All Standards


Page 1: All Standards

S.No  Name  Brief  Details

1  ITIL  IT service management (ITIL V3)

The Information Technology Infrastructure Library (ITIL) is a set of best practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.
- "Best practice" in IT Service Management, developed by the OGC (UK Office of Government Commerce) and supported by publications, qualifications and an international user group
- Assists organisations in developing a framework for IT Service Management
- Worldwide, the most widely used best practice for IT Service Management
- Consists of a series of core books giving guidance on the provision of quality IT services
- Covers service management and operations

2  ISO 20000  Service management operation

The standard was originally published in two distinct parts, later joined by a third:
- Part 1 provides the requirements for IT service management against which certification is granted. It is relevant to those responsible for initiating, implementing or maintaining IT service management in their organization. Senior management is responsible and accountable for ensuring that all requirements of Part 1 are met if certification is sought.
- Part 2, Code of Practice for Service Management, provides guidance to internal auditors and assists service providers planning service improvements or preparing for audits against ISO 20000.
- Part 3, Scope and Applicability, gives advice on scoping service management, planning and improvements.

3  ISO 27000  Information Security

ISO 27000 is a family of information security standards. Its core, ISO 27001, is the specification for an information security management system (an ISMS) and replaced the old BS 7799-2 standard. The individual standards in the family are described below.

Page 2: All Standards

ISO 27001

The ISO 27001 standard was published in October 2005, essentially replacing the old BS 7799-2 standard. It is the specification for an ISMS, an Information Security Management System. BS 7799 itself was a long-standing standard, first published in the nineties as a code of practice. As this matured, a second part emerged to cover management systems, and it is against this part that certification is granted. Today more than a thousand certificates are in place across the world.

ISO 27002

The ISO 27002 standard is the renamed ISO 17799 standard, and is a code of practice for information security. It outlines hundreds of potential controls and control mechanisms, which may be implemented subject to the guidance provided within ISO 27001.

ISO 27003

The purpose of ISO 27003 is to provide help and guidance in implementing an ISMS (Information Security Management System). This includes a focus on the PDCA (Plan, Do, Check, Act) method with respect to establishing, implementing, reviewing and improving the ISMS itself.

ISO 27004

Published in December 2009, ISO 27004 provides guidance on the development and use of measures and measurement for assessing the effectiveness of an implemented information security management system and its controls, as specified in ISO 27001. The appendix of the document also suggests metrics selected to align with ISO 27002.

ISO 27005

ISO 27005 is the prime 27000-series standard covering information security risk management. It provides guidelines for information security risk management (ISRM) in an organization, specifically supporting the requirements of an information security management system as defined by ISO 27001.

Page 3: All Standards

ISO 27006

This is the standard which offers guidelines for the accreditation of organizations which offer certification and registration with respect to an ISMS. Again it was overseen by ISO's committee SC 27. The previous standard related to this issue was EA 7/03, which has effectively been replaced by the new standard to meet market demands to better support ISO 27001. It documents the requirements additional to those specified within ISO 17021, which sets out the more generic requirements for bodies certifying management systems.

4  SOX

5  SAS 70

6  COBIT  Control OBjectives for Information and related Technology

COBIT is a widely utilized framework containing best practices for both IT general controls (ITGC) and application controls. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods for evaluating an enterprise's IT controls.

- Originally released in 1996 by the Information Systems Audit and Control Foundation (ISACF)
- Current primary publisher is the IT Governance Institute, formed by the Information Systems Audit and Control Association (ISACA) in 1998
- COBIT was formed through research of sources such as the technical standards from ISO, codes of conduct issued by the Council of Europe and ISACA, and professional standards for internal control and auditing issued by COSO, AICPA, GAO, etc.
- These sources were used to formulate COBIT to "be both pragmatic and responsive to business needs while being independent of the technical IT platforms adopted in an organization."

Page 4: All Standards

7  ITGC  IT general controls

Information technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met.

ITGC represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable.

8  COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring. These need to be in place to achieve financial reporting and disclosure objectives. COBIT provides similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate.

9  CMMI

Page 5: All Standards

10  PCI-DSS  Version 2 released in October 2010

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and so reduce credit card fraud arising from its exposure. Validation of compliance is done annually: by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

Page 6: All Standards

Areas covered (checklist)

ITIL
- Service Support: Incident Management, Problem Management, Change Management, Release Management, Configuration Management
- Service Delivery: Service Level Management, Availability Management, Capacity Management, IT Service Continuity Management, Financial Management for IT Services
- Service Desk (an ITIL function)

ISO 20000
- Management Systems: Management Responsibility, Documentation Requirements, Competences, Awareness & Training
- Planning and Implementation: Planning new services

Page 8: All Standards

The four COBIT major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate

Page 9: All Standards

ITGC areas
- Change management procedures
- Source code/document version control
- Software development life cycle
- Logical access
- Incident management
- Problem management
- Technical support
- Hardware/software
- Disaster recovery
- Physical security

Page 10: All Standards

PCI DSS requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Page 13: All Standards

ISO 20000 process model

Management Systems: Management Responsibility, Documentation Requirements, Competences, Awareness & Training

Planning & Implementation: Plan, Implement, Monitor, Improve (Plan, Do, Check, Act)

Planning & Implementing New or Changed Services

Service Delivery Processes: Capacity Management; Service Continuity & Availability Management; Service Level Management; Service Reporting; Information Security Management; Budgeting & Accounting for IT Services

Control Processes: Configuration Management; Change Management

Release Processes: Release Management

Resolution Processes: Incident Management; Problem Management

Relationship Processes: Business Relationship Management; Supplier Management


Page 15: All Standards

COBIT 4.1 processes by domain

Plan and Organise
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire and Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Deliver and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor and Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance With External Requirements
ME4 Provide IT Governance

Page 16: All Standards

PCI DSS Audit Questions and Checklists

Date:
Location:
Assessor:

No  Basic Requirement  (Status: Comply / Not Comply)
1   Install and maintain a firewall configuration to protect cardholder data
2   Do not use vendor-supplied defaults for system passwords and other security parameters
3   Protect stored cardholder data
4   Encrypt transmission of cardholder data across open, public networks
5   Use and regularly update anti-virus software
6   Develop and maintain secure systems and applications
7   Restrict access to cardholder data by business need-to-know
8   Assign a unique ID to each person with computer access
9   Restrict physical access to cardholder data
10  Track and monitor all access to network resources and cardholder data
11  Regularly test security systems and processes
12  Maintain a policy that addresses information security

No  Audit Checklist: can you show ...  (Status: Comply / Not Comply)
1   Who has access to a specified file or other resource?
2   Who has had access to a given file or other resource in the past?
3   What resources a given individual has access to across your entire enterprise?
4   That password policies and other directory settings are correct and have remained so over time?
5   That inactive accounts were deleted within the allowed timeframe?
6   That duplicate accounts do not exist?
7   That account removal, modification, and addition is performed according to policies and requirements?
8   What security settings are currently in effect in your environment?
9   What security settings have been in effect in your environment in the past?
10  That security settings are consistently applied throughout the environment?
11  What changes have been made to security settings over time?
12  What privileges have been exercised by users, particularly administrative users?
13  Audit logs with all access by all users to all resources?
14  Audit logs with all actions taken by administrators?
15  Audit logs with all access to auditing information?
16  Audit logs with all invalid access attempts?
17  Audit logs with all use of authentication mechanisms such as Active Directory?
18  Audit logs with all initialization (clearing) of audit logs?
19  Audit logs with all creation and deletion of system-level objects?
20  Proof that all systems are up-to-date with the latest service releases?
21  That you can detect unpatched systems and either correct the problem or alert an administrator to do so?
22  That the correct policies are in place to ensure secure transmission of cardholder data?
23  That secure transmission policies have remained in effect continuously?

Page 18: All Standards

Notes:
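As an added example that is not part of the original checklist, the Python script below shows how evidence for items 5, 6, 16 and 18 of the checklist above can be produced from an account export and from authentication and audit logs. The account records, the log lines and their field layout are all constructed for the demonstration; the 90-day inactivity window is the one PCI DSS v2 requirement 8.5.5 sets for removing or disabling inactive accounts.

```python
"""Evidence checks for checklist items 5, 6, 16 and 18 (added example; not part
of the original checklist).  Account export, log lines and log format are all
constructed here; the 90-day window follows PCI DSS v2 requirement 8.5.5."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=90)      # PCI DSS v2 req. 8.5.5
AS_OF = datetime(2010, 11, 4)              # assessment date (constructed)

# Constructed account export: (username, owner, last logon, enabled)
ACCOUNTS = [
    ("asmith",    "Alice Smith", "2010-11-02", True),
    ("bjones",    "Bob Jones",   "2010-06-01", True),   # inactive > 90 days, still enabled
    ("bjones2",   "Bob Jones",   "2010-11-01", True),   # second account for the same person
    ("svc_batch", "Batch Svc",   "2010-11-03", True),
    ("cold",      "Carol Old",   "2010-01-15", False),  # inactive but already disabled
]

# Constructed syslog-style lines; the field layout is an assumption, not a vendor format.
LOG_LINES = """\
2010-11-03T08:01:12 host1 auth: user=asmith result=SUCCESS src=10.0.0.5
2010-11-03T08:02:40 host1 auth: user=root result=FAILURE src=203.0.113.9
2010-11-03T08:02:41 host1 auth: user=root result=FAILURE src=203.0.113.9
2010-11-03T08:02:43 host1 auth: user=root result=FAILURE src=203.0.113.9
2010-11-03T09:15:00 host1 audit: user=bjones action=CLEAR_AUDIT_LOG
2010-11-03T09:20:30 host2 auth: user=svc_batch result=SUCCESS src=10.0.0.7
""".splitlines()

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
                     r"result=(?P<result>\S+) src=(?P<src>\S+)$")
AUDIT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) audit: user=(?P<user>\S+) "
                      r"action=(?P<action>\S+)$")


def find_duplicate_accounts(accounts):
    """Item 6: more than one account mapped to the same person."""
    by_owner = defaultdict(list)
    for user, owner, _last, _enabled in accounts:
        by_owner[owner].append(user)
    return {owner: users for owner, users in by_owner.items() if len(users) > 1}


def find_stale_enabled_accounts(accounts, as_of=AS_OF, limit=INACTIVITY_LIMIT):
    """Item 5: still-enabled accounts with no logon inside the allowed window."""
    return [user for user, _owner, last, enabled in accounts
            if enabled and as_of - datetime.strptime(last, "%Y-%m-%d") > limit]


def invalid_access_attempts(lines):
    """Item 16: failed logons counted per (user, source address)."""
    counts = Counter()
    for m in filter(None, map(AUTH_RE.match, lines)):
        if m["result"] == "FAILURE":
            counts[(m["user"], m["src"])] += 1
    return counts


def audit_log_clearing_events(lines):
    """Item 18: who cleared an audit log, on which host, and when."""
    return [(m["ts"], m["host"], m["user"])
            for m in filter(None, map(AUDIT_RE.match, lines))
            if m["action"] == "CLEAR_AUDIT_LOG"]


if __name__ == "__main__":
    print("duplicate accounts:", find_duplicate_accounts(ACCOUNTS))
    print("stale enabled accounts:", find_stale_enabled_accounts(ACCOUNTS))
    print("failed logons:", dict(invalid_access_attempts(LOG_LINES)))
    print("audit log cleared:", audit_log_clearing_events(LOG_LINES))
```

Disabled accounts are deliberately excluded from the stale-account check, since requirement 8.5.5 is satisfied by either removal or disablement; the point of the exercise is to show that each checklist answer can be backed by a repeatable query over the evidence rather than by an interview alone.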

Page 20: All Standards

Auditing Application Controls

Application Software

Application software is the software that processes business transactions. The application software could be a payroll system, a retail banking system, an inventory system, a billing system or, possibly, an integrated ERP (enterprise resource planning) system. It is the application software that understands data with reference to their business context. The rules pertaining to the business processes are implemented in the application software.

Most users interact with the computer systems only through the application software. The application software enables, and also limits, the actions that a user can perform.

It is very important to subject application software to a thorough audit because the business processes and transactions involving money, material and services flow through the application software package.

Approach to Auditing Application Software

The first question to ask in an application software review is, "What does the application software do; what business function or activity does it perform?"

In this context it is very necessary for the IS auditor to know the business. For application reviews, the IS auditor's knowledge of the intricacies of the business is as important as, if not more so than, the technical knowledge. Hence the first step in an application review is to understand the business function or activity that the software serves. This can be done by studying the operating and work procedures of the organization or other reference material, or alternatively by interviewing the personnel.

Once this is done, it is necessary to identify the potential risks associated with the business activity or function served by the application (what can go wrong?) and to see how these risks are handled by the software (what controls it?).

Application Software Audit Methodology

The information systems audit of application software should mainly cover the following areas:
- Adherence to business rules in the flow and accuracy in processing
- Validation of the various data inputs
- Logical access control and authorization
- Exception handling and logging

The steps to be performed in carrying out an application software review are as follows:

Study and review the documentation relating to the application. The IS auditor may find situations in real life where documentation is not available or is not up to date. In such cases, the auditor should obtain technical information about the design and architecture of the system through interviews.

Study the key functions of the software at work by observing and interacting with operating personnel during their work. This gives an opportunity to see how processes actually flow and also to observe associated manual activities that could act as complementary controls.

Page 21: All Standards

Run through the various menus, features and options to identify processes and options for conformance to business rules and practices. (Studying the documentation before this can significantly hasten the activity.) To illustrate with an example, it is a well accepted rule in financial accounting that once an accounting transaction has been keyed in and confirmed on the system to update the ledgers it should not be edited or modified. The correct method would be to pass a fresh reversal transaction to correct errors, if any. However, if the IS auditor observes that there is an option in the software to "edit/modify transactions," this would be noted as a control deficiency for correction.

This kind of run-through can be done more effectively if a development or test system is made available to the IS auditor. In the absence of such a facility, the auditor can only watch the system being run by the system administrator and make notes. The auditor is advised not to do any testing on a production system, as this could adversely affect a "live" system.

Validate every input to the system against the applicable criteria. Such validations go a long way in eliminating errors and ensuring data integrity. Apart from simple validations for numeric, character and date fields, all inputs should be validated with range checks, permissible values, etc. Validation checks that are built on application-specific logic can act as powerful controls not only for ensuring data accuracy but also to prevent undesirable data manipulations. The IS auditor can check validations by actually testing them out in the development/test system. Alternatively, looking at the database definitions, the associated triggers and stored procedures would be the way for a technically savvy IS auditor to review the validations.

Verify access control in application software. This consists of two aspects: the inherent design of the access control module, and the nature of access granted to various users and how it is maintained. Every application has a number of modules, options and menus that cater to the different functionality provided by the software. Different users will need access to various features based on their responsibilities and job descriptions. All access should be strictly based on the need to know and the need to do. The design of the access control module may be of various types. Most software checks a combination of user id and password before allowing access. Access may be controlled for each module, menu option or screen, or controlled through objects. Often the matrix of users versus options and actions becomes too large and complex to maintain, hence it is normal to define roles for different classes of employees, group them together and assign them similar access. The IS auditor should review the design of the access control module keeping in mind the criticality of the functions and actions possible in the software, and evaluate whether the design provides the level of control and granularity needed to allow access selectively and strictly according to the job requirements of all the users.

Having done this, the auditor should proceed to verify whether all existing users have appropriate access as evidenced by their job descriptions and whether access to certain critical activities are allowed only to select personnel duly authorized.

It also is necessary to verify who has administrator/superuser rights and how such rights are used/controlled. Ideally no one in the IT/development group should have any access to the production data. All actions on the data by the superuser should be logged and verified by the data owners regularly.

Verify how errors and exceptions are handled. In many activities software provides options and ways to reverse transactions, correct errors, allow transactions under special circumstances, etc. Each one of these is special to the business and based on the rules and procedures defined by the organization for these. The IS auditor needs to see how the software handles these. Are these circumstances properly authorized in the software? Does it capture the user id and time stamp for all transactions to provide suitable trails? Are the exceptions and critical activities like updates to global parameters logged for independent review later?

Correct any weaknesses found at the end of an application review that could lead to errors or compromises in security. These would need to be corrected by changes in design and/or some recoding. While this would be addressed by the IT department, the user or owner of the application from the functional area would want to know whether any of these weaknesses have been exploited by anyone and whether there have been any losses. To answer this question the IS auditor should download all the data for the period in question, run a series of comprehensive tests using audit software, and determine whether any error or fraud actually occurred.

Evaluate the environment under which the application runs. The audit of the application software alone is not enough. Generally, it is prudent to conduct a security review of the operating system and the database in which the application runs while doing an application review.

All critical applications used in an organization need to be subjected to detailed review by an IS auditor. This is one of the most important aspects of IS audit for a business. The job of application review becomes more complex as the application becomes larger and more integrated. While auditing complex applications, it is always good to start with a generic industry-based template of an audit work program and gradually customize the work program to the specific situation as the audit progresses.
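The controls the review steps above look for can be seen together in a small model of a transaction-processing application. The following Python example is added here and is not code from the original page; the chart of accounts, the roles and the user ids are constructed for the demonstration. It shows input validation (permissible values, numeric type, range and precision), role-based access on a need-to-do basis, posted entries that cannot be edited and are corrected only through a fresh reversal entry, and an audit trail that captures user id and time stamp for every action and denial.

```python
"""Application controls from the review steps above: input validation, role-based
access, non-editable posted entries corrected only by reversal, and an audit trail.
Added example, not code from the page; accounts, roles and users are constructed."""
from __future__ import annotations
from dataclasses import FrozenInstanceError, dataclass, field
from datetime import datetime
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"1000-CASH", "1200-AR", "4000-SALES"}   # constructed chart of accounts
ROLE_PERMISSIONS = {"clerk": {"post"}, "supervisor": {"post", "reverse"}}  # assumed roles


class ControlViolation(Exception):
    """An input validation or access-control check failed."""


@dataclass(frozen=True)  # frozen: a confirmed entry cannot be edited in place
class Entry:
    entry_id: int
    account: str
    amount: Decimal
    posted_by: str
    posted_at: datetime
    reverses: int | None = None  # id of the entry this contra entry corrects


@dataclass
class Ledger:
    users: dict[str, str]                               # user id -> role
    entries: list[Entry] = field(default_factory=list)
    trail: list[tuple] = field(default_factory=list)    # (when, who, action, detail)

    def _log(self, user: str, action: str, detail) -> None:
        self.trail.append((datetime.now(), user, action, detail))

    def _check(self, user: str, action: str) -> None:
        # Need-to-do check: the user's role must grant the action; denials are logged.
        if action not in ROLE_PERMISSIONS.get(self.users.get(user, ""), set()):
            self._log(user, "DENIED", action)
            raise ControlViolation(f"{user!r} may not {action}")

    @staticmethod
    def _validate(account: str, amount) -> Decimal:
        """Permissible-value, numeric, range and precision checks on the inputs."""
        if account not in VALID_ACCOUNTS:
            raise ControlViolation(f"unknown account {account!r}")
        try:
            amt = Decimal(str(amount))
        except InvalidOperation:
            raise ControlViolation(f"amount {amount!r} is not numeric") from None
        if not amt.is_finite() or amt <= 0 or amt.as_tuple().exponent < -2:
            raise ControlViolation(f"amount {amount!r} out of range or precision")
        return amt

    def post(self, user: str, account: str, amount) -> Entry:
        self._check(user, "post")
        entry = Entry(len(self.entries) + 1, account, self._validate(account, amount),
                      user, datetime.now())
        self.entries.append(entry)
        self._log(user, "POST", entry.entry_id)
        return entry

    def reverse(self, user: str, entry_id: int) -> Entry:
        """Correct an error with a fresh contra entry; the original is never modified."""
        self._check(user, "reverse")
        original = next((e for e in self.entries if e.entry_id == entry_id), None)
        if (original is None or original.reverses is not None
                or any(e.reverses == entry_id for e in self.entries)):
            raise ControlViolation(f"entry {entry_id} cannot be reversed")
        entry = Entry(len(self.entries) + 1, original.account, -original.amount,
                      user, datetime.now(), reverses=entry_id)
        self.entries.append(entry)
        self._log(user, "REVERSE", entry_id)
        return entry

    def balance(self, account: str) -> Decimal:
        return sum((e.amount for e in self.entries if e.account == account), Decimal(0))


def run_review_scenario() -> dict:
    """Exercise the controls the way an auditor would on a development/test system."""
    ledger = Ledger(users={"ckumar": "clerk", "sdas": "supervisor"})
    sale = ledger.post("ckumar", "4000-SALES", "1250.00")
    ledger.reverse("sdas", sale.entry_id)              # authorised correction
    attempts = {
        "bad_account": lambda: ledger.post("ckumar", "9999-NONE", "10"),
        "bad_amount": lambda: ledger.post("ckumar", "4000-SALES", "-10"),
        "clerk_reverse": lambda: ledger.reverse("ckumar", sale.entry_id),
        "double_reverse": lambda: ledger.reverse("sdas", sale.entry_id),
        "edit_in_place": lambda: setattr(sale, "amount", Decimal("1")),
    }
    results = {"posted": str(sale.amount), "balance_after_reversal": str(ledger.balance("4000-SALES"))}
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = "allowed"
        except (ControlViolation, FrozenInstanceError):
            results[label] = "blocked"
    results["trail_actions"] = [action for _, _, action, _ in ledger.trail]
    return results
```

Running run_review_scenario() on a test system is the kind of run-through the text describes: the posting and the supervisor's reversal succeed and net to zero, every attempt at an invalid account, a negative amount, a reversal by a clerk, a second reversal of the same entry, or an in-place edit of a confirmed entry is blocked, and the trail records the denied attempt alongside the legitimate actions. An "edit/modify transactions" option that bypassed this model would be the control deficiency the text tells the auditor to note.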

Page 22: All Standards

The IS Auditing Guideline issued by ISACA on Application Systems Review, under Performance of Work, contains detailed guidance on planning the review, application risks, documenting the flow of transactions, and identifying and testing the application system controls and reporting. The material in these guidelines has not been reproduced in this article but can be invaluable for an IS auditor seeking guidance or clarification on application reviews. The guidelines can be seen on ISACA's web site, www.isaca.org, under Standards.

Page 23: All Standards

Application controls
- Input controls
- Processing controls
- Output controls
- Integrity and management trail

Testing
- Penetration testing
- Functional testing, UAT
- Usability, GUI, compatibility, performance

Page 25: All Standards

URL:

S.No  Parameter  Checklist

1  Title Tag
1.1 It should always appear immediately after the opening <head> tag.
1.2 It should contain specific keywords and phrases.
1.3 6-12 words (less than 60 characters) is a good length for a title tag.
1.4 Keep the words in title case (eg: Professional Marketing Tips).
1.5 Strive for a keyword density of 25-35% for each keyword.
1.6 Try to keep title tags as unique as possible on each page of your website.

2  The main body text
2.1 Keyword prominence: make sure to put the most important keywords into a carefully crafted paragraph at the beginning of your HTML page. Prominence is how close to the start of the area the keyword appears. In general, a keyword that appears closer to the top of the page or area will be more relevant.
2.2 Keyword density: if the page contains fewer than 500 words, keeping 1%-3% of those words as keywords is better. If the page contains more than 500 words, keep 3%-5% of the overall content.
2.3 Try to provide a minimum word count of 250 and a maximum of 750 words on each page.
2.4 Use the 'alt' attribute to describe each image. The alt text is displayed in place of the image if the user has graphics turned off, or when the cursor hovers over it in Internet Explorer. Some search engines, including Google, will look for keywords in the alt text. eg: <img src="image.jpg" alt="Blue Widgets, Red Widgets, and Green Widgets">
2.5 Insert a comment tag in your page; it is hidden and not visible to the user. A couple of search engines will read this text, so you may wish to include keywords in these tags. eg: <!-- Blue Widgets, Red Widgets, and Green Widgets -->

3  Meta tags

META Description Tag: <META name="Description" content="Your descriptive sentence goes here.">
1. Write it in sentence structure.
2. It should be relevant to, and similar to, the 25-30 word (under 150 characters) description in the first text of the visible page.
3. Do not repeat your keywords more than 3 times in the description tag. If you need to, use alternatives (e.g. 'prescription' and 'prescriptions' can be used 3 times each).
4. Minimize the use of "stop words" such as "and, the, of".
5. Keyword phrases that appear earliest in the meta description will generally receive higher ranking value.
6. Try to include this tag in all pages, describing the content; it should be unique.
7. Don't load your meta description with only keywords.
8. Strive for 6%-20% keyword density.
9. Use a different meta description tag for each page.

META Keyword Tag: <META name="keywords" content="your keywords, go here, separated by a comma">
1. Keep to 100 to 250 characters to get better results.
2. Start with the most important and then proceed to the less important.
3. Use keywords/phrases.
4. Do not repeat any word more than 3 times.
5. Do not place repeated keywords close together.
6. If your site has content of interest to a specific geographic location, be sure to include the actual location in your keyword meta.
7. Use keywords that are actually on the page and reflect the essence of your content.
8. Separate the keywords in your meta keywords tag with commas, not spaces.
9. Try to use lower case in keywords/phrases (eg: replace the keyword phrase "Website Design" with "website design").
10. Strive for 4%-10% keyword density.

4  Spider Friendly Navigation
1. Use a keyword/phrase that best describes the target page.
2. Always use your primary keywords in the link text at least once on the page.
3. Try to place your primary keywords at the start of the link text if possible.
4. Try to use the title attribute in text links. eg: <a href="yourpage.html" title="Describe this page.">The link label goes here</a>
5. Avoid using image maps; if needed, make sure to add text links at the bottom of all pages.
6. Do not use long text; limit link text to 40-50 characters.
7. Avoid using JavaScript links.
8. Create text links and use a common navigational menu for all the pages.
9. Make sure the pages on your site link to one another, especially the home page.
10. Try to include a site map if you have more than 30 pages.
11. Submit an XML site map to Google. (Visit: Google Sitemaps)
12. Limit the number of links per page to fewer than 20 for better results.
13. If your website uses Flash, make sure to add text links at the bottom of the page as a supplement to the Flash navigation. (Google now takes links from Flash.)
14. Try to use keyword phrases in the HTML and image file names.
15. Keep your file names hyphenated (eg: http://www.hotels-kochi.htm).

5
1. Try to get reciprocal links between your site and others in the same industry.
2. Incoming links should use your keyword phrase.
3. Link to others with higher PageRank.
4. Include your reciprocal page link from the main page of your website.
5. Avoid using link text such as "links" or "link exchange"; use "Resources" instead.
6. Try to build a link category that best matches your site content.
7. Do not provide more than 20 links per page; if needed, split it into an additional page.
8. Try to use brief text along with links describing the content of the outbound link page.

Observation and ideal: www.Mazars.co.in

Title tag

Observation: The title tag at present is "Home Mazars India"; it does not provide a short description of the page or the nature of the site, unlike E&Y, whose title tag is "Advisory, Assurance, Tax, Transaction Services - Ernst & Young India - Ernst & Young - India". The keywords describing the nature of the site have not been defined.

Ideal: The title tag is an important part of a website. It is a short description of the page, and the most important words should go first. Every HTML page should have a title tag and all title tags should be unique; don't use the same title tag for multiple documents. It should be inserted into the header of your web page. This carries a score of 1.5 and is essential for search engines to crawl and index your website.

Images and meta tags

Observation: No alt text is defined for the image. Meta tags have not been defined appropriately: the current meta description is "Home Page", which says nothing about the services provided by Mazars or the nature of the site.

Ideal: Meta tags are embedded in the HTML code of a page. Insert the META elements at the top of your document, just after the <TITLE> element. The basic syntax for meta tags is:

<HEAD>
<TITLE>Your Page Title Goes Here</TITLE>
<META name="description" content="type your description here">
<META name="keywords" content="type, your, keywords, keyword phrase here">
</HEAD>

Link title attributes

Observation: Not defined. Title attributes have not been set on the links provided on the website, because of which crawlers may not navigate through the site completely.

Site map

Observation: No site map.

Page 37: All Standards

PCAOB Audit Standard 5 Public company accounting oversight board section 3190.16

0.17

0.18

IT provides potential benefits of effectiveness and efficiency for an entity’s internal control because it enables an entity to—

0.19

IT also poses specific risks to an entity’s internal control, including—

0.2

0.3

An entity’s use of IT may affect any of the five components of internal control relevant to the achievement of the entity’s financial reporting, operations, or compliance objectives, and its operating units or business functions. For example, an entity may use IT as part of discrete systems that support only particular business units, functions, or activities, such as a unique accounts receivable system for a particular business unit or a system that controls the operation of factory equipment. Alternatively, an entity may have complex, highly integrated systems that share data and that are used to support all aspects of the entity’s financial reporting, operations, and compliance objectives.

The use of IT also affects the fundamental manner in which transactions are initiated, recorded, processed, and reported. fn 8 In a manual system, an entity uses manual procedures and records in paper format (for example, individuals may manually record sales orders on paper forms or journals, authorize credit, prepare shipping reports and invoices, and maintain accounts receivable records). Controls in such a system also are manual and may include such procedures as approvals and reviews of activities, and reconciliations and follow-up of reconciling items. Alternatively, an entity may have information systems that use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format replace such paper documents as purchase orders, invoices, shipping documents, and related accounting records. Controls in systems that use IT consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. An entity’s mix of manual and automated controls varies with the nature and complexity of the entity’s use of IT.

IT can benefit an entity’s internal control because it enables the entity to:

- Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.
- Enhance the timeliness, availability, and accuracy of information.
- Facilitate the additional analysis of information.
- Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.
- Reduce the risk that controls will be circumvented.
- Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

IT also poses specific risks to an entity’s internal control, including:

- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
- Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
- Unauthorized changes to data in master files.
- Unauthorized changes to systems or programs.
- Failure to make necessary changes to systems or programs.
- Inappropriate manual intervention.
- Potential loss of data.

The extent and nature of these risks to internal control vary depending on the nature and characteristics of the entity’s information system. For example, multiple users, either external or internal, may access a common database of information that affects financial reporting. In such circumstances, a lack of control at a single user entry point might compromise the security of the entire database, potentially resulting in improper changes to or destruction of data. When IT personnel or users are given, or can gain, access privileges beyond those necessary to perform their assigned duties, a breakdown in segregation of duties can occur. This could result in unauthorized transactions or changes to programs or data that affect the financial statements. Therefore, the nature and characteristics of an entity’s use of IT in its information system affect the entity’s internal control.
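The segregation-of-duties breakdown described above (a user holding entitlements across systems that together let one person both initiate and approve, or both develop and deploy) can be tested with a conflict matrix over an access-rights extract. This is an added illustration, not a procedure from the standard; the conflict pairs, the user data and the function names are constructed for the example.

```python
"""Segregation-of-duties (SoD) check over an access-rights extract.

Added illustration: the conflict matrix, the entitlement rows and the function
names are constructed for this example and are not part of the standard.
"""
from collections import defaultdict

# Pairs of duties one person should not hold together (constructed policy).
CONFLICTING_DUTIES = [
    ("create_vendor", "approve_payment"),
    ("enter_journal", "post_journal"),
    ("develop_program", "deploy_program"),   # developer with production access
    ("maintain_master_file", "approve_master_change"),
]

def conflicts_for_duties(duties, conflicts=CONFLICTING_DUTIES):
    """Return the conflicting duty pairs present in one user's duty set."""
    held = set(duties)
    return [pair for pair in conflicts if held.issuperset(pair)]

def sod_report(entitlements, conflicts=CONFLICTING_DUTIES):
    """Map each user to the SoD conflicts in their combined entitlements.

    `entitlements` is a list of (user, system, duty) rows, e.g. an extract of
    application, database and operating-system access lists. Duties are merged
    across systems because the conflict only appears once the halves combine.
    """
    by_user = defaultdict(set)
    for user, _system, duty in entitlements:
        by_user[user].add(duty)
    report = {}
    for user, duties in sorted(by_user.items()):
        found = conflicts_for_duties(duties, conflicts)
        if found:
            report[user] = found
    return report

# Constructed access extract for the example.
SAMPLE_ENTITLEMENTS = [
    ("alice", "AP_app",  "create_vendor"),
    ("alice", "AP_app",  "approve_payment"),   # creates vendors and pays them
    ("bob",   "GL_app",  "enter_journal"),
    ("carol", "GL_app",  "post_journal"),
    ("dave",  "dev_git", "develop_program"),
    ("dave",  "prod_os", "deploy_program"),    # conflict spans two systems
    ("erin",  "GL_app",  "maintain_master_file"),
]

if __name__ == "__main__":
    for user, pairs in sod_report(SAMPLE_ENTITLEMENTS).items():
        print(f"{user}: {pairs}")
```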

Page 38: All Standards

Paragraphs .31, .32, .77, .78, .79

In making a judgment about the understanding of internal control necessary to plan the audit, the auditor also considers IT risks that could result in misstatements. For example, if an entity uses IT to perform complex calculations, the entity receives the benefit of having the calculations consistently performed. However, the use of IT also presents risks, such as the risk that improperly authorized, incorrectly defined, or improperly implemented changes to the system or programs performing the calculations, or to related program tables or master files, could result in consistently performing those calculations inaccurately. As an entity's operations and systems become more complex and sophisticated, it becomes more likely that the auditor would need to increase his or her understanding of the internal control components to obtain the understanding necessary to design tests of controls, when applicable, and substantive tests.

The auditor should consider whether specialized skills are needed for the auditor to determine the effect of IT on the audit, to understand the IT controls, or to design and perform tests of IT controls or substantive tests. A professional possessing IT skills may be either on the auditor’s staff or an outside professional. In determining whether such a professional is needed on the audit team, the auditor considers factors such as the following:

·         The complexity of the entity’s systems and IT controls and the manner in which they are used in conducting the entity’s business

·         The significance of changes made to existing systems, or the implementation of new systems

·         The extent to which data is shared among systems

·         The extent of the entity’s participation in electronic commerce

·         The entity’s use of emerging technologies

·         The significance of audit evidence that is available only in electronic form

Procedures that the auditor may assign to a professional possessing IT skills include inquiring of an entity’s IT personnel how data and transactions are initiated, recorded, processed, and reported and how IT controls are designed; inspecting systems documentation; observing the operation of IT controls; and planning and performing tests of IT controls. If the use of a professional possessing IT skills is planned, the auditor should have sufficient IT-related knowledge to communicate the audit objectives to the professional, to evaluate whether the specified procedures will meet the auditor’s objectives, and to evaluate the results of the procedures as they relate to the nature, timing, and extent of other planned audit procedures.

In designing tests of automated controls, the auditor should consider the need to obtain evidence supporting the effective operation of controls directly related to the assertions as well as other indirect controls on which these controls depend. For example, the auditor may identify a “user review of an exception report of credit sales over a customer’s authorized credit limit” as a direct control related to an assertion. In such cases, the auditor should consider the effectiveness of the user review of the report and also the controls related to the accuracy of the information in the report (for example, the general controls).

Because of the inherent consistency of IT processing, the auditor may be able to reduce the extent of testing of an automated control. For example, a programmed application control should function consistently unless the program (including the tables, files, or other permanent data used by the program) is changed. Once the auditor determines that an automated control is functioning as intended (which could be done at the time the control is initially implemented or at some other date), the auditor should consider performing tests to determine that the control continues to function effectively. Such tests might include determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for processing transactions, and that other relevant general controls are effective. Such tests also might include determining that changes to the programs have not been made, as may be the case when the entity uses packaged software applications without modifying or maintaining them.
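The two follow-up tests named above (that the authorized version of the program is the one processing transactions, and that no change has bypassed program change controls) reduce to reconciling what is deployed against an authorized baseline and the approved-change log. The check below is an added example, not the standard's own procedure; the baseline, deployment and change-log data are constructed, and programs are represented by their bytes so the fingerprint can be computed offline.

```python
"""Continuity test for an automated control via program change controls.

Added illustration, not the standard's own procedure. Checks, for each program
in production, that either it still matches the hash authorized at the last
test or its new hash is covered by an approved change record.
"""
import hashlib

def fingerprint(program_bytes: bytes) -> str:
    """SHA-256 of the program artifact (or its tables / parameter files)."""
    return hashlib.sha256(program_bytes).hexdigest()

def check_deployment(deployed, baseline, change_log):
    """Return a list of findings; an empty list means the evidence reconciles.

    deployed:   {program: bytes currently running in production}
    baseline:   {program: hash authorized when the control was last tested}
    change_log: [{'program', 'new_hash', 'approved'}] from change control
    """
    findings = []
    approved = {(c["program"], c["new_hash"]) for c in change_log if c["approved"]}
    for program, content in sorted(deployed.items()):
        current = fingerprint(content)
        if program not in baseline:
            findings.append(f"{program}: not in authorized baseline")
        elif current == baseline[program]:
            continue  # unchanged since last test: consistency assumption holds
        elif (program, current) in approved:
            continue  # changed, but through the change-control process
        else:
            findings.append(f"{program}: changed without an approved change record")
    return findings

# Constructed data: one program changed with approval, one patched without.
INTEREST_V1 = b"calc_interest v1: rate table 2024"
INTEREST_V2 = b"calc_interest v2: rate table 2025"
DEPREC_V1 = b"depreciation v1"
DEPREC_PATCHED = b"depreciation v1 + unreviewed hotfix"

BASELINE = {"calc_interest": fingerprint(INTEREST_V1),
            "depreciation": fingerprint(DEPREC_V1)}
CHANGE_LOG = [{"program": "calc_interest",
               "new_hash": fingerprint(INTEREST_V2), "approved": True}]
DEPLOYED = {"calc_interest": INTEREST_V2, "depreciation": DEPREC_PATCHED}

if __name__ == "__main__":
    for finding in check_deployment(DEPLOYED, BASELINE, CHANGE_LOG):
        print(finding)
```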

To test automated controls, the auditor may need to use techniques that are different from those used to test manual controls. For example, computer-assisted audit techniques may be used to test automated controls or data related to assertions. Also, the auditor may use other automated tools or reports produced by IT to test the operating effectiveness of general controls, such as program change controls, access controls, and system software controls. The auditor should consider whether specialized skills are needed to design and perform such tests of controls.

Page 39: All Standards

Execution
- Configuration Management Testing - 4
- Business logic testing - 8
- Authentication Testing - 4
- Authorization Testing - 4
- Session Management Testing - 3
- Data Validation Testing - 6
- Testing for Denial of Service - 3
- Web Services Testing - 4