
3) IT has not only automated business processes but also transformed the way business processes are performed.
4) The way in which business processes are performed/services rendered, & how an organization is structured, can be transformed through the right deployment of IT.
5) It is needless to emphasize that IT is used to perform business processes, activities & tasks.
6) The extent of technology deployment also affects the way internal controls are implemented in an enterprise.
7) Extensive organizational restructuring may be facilitated through IT deployments.

Business & IT Strategy:
1) Management strategy determines, at the macro level, the path & methodology by which the enterprise renders its services.
2) Strategy is formulated by the senior management.
3) Based on the strategy adopted, relevant policies & procedures are formulated.
4) From a business strategy perspective, IT is affecting the way in which enterprises are structured, managed & operated.
5) There is a fusion of IT strategy with business strategy.
6) Enterprises can no longer develop business strategy separately from IT strategy, & vice versa.

IT Steering Committee:
Depending on the size & needs of the enterprise, the senior management may appoint a high-level committee to provide appropriate direction to IT deployment.
Key functions of the committee: (M17, RTP-N18)
1) To ensure that long- & short-range plans of the IT department are in tune with enterprise goals & objectives.
2) To establish the size & scope of the IT function & set priorities.
3) To review & approve major IT deployment projects.
4) To approve & monitor key projects by measuring the results of IT projects in terms of ROI.
5) To review the status of IS plans & budgets & overall IT performance.
6) To review & approve standards, policies & procedures (SPP).
7) To make decisions on IT deployment & implementation.
8) To facilitate implementation of IT security within the enterprise.
9) To facilitate & resolve conflicts in the deployment of IT.
10) To report to the BOD on IT activities.