Direct study report on Information system (IS) audit
7/29/2019 Direct study report on Information system (IS) audit
TRIBHUVAN UNIVERSITY
Department of Mechanical Engineering
INSTITUTE OF ENGINEERING
Pulchowk Campus
Directed Study Report
On
Information System (IS) Audit
9th October, 2012
Submitted By:
Rajendra Bahadur Thapa
(068/MsTIM/156)
Rajib Kumar Hyoju
(068/MsTIM/157)
Sudan Kayastha
(068/MsTIM/163)
Sudip Joshi
(068/MsTIM/165)
Submitted to: Prof. Amrit Man Nakarmi
Co-ordinator,
Master of Science in Technology and
Innovation Management (MsTIM),
Department of Mechanical Engineering.
ACKNOWLEDGEMENT
We wish to express our sincere gratitude to Prof. Amrit Man Nakarmi, Co-ordinator of the
Master of Science in Technology and Innovation Management (MsTIM) program, and to the
core group members of the MsTIM program for providing us the opportunity to carry out a
directed study on the topic "Information System (IS) Audit" as a core course of study in the
third semester of MsTIM. We sincerely thank our other professors and lecturers for
their valuable feedback and encouragement in carrying out this directed study work.
Last but not least, we wish to avail ourselves of this opportunity to express our
gratitude and love to our friends for their moral support, strength, help and for
everything.
Sincerely,
Rajendra Bahadur Thapa
Rajib Kumar Hyoju
Sudan Kayastha
Sudip Joshi
MsTIM-2011
Abstract
The strength of an organization is measured by the strength of its information system, which
integrates the knowledge, capabilities, maturity models, product and service delivery
processes, etc. possessed by the organization. The information system must be flawless, be
aware of possible risks and have good measures against risk hazards. For this, the
information system must be certified or audited to check its level of performance and to
enhance the system. Information systems audit is a part of the overall audit process, which
is one of the facilitators for good corporate governance. Information systems are the
lifeblood of any large business. The purpose of IS audit is to review and provide feedback,
assurances and suggestions for the availability, confidentiality and integrity of the
information systems. The COBIT framework for IS Audit incorporates the business-focused,
process-oriented, controls-based and measurement-driven characteristics. NRB has issued
IT Guidelines to be implemented by the commercial banks of Nepal. Thus, due to the
increasing complexity of information systems, IS audit is necessary to avoid risk hazards
and to enhance the performance of information systems so as to yield more efficiency and
competitive advantages.
Key Words: Information System, Information Technology, IT Audit, IS Audit, COBIT,
COBIT Framework, NRB Guidelines, Nepal
Table of Contents
ACKNOWLEDGEMENT
Abstract
List of Abbreviations
1. Background
1.1 Introduction
1.2 Significance of the Study
1.2.1 General Significance
1.2.2 Specific Significance
1.3 Statement of Purpose
1.4 Theoretical Framework/Model
1.4.1 Control Objectives for Information and related Technology (COBIT)
2. Literature Review
2.1 Elements of IS Audit
2.2 Need for a Control Framework in Information System
2.3 Procedures
2.4 Control Objectives for Information and related Technology (COBIT)
2.4.1 Vision
2.4.2 How COBIT Meets the Need
2.4.3 COBIT Framework Model
2.4.1 Overall COBIT Framework
2.5 Information Security and Technical Security Risks
2.5.1 Information Security
2.5.2 Technical Security Risks
3. IS Audit in Nepal Scenario
3.1 NRB guidelines
3.2 Challenges for Nepal in implementing IS Audit
4. Discussion and Recommendation
4.1 Discussion
4.2 Recommendation
5. Conclusion
6. References and Bibliography
List of Abbreviations
IT Information Technology
IS Information System
ITGI IT Governance Institute
CISA Certified Information Systems Auditors
ATM Automatic Teller Machine
COBIT Control Objectives for Information and related Technology
NRB Nepal Rastra Bank
ISACA Information Systems Audit and Control Association
ITSEC Information Technology Security Evaluation Criteria
TCSEC Trusted Computer System Evaluation Criteria
COSO Committee of Sponsoring Organizations
CMMI Capability Maturity Model Integration
ITIL Information Technology Infrastructure Library
PMBOK Project Management Body of Knowledge
SEI Software Engineering Institute
1. Background
1.1 Introduction
This 21st century is the age of information and knowledge management. The strength of an
organization is measured by the strength of the knowledge, capabilities, maturity models,
product and service delivery processes, etc. possessed by the organization. For this,
organizations and firms should have an efficient and reliable information system. To achieve
the best information system, organizations are in a rat race to use cutting edge
technologies. It is indeed necessary for all organizations and firms to keep up with new
technology and show good performance in the market in order to gain competitive
advantages over rival companies.
Adopting an information system has also increased the risks to the organization if any
flaws are present. These days, if there is any flaw in the system, the bad impression can
spread to the whole world within a few seconds. Any delay in services or flaw in the
product may be tweeted (following the messages in social networking sites like Twitter,
Facebook, etc.) by the customers. So, the product and services must be perfect and should
satisfy all the customers.
To achieve the main goal of the business by satisfying the customers, the information
system must be flawless, be aware of possible risks and have good measures against risk
hazards. For this, the information system must be certified or audited to check its level
of performance and to enhance the system.
Information systems audit is a part of the overall audit process, which is one of the
facilitators for good corporate governance. While there is no single universal definition
of IS audit, Ron Weber has defined it as "the process of collecting and evaluating
evidence to determine whether a computer system (information system) safeguards
assets, maintains data integrity, achieves organizational goals effectively and consumes
resources efficiently."
Information systems are the lifeblood of any large business. As in years past, computer
systems do not merely record business transactions, but actually drive the key business
processes of the enterprise. In such a scenario, senior management and business
managers do have concerns about information systems. The purpose of IS audit is to
review and provide feedback, assurances and suggestions. These concerns can be
grouped under three broad heads:
Availability: Will the information systems on which the business is heavily dependent be
available for the business at all times when required? Are the systems well protected
against all types of losses and disasters?
Confidentiality: Will the information in the systems be disclosed only to those who have
a need to see and use it and not to anyone else?
Integrity: Will the information provided by the systems always be accurate, reliable and
timely? What ensures that no unauthorized modification can be made to the data or the
software in the systems?
There is also a lot of competition among business firms and organizations in Nepal. Every
business firm is aware of the benefits of the information sector. The banking sector is
prominent in using the best information systems within its capacity. Guidelines for
Information Technology audit have been introduced by Nepal Rastra Bank (the central bank
of Nepal). IT audit still has to be introduced by other firms for better performance, which
will gradually increase in the coming days.
1.2 Significance of the Study
1.2.1 General Significance
The general significance is to study the effective management processes of Information
System.
1.2.2 Specific Significance
The specific significance of the study can be stated as follows:
To study the importance of Information System for an organization, firms, or businesses.
To study the management philosophy, operating style, and risk assessment practices for Information System.
To study the processes for auditing Information Systems adopted worldwide.
To study the security hazards and technical risks in Information Systems.
To relate Information System audit to the context of Nepal.
1.3 Statement of Purpose
Like air is necessary for human beings, these days in every business, organizations and
institutions, information system is necessary for smooth operation. There are many
issues on using information system.
High tech manpower is needed to implement the information system in an
effective way.
Many companies, organizations, etc are bearing a huge loss while implementing
the information system.
Information system is integrated to the whole business process. Information
Technology department must be responsible for the smooth operation of the
information system.
So, there is a need for control over the implementation of information systems for
prosperous overall business performance. Hence we focus our study on the control
framework for information governance, which is also known as Information System
Auditing.
1.4 Theoretical Framework/Model
Governance over information technology and its processes, with the business goal of
adding value while balancing risk versus return, ensures delivery of information to the
business that addresses the required Information Criteria. This is measured by Key
Goal Indicators, enabled by creating and maintaining a system of process control
excellence appropriate for the business. It directs and monitors the business value
delivery of IT, considers Critical Success Factors that leverage all IT Resources, and is
measured by Key Performance Indicators. [IT Governance Institute, 2004]
Critical success factors
IT governance activities are integrated into the enterprise governance process
and leadership behaviors.
IT governance focuses on the enterprise goals, strategic initiatives, the use of
technology to enhance the business and on the availability of sufficient resources
and capabilities to keep up with the business demands.
IT governance activities are defined with a clear purpose, documented and
implemented, based on enterprise needs and with unambiguous accountabilities.
Management practices are implemented to increase efficient and optimal use of
resources and increase the effectiveness of IT processes.
Organizational practices are established to enable: sound oversight; a control
environment/culture; risk assessment as standard practice; degree of adherence
to established standards; monitoring and follow up of control deficiencies and
risks.
Control practices are defined to avoid breakdowns in internal control and
oversight.
Key Goal Indicators
Enhanced performance and cost management
Improved return on major IT investments
Improved time to market
Increased quality, innovation and risk management
Appropriately integrated and standardized business processes
Reaching new and satisfying existing customers
Availability of appropriate bandwidth, computing power and IT delivery
mechanisms
Meeting requirements and expectations of the customer of the process on budget
and on time
Adherence to laws, regulations, industry standards and contractual commitments
Transparency on risk taking and adherence to the agreed organizational risk
profile
Benchmarking comparisons of IT governance maturity
Creation of new service delivery channels
Key Performance Indicators
Improved cost-efficiency of IT processes (costs vs. deliverables)
Increased number of IT action plans for process improvement initiatives
Increased utilization of IT infrastructure
Increased satisfaction of stakeholders (survey and number of complaints)
Improved staff productivity (number of deliverables) and morale (survey)
Increased availability of knowledge and information for managing the enterprise
Increased linkage between IT and enterprise governance
Improved performance as measured by IT balanced scorecards
In recent years, it has become increasingly evident that there is a need for a reference
framework for security and control in IT. Successful organizations require an
appreciation for and a basic understanding of the risks and constraints of IT at all levels
within the enterprise in order to achieve effective direction and adequate controls.
Based on the compliance testing carried out in the prior phase, we develop an audit
program detailing the nature, timing and extent of the audit procedures. In the Audit
Plan various Control Tests and Reviews can be done.
1.4.1 Control Objectives for Information and related Technology (COBIT):
The Control Objectives for Information and related Technology (COBIT) is a set of best
practices (a framework) for information technology (IT) management created by the
Information Systems Audit and Control Association (ISACA) and the IT Governance
Institute (ITGI) in 1992.
COBIT provides managers, auditors and IT users with a set of generally accepted
measures, indicators, processes and best practices to assist them in maximizing the
benefits derived through the use of information technology and in developing appropriate
IT governance and control in a company.
2. Literature Review
2.1 Elements of IS Audit
An information system is not just a computer. Today's information systems are complex
and have many components that piece together to make a business solution.
Assurances about an information system can be obtained only if all the components are
evaluated and secured. The proverbial weakest link is the total strength of the chain.
The major elements of IS audit can be broadly classified:
Physical and environmental review: this includes physical security, power supply, air
conditioning, humidity control and other environmental factors.
System administration review: this includes security review of the operating systems,
database management systems, all system administration procedures and compliance.
Application software review: the business application could be payroll, invoicing, a
web-based customer order processing system or an enterprise resource planning
system that actually runs the business. Review of such application software includes
access control and authorizations, validations, error and exception handling, business
process flows within the application software and complementary manual controls and
procedures. Additionally, a review of the system development lifecycle should be
completed.
Network security review: review of internal and external connections to the system,
perimeter security, firewall review, router access control lists, port scanning and
intrusion detection are some typical areas of coverage.
Business continuity review: this includes existence and maintenance of fault tolerant
and redundant hardware, backup procedures and storage, and a documented and tested
disaster recovery/business continuity plan.
Data integrity review: the purpose of this is scrutiny of live data to verify adequacy of
controls and impact of weaknesses, as noticed from any of the above reviews. Such
substantive testing can be done using generalized audit software (e.g., computer
assisted audit techniques).
All these elements need to be addressed to present to management a clear assessment
of the system. For example, application software may be well designed and
implemented with all the security features, but the default super-user password in the
operating system used on the server may not have been changed, thereby allowing
someone to access the data files directly. Such a situation negates whatever security is
built into the application. Likewise, firewalls and technical system security may have
been implemented very well, but the role definitions and access controls within the
application software may have been so poorly designed and implemented that by using
their user IDs, employees may get to see critical and sensitive information far beyond
their roles.
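As an added example (not part of the original report), a small CAAT-style review script for the second situation described above: it compares what the application actually grants each user with what the user's role should allow, then checks an access log for cases where that excess was actually exercised. The role model, grant table, user names and log lines are all constructed for illustration.

```python
"""Role-versus-grant review for an application access control audit.

Added illustration, not from the original report. Inputs are constructed:
a role model the business signed off on, the grant table exported from the
application, and a few access-log lines. Two checks are performed:
  1. design check: which users hold grants beyond their role (or hold grants
     with no role on record at all);
  2. exposure check: which log entries show such an excess actually used.
"""

# Entitlements each role is supposed to have (constructed sample).
ROLE_ENTITLEMENTS = {
    "teller": {"customer_basic", "cash_txn"},
    "loan_officer": {"customer_basic", "loan_file"},
    "it_admin": {"system_config"},
    "auditor": {"customer_basic", "loan_file", "cash_txn", "system_config"},
}

# Role register: which role each user is assigned (constructed sample).
USER_ROLES = {"alice": "teller", "bob": "loan_officer", "carol": "it_admin", "dave": "auditor"}

# What the application's ACL table actually grants (constructed sample).
# alice and carol hold more than their role allows; erin has no role at all.
APP_GRANTS = {
    "alice": {"customer_basic", "cash_txn", "loan_file"},
    "bob": {"customer_basic", "loan_file"},
    "carol": {"system_config", "customer_basic"},
    "dave": {"customer_basic", "loan_file", "cash_txn", "system_config"},
    "erin": {"cash_txn"},
}

# Constructed access log: "<timestamp> <user> <resource>" per line.
ACCESS_LOG = """\
2012-10-01T09:02:11 alice customer_basic
2012-10-01T09:05:40 alice loan_file
2012-10-01T09:07:02 bob loan_file
2012-10-01T10:12:55 carol customer_basic
2012-10-01T10:30:19 erin cash_txn
2012-10-01T11:01:00 dave system_config
"""


def allowed_for(user, user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS):
    """Entitlements the role model permits for a user; empty set if no role is on record."""
    return role_entitlements.get(user_roles.get(user), set())


def excess_grants(app_grants=APP_GRANTS, user_roles=USER_ROLES,
                  role_entitlements=ROLE_ENTITLEMENTS):
    """Design check: map each user to the grants that exceed their role.
    A user with no role on record is reported with all of their grants."""
    findings = {}
    for user, granted in app_grants.items():
        excess = granted - allowed_for(user, user_roles, role_entitlements)
        if excess:
            findings[user] = excess
    return findings


def parse_log(text):
    """Yield (timestamp, user, resource) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield tuple(parts)


def exercised_excess(log_text=ACCESS_LOG, user_roles=USER_ROLES,
                     role_entitlements=ROLE_ENTITLEMENTS):
    """Exposure check: log entries where a user accessed a resource outside their role."""
    return [(ts, user, res) for ts, user, res in parse_log(log_text)
            if res not in allowed_for(user, user_roles, role_entitlements)]


def main():
    for user, excess in sorted(excess_grants().items()):
        role = USER_ROLES.get(user, "<no role on record>")
        print(f"{user} ({role}): excess grants {sorted(excess)}")
    for ts, user, res in exercised_excess():
        print(f"{ts} {user} accessed {res} outside role")


if __name__ == "__main__":
    main()
```

The first check reports the design weakness in the grant table itself; the second shows which of those weaknesses have already turned into actual exposure, which is the distinction an auditor needs when rating the finding.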
It is important to understand that each audit may consist of these elements in varying
measures; some audits may scrutinize only one of these elements or drop some of
these elements. While the fact remains that it is necessary to do all of them, it is not
mandatory to do all of them in one assignment. The skill sets required for each of these
are different. The results of each audit need to be seen in relation to the other. This will
enable the auditor and management to get the total view of the issues and problems.
2.2 Need for a Control Framework in Information System
In recent years, it has become increasingly evident that there is a need for a reference
framework for security and control in IT. Successful organizations require an
appreciation for and a basic understanding of the risks and constraints of IT at all levels
within the enterprise in order to achieve effective direction and adequate controls.
MANAGEMENT has to decide what to reasonably invest for security and control in IT
and how to balance risk and control investment in an often unpredictable IT
environment. While information systems security and control help manage risks, they do
not eliminate them. In addition, the exact level of risk can never be known since there is
always some degree of uncertainty.
Ultimately, management must decide on the level of risk it is willing to accept. Judging
what level can be tolerated, particularly when weighted against the cost, can be a
difficult management decision. Therefore, management clearly needs a framework of
generally accepted IT security and control practices to benchmark the existing and
planned IT environment.
There is an increasing need for USERS of IT services to be assured, through
accreditation and audit of IT services provided by internal or third parties, that adequate
security and control exist. At present, however, the implementation of good IT controls
in information systems, be they commercial, non-profit or governmental, is hampered by
confusion. The confusion arises from the different evaluation methods such as ITSEC,
TCSEC, ISO 9000 evaluations, emerging COSO internal control evaluations, etc. As a
result, users need a general foundation to be established as a first step.
Frequently, AUDITORS have taken the lead in such international standardization efforts
because they are continuously confronted with the need to substantiate their opinion on
internal control to management. Without a framework, this is an exceedingly difficult
task. Furthermore, auditors are increasingly being called on by management to
proactively consult and advise on IT security and control-related matters.
Why
Increasingly, top management is realizing the significant impact that information can
have on the success of the enterprise. Management expects heightened understanding
of the way IT is operated and the likelihood of its being leveraged successfully for
competitive advantage. In particular, top management needs to know if information is
being managed by the enterprise so that it is:
Likely to achieve its objectives
Resilient enough to learn and adapt
Judiciously managing the risks it faces
Appropriately recognizing opportunities and acting upon them
Successful enterprises understand the risks and exploit the benefits of IT and find ways
to deal with:
Aligning IT strategy with the business strategy
Assuring investors and shareholders that a standard of due care around
mitigating IT risks is being met by the organisation
Cascading IT strategy and goals down into the enterprise
Obtaining value from IT investments
Providing organisational structures that facilitate the implementation of strategy
and goals
Creating constructive relationships and effective communication between the
business and IT, and with external partners
Measuring IT's performance
Enterprises cannot deliver effectively against these business and governance
requirements without adopting and implementing a governance and control framework
for IT to:
Make a link to the business requirements
Make performance against these requirements transparent
Organize its activities into a generally accepted process model
Identify the major resources to be leveraged
Define the management control objectives to be considered
Furthermore, governance and control frameworks are becoming a part of IT
management good practice and are an enabler for establishing IT governance and
complying with continually increasing regulatory requirements.
IT good practices have become significant due to a number of factors:
Business managers and boards demanding a better return from IT investments,
i.e., that IT delivers what the business needs to enhance stakeholder value
Concern over the generally increasing level of IT expenditure
The need to meet regulatory requirements for IT controls in areas such as
privacy and financial reporting (e.g., the US Sarbanes-Oxley Act, Basel II) and in
specific sectors such as finance, pharmaceutical and healthcare
The selection of service providers and the management of service outsourcing
and acquisition
Increasingly complex IT-related risks, such as network security
IT governance initiatives that include adoption of control frameworks and good
practices to help monitor and improve critical
IT activities to increase business value and reduce business risk
The need to optimize costs by following, where possible, standardized, rather
than specially developed, approaches
The growing maturity and consequent acceptance of well-regarded frameworks,
such as COBIT, IT Infrastructure Library (ITIL), ISO 27000 series on information
security-related standards, ISO 9001:2000 Quality Management Systems
Requirements, Capability Maturity Model Integration (CMMI), Projects in
Controlled Environments 2 (PRINCE2) and A Guide to the Project Management
Body of Knowledge (PMBOK)
The need for enterprises to assess how they are performing against generally
accepted standards and their peers (benchmarking)
Who
A governance and control framework needs to serve a variety of internal and external
stakeholders, each of whom has specific needs:
Stakeholders within the enterprise who have an interest in generating value from
IT investments:
Those who make investment decisions
Those who decide about requirements
Those who use IT services
Internal and external stakeholders who provide IT services:
Those who manage the IT organization and processes
Those who develop capabilities
Those who operate the services
Internal and external stakeholders who have a control/risk responsibility:
Those with security, privacy and/or risk responsibilities
Those performing compliance functions
Those requiring or providing assurance services
What
To meet the requirements listed in the previous section, a framework for IT governance
and control should:
Provide a business focus to enable alignment between business and IT objectives
Establish a process orientation to define the scope and extent of coverage, with a
defined structure enabling easy navigation of content
Be generally acceptable by being consistent with accepted IT good practices and
standards and independent of specific technologies
Supply a common language with a set of terms and definitions that are generally
understandable by all stakeholders
Help meet regulatory requirements by being consistent with generally accepted
corporate governance standards (e.g., COSO) and IT controls expected by regulators
and external auditors. [IT Governance Institute, 2007]
2.3 Procedures
The preparation before commencing an audit involves collecting background
information and assessing the resources and skills required to perform the audit. This
enables staff with the right kind of skills to be allotted to the right assignment.
It always is a good practice to have a formal audit commencement meeting with the
senior management responsible for the area under audit to finalize the scope,
understand the special concerns, if any, schedule the dates and explain the
methodology for the audit. Such meetings get senior management involved, allow
people to meet each other, clarify issues and underlying business concerns, and help
the audit to be conducted smoothly.
Similarly, after the audit scrutiny is completed, it is better to communicate the audit
findings and suggestions for corrective action to senior management in a formal
meeting using a presentation. This will ensure better understanding and increase buy-in
of audit recommendations. It also gives auditors an opportunity to express their
viewpoints on the issues raised. Writing a report after such a meeting where
agreements are reached on all audit issues can greatly enhance audit effectiveness.
For these procedures, a standard was developed by the Information Systems Audit and
Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992: a set of best
practices (a framework) for information technology (IT) management known as Control
Objectives for Information and related Technology (COBIT).
2.4 Control Objectives for Information and related Technology (COBIT)
2.4.1 Vision
To research, develop, publicize and promote an authoritative, up-to-date, internationally
accepted IT governance control framework for adoption by enterprises and day-to-day
use by business managers, IT professionals and assurance professionals.
2.4.2 How COBIT Meets the Need
In response to the needs described in the previous section 2.2, the COBIT framework
was created with the main characteristics of being business-focused, process-oriented,
controls-based and measurement-driven.
2.4.2.1 Business Focused
Business orientation is the main theme of COBIT. It is designed not only to be employed
by IT service providers, users and auditors, but also, and more important, to provide
comprehensive guidance for management and business process owners.
The COBIT framework is based on the following principle (figure below):
To provide the information that the enterprise requires to achieve its objectives, the
enterprise needs to invest in and manage and control IT resources using a structured
set of processes to provide the services that deliver the required enterprise information.
Managing and controlling information are at the heart of the COBIT framework and help
ensure alignment to business requirements.
Figure 1 Basic COBIT Principle
COBIT's information criteria: to satisfy business objectives, information needs to
conform to certain control criteria, which COBIT refers to as business requirements for
information. These are effectiveness, efficiency, confidentiality, integrity, availability,
compliance and reliability.
Business Goals and IT Goals:
Whilst information criteria provide a generic method for defining the business
requirements, defining a set of generic business and IT goals provides a business-
related and more refined basis for establishing business requirements and developing
the metrics that allow measurement against these goals. Every enterprise uses IT to
enable business initiatives, and these can be represented as business goals for IT.
Figure 2 Managing IT Resources to Deliver IT Goals
IT Resources:
The IT organization delivers against these goals by a clearly defined set of processes
that use people skills and technology infrastructure to run automated business
applications while leveraging business information.
The IT resources identified in COBIT can be defined as follows:
Applications are the automated user systems and manual procedures that process
the information.
Information is the data, in all their forms, input, processed and output by the
information systems in whatever form is used by the business.
Infrastructure is the technology and facilities (i.e., hardware, operating systems,
database management systems, networking, multimedia, and the environment that
houses and supports them) that enable the processing of the applications.
People are the personnel required to plan, organize, acquire, implement, deliver,
support, monitor and evaluate the information systems and services. They may be
internal, outsourced or contracted as required.
2.4.2.2 Process Oriented
COBIT defines IT activities in a generic process model within four domains. These
domains are Plan and Organize, Acquire and Implement, Deliver and Support, and
Monitor and Evaluate. The domains map to IT's traditional responsibility areas of plan,
build, run and monitor.
The COBIT framework provides a reference process model and common language for
everyone in an enterprise to view and manage IT activities. Incorporating an operational
model and a common language for all parts of the business involved in IT is one of the
most important and initial steps toward good governance. It also provides a framework
for measuring and monitoring IT performance, communicating with service providers
and integrating best management practices. A process model encourages process
ownership, enabling responsibilities and accountability to be defined.
To govern IT effectively, it is important to appreciate the activities and risks within IT that
need to be managed. They are usually ordered into the responsibility domains of plan,
build, run and monitor. Within the COBIT framework, these domains, as shown in figure
below, are called:
Figure 3 The Four Interrelated Domains of COBIT
Plan and Organise (PO): Provides direction to solution delivery (AI) and service
delivery (DS)
Acquire and Implement (AI): Provides the solutions and passes them to be turned
into services
Deliver and Support (DS): Receives the solutions and makes them usable for end
users
Monitor and Evaluate (ME): Monitors all processes to ensure that the direction
provided is followed
2.4.2.3 Controls Based
COBIT defines control objectives for all 34 processes, as well as overarching process
and application controls.
PROCESSES NEED CONTROLS
Control is defined as the policies, procedures, practices and organizational structures
designed to provide reasonable assurance that business objectives will be achieved
and undesired events will be prevented or detected and corrected.
IT control objectives provide a complete set of high-level requirements to be considered
by management for effective control of each IT process. They:
Are statements of managerial actions to increase value or reduce risk
Consist of policies, procedures, practices and organizational structures
Are designed to provide reasonable assurance that business objectives will be
achieved and undesired events will be prevented or detected and corrected
Enterprise management needs to make choices relative to these control objectives by:
Selecting those that are applicable
Deciding upon those that will be implemented
Choosing how to implement them (frequency, span, automation, etc.)
Accepting the risk of not implementing those that may apply
Guidance can be obtained from the standard control model shown in figure below. It
follows the principles evident in this analogy: When the room temperature (standard) for
the heating system (process) is set, the system will constantly check (compare) ambient
room temperature (control information) and will signal (act) the heating system to
provide more or less heat.
Each of COBIT's IT processes has a process description and a number of control
objectives. As a whole, they are the characteristics of a well-managed process. The
control objectives are identified by a two-character domain reference (PO, AI, DS and
ME) plus a process number and a control objective number. In addition to the control
objectives, each COBIT process has generic control requirements that are identified by
PCn, for process control number.
PC1 Process Goals and Objectives
PC2 Process Ownership
PC3 Process Repeatability
PC4 Roles and Responsibilities, etc.
Figure 4 Control Model
IT GENERAL CONTROLS AND APPLICATION CONTROLS
General controls are controls embedded in IT processes and services. Examples
include:
Systems development
Change management
Security
Computer operations
Controls embedded in business process applications are commonly referred to as
application controls. Examples include:
Completeness
Accuracy
Validity
Authorization
Segregation of duties
The following list provides a recommended set of application control objectives. They
are identified by ACn, for application control number.
AC1 Source Data Preparation and Authorisation
AC2 Source Data Collection and Entry
AC3 Accuracy, Completeness and Authenticity Checks
AC4 Processing Integrity and Validity, etc
2.4.2.4 Measurement Driven
A basic need for every enterprise is to understand the status of its own IT systems and
to decide what level of management and control the enterprise should provide. To
decide on the right level, management should ask itself: How far should we go, and is
the cost justified by the benefit?
Obtaining an objective view of an enterprise's own performance level is not easy. What
should be measured, and how? Enterprises need to measure where they are and where
improvement is required, and implement a management tool kit to monitor this
improvement.
COBIT deals with these issues by providing:
1. Maturity models to enable benchmarking and identification of necessary
capability improvements
2. Performance goals and metrics for the IT processes, demonstrating how
processes meet business and IT goals and are used for measuring internal
process performance based on balanced scorecard principles
3. Activity goals for enabling effective process performance
MATURITY MODELS
Senior managers in corporate and public enterprises are increasingly asked to consider
how well IT is being managed. In response to this, business cases require development
for improvement and reaching the appropriate level of management and control over the
information infrastructure. While few would argue that this is not a good thing, they need
to consider the cost-benefit balance and these related questions:
1. What are our industry peers doing, and how are we placed in relation to them?
2. What is acceptable industry good practice, and how are we placed with regard to
these practices?
3. Based upon these comparisons, can we be said to be doing enough?
4. How do we identify what is required to be done to reach an adequate level of
management and control over our IT processes?
It can be difficult to supply meaningful answers to these questions. IT management is
constantly on the lookout for benchmarking and self-assessment tools in response to
the need to know what to do in an efficient manner. Starting from COBIT's processes, the
process owner should be able to incrementally benchmark against that control objective.
This responds to three needs:
1. A relative measure of where the enterprise is
2. A manner to efficiently decide where to go
3. A tool for measuring progress against the goal
Maturity modeling for management and control over IT processes is based on a method
of evaluating the organization, so it can be rated from a maturity level of non-existent (0)
to optimized (5). This approach is derived from the maturity model that the Software
Engineering Institute (SEI) defined for the maturity of software development capability.
Although concepts of the SEI approach were followed, the COBIT implementation differs
considerably from the original SEI model, which was oriented toward software product
engineering principles, organizations striving for excellence in these areas and formal
appraisal of maturity levels so that software developers could be certified. In COBIT, a
generic definition is provided for the COBIT maturity scale, which is similar to CMM but
interpreted for the nature of COBIT's IT management processes. A specific model is
provided from this generic scale for each of COBIT's 34 processes. Whatever the model,
the scales should not be too granular, as that would render the system difficult to use
and suggest a precision that is not justifiable because, in general, the purpose is to
identify where issues are and how to set priorities for improvements. The purpose is not
to assess the level of adherence to the control objectives.
The maturity levels are designed as profiles of IT processes that an enterprise would
recognize as descriptions of possible current and future states. They are not designed
for use as a threshold model, where one cannot move to the next higher level without
having fulfilled all conditions of the lower level. With COBIT's maturity models, unlike the
original SEI CMM approach, there is no intention to measure levels precisely or try to
certify that a level has exactly been met. A COBIT maturity assessment is likely to result
in a profile where conditions relevant to several maturity levels will be met, as shown in
the example graph below.
Figure 5 Possible maturity level of an IT process
However, process management capability is not the same as process performance. The
required capability, as determined by business and IT goals, may not need to be applied
to the same level across the entire IT environment, e.g., not consistently or to only a
limited number of systems or units. Performance measurement, as covered in the next
paragraphs, is essential in determining what the enterprise's actual performance is for
its IT processes.
0 Non-existent: Complete lack of any recognizable processes. The enterprise has not
even recognised that there is an issue to be addressed.
1 Initial/Ad Hoc: There is evidence that the enterprise has recognized that the issues
exist and need to be addressed. There are, however, no standardized processes;
instead, there are ad hoc approaches that tend to be applied on an individual or
case-by-case basis. The overall approach to management is disorganized.
2 Repeatable but Intuitive: Processes have developed to the stage where similar
procedures are followed by different people undertaking the same task. There is no
formal training or communication of standard procedures, and responsibility is left to the
individual. There is a high degree of reliance on the knowledge of individuals and,
therefore, errors are likely.
3 Defined Process: Procedures have been standardized and documented, and
communicated through training. It is mandated that these processes should be followed;
however, it is unlikely that deviations will be detected. The procedures themselves are
not sophisticated but are the formalization of existing practices.
4 Managed and Measurable: Management monitors and measures compliance with
procedures and takes action where processes appear not to be working effectively.
Processes are under constant improvement and provide good practice. Automation and
tools are used in a limited or fragmented way.
5 Optimized: Processes have been refined to a level of good practice, based on the
results of continuous improvement and maturity modeling with other enterprises. IT is
used in an integrated way to automate the workflow, providing tools to improve quality
and effectiveness, making the enterprise quick to adapt.
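The difference between a COBIT-style maturity profile and a CMM-style threshold rating, as described above, is easier to see in code. The following is an added example, not part of the report or of COBIT; the checklist paraphrases the level descriptions above, and the True/False answers for a hypothetical IT process are constructed for illustration.

```python
"""Scoring a maturity assessment as a profile rather than a threshold.
Added example; the checklist and answers are constructed, not from COBIT."""
from typing import Dict, List, Tuple

# Constructed checklist: for each maturity level 1..5, characteristics paraphrased
# from the level descriptions, each with an invented assessment result for a
# hypothetical IT process.  Level 0 (non-existent) has nothing to check.
Assessment = Dict[int, List[Tuple[str, bool]]]

SAMPLE_ASSESSMENT: Assessment = {
    1: [("issue recognised and the need to address it acknowledged", True)],
    2: [("similar procedures followed by different people on the same task", True),
        ("responsibility left to the individual, no formal training", True)],
    3: [("procedures standardised and documented", True),
        ("procedures communicated through training", False),
        ("following the process is mandated", True)],
    4: [("management monitors and measures compliance", True),
        ("action taken where the process is not working", False),
        ("automation and tools in use, even if fragmented", False)],
    5: [("continuous improvement with benchmarking against other enterprises", False),
        ("workflow automated in an integrated way", False)],
}


def maturity_profile(assessment: Assessment) -> Dict[int, float]:
    """Fraction of characteristics matched at each level: the COBIT-style
    profile, which may show partial fulfilment at several levels at once."""
    profile: Dict[int, float] = {}
    for level, conditions in sorted(assessment.items()):
        matched = sum(1 for _, ok in conditions if ok)
        profile[level] = matched / len(conditions) if conditions else 0.0
    return profile


def threshold_level(assessment: Assessment) -> int:
    """SEI CMM-style threshold rating: the highest level for which every
    characteristic of that level and of all lower levels is matched."""
    reached = 0
    for level, conditions in sorted(assessment.items()):
        if all(ok for _, ok in conditions):
            reached = level
        else:
            break
    return reached


def levels_substantially_met(profile: Dict[int, float], cutoff: float = 0.5) -> List[int]:
    """Levels where at least `cutoff` of the characteristics hold.  The cutoff
    is an assumed reporting convention for this example, not a COBIT rule."""
    return [level for level, frac in sorted(profile.items()) if frac >= cutoff]


if __name__ == "__main__":
    prof = maturity_profile(SAMPLE_ASSESSMENT)
    for level, frac in prof.items():
        print(f"level {level}: {frac:.0%} of characteristics matched")
    print("threshold (CMM-style) level:", threshold_level(SAMPLE_ASSESSMENT))
    print("levels substantially met:", levels_substantially_met(prof))
```

With the constructed answers the threshold rating stops at level 2, because one level-3 characteristic is unmet, while the profile shows two thirds of level 3 and a third of level 4 already in place; that second view is what the text means by a profile spanning several levels, and it is the one that points at which gaps to close first.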
2.4.3 COBIT Framework Model
The COBIT framework, therefore, ties the business requirements for information and
governance to the objectives of the IT services function. The COBIT process model
enables IT activities and the resources that support them to be properly managed and
controlled based on COBIT's control objectives, and aligned and monitored using
COBIT's goals and metrics. [IT Governance Institute, 2007]
Figure 6 COBIT Management, Control, Alignment and Monitoring
To summarize, IT resources are managed by IT processes to achieve IT goals that respond to the
business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT
cube.
Figure 7 The COBIT Cube
COBIT's General Acceptability
COBIT is based on the analysis and harmonization of existing IT standards and good
practices and conforms to generally accepted governance principles. It is positioned at
a high level, driven by business requirements, covers the full range of IT activities, and
concentrates on what should be achieved rather than how to achieve effective
governance, management and control. Therefore, it acts as an integrator of IT
governance practices and appeals to executive management; business and IT
management; governance, assurance and security professionals; and IT audit and
control professionals. It is designed to be complementary to, and used together with,
other standards and good practices.
To achieve alignment of good practice to business requirements, it is recommended
that COBIT be used at the highest level, providing an overall control framework based
on an IT process model that should generically suit every enterprise. Specific practices
and standards covering discrete areas can be mapped up to the COBIT framework, thus
providing a hierarchy of guidance materials.
COBIT appeals to different users:
1. Executive management: To obtain value from IT investments and balance risk
and control investment in an often unpredictable IT environment
2. Business management: To obtain assurance on the management and control
of IT services provided by internal or third parties
3. IT management: To provide the IT services that the business requires to
support the business strategy in a controlled and managed way
4. Auditors: To substantiate their opinions and/or provide advice to management
on internal controls
2.4.1 Overall COBIT Framework
Figure 8 Overall COBIT Framework [IT Governance Institute, July2000]
2.5 Information Security and Technical Security Risks
2.5.1 Information Security
Security relates to the protection of valuable assets against loss, misuse, disclosure or
damage. In this context, valuable assets are the information recorded on, processed by,
stored in, shared by, transmitted from or retrieved from an electronic medium. The
information must be protected against harm from threats leading to different types of
impacts such as loss, inaccessibility, alteration or wrongful disclosure. Threats include
errors and omissions, fraud, accidents and intentional damage.
The objective of information security is protecting the interests of those relying on
information and the systems and communications that deliver the information from harm
resulting from failures of availability, confidentiality and integrity. The impact of the
Internet and the growth of the networked economy have added the need for trust in
electronic transactions.
Overall, for most computer users the security objective is met when:
1. Information systems are available and usable when required, and can
appropriately resist attacks and recover from failures (availability)
2. Information is observed by or disclosed to only those who have a right to know
(confidentiality)
3. Information is protected against unauthorized modification or error so accuracy,
completeness and validity are maintained (integrity)
4. Business transactions and information exchanges between enterprises,
customers, suppliers or partners can be trusted (authenticity and non-repudiation)
The relative priority and significance of availability, confidentiality, integrity and trust vary
according to the value and type of information and the context in which the information
is used. For example, integrity of management information is especially important to a
business that relies on critical strategy-related decisions, and integrity of an online
purchase is very important to the home user doing Internet shopping.
The amount of protection required depends on how likely a security risk might occur,
and how big an impact it would have if it did occur. Protection is achieved by a
combination of technical and nontechnical safeguards. For the home user, this means
installation of reputable security tools, maintenance of up-to-date software, and care
with backups, and being careful and alert to the hazards of using computers and
connecting to the Internet. For large enterprises, protection will be a major task with a
layered series of safeguards such as physical security measures, background checks,
user identifiers, passwords, smart cards, biometrics and firewalls.
In the ever-changing technological environment, security that is state-of-the-art today
may be obsolete tomorrow. Therefore, security protection must keep pace with these
changes.
"Information security provides the management processes, technology and assurance
to allow business management to ensure business transactions can be trusted;
ensure IT services are usable and can appropriately resist and recover from failures due
to error, deliberate attacks or disaster; and ensure critical confidential information is
withheld from those who should not have access to it." (Dr. Paul Dorey, director,
Digital Business Security, BP Plc.) [IT Governance Institute, 2004]
2.5.2 Technical Security Risks
Information security is a key aspect of information technology governance, and it is an
important issue for all computer users to understand and address. As computer systems
have become more and more commonplace in all walks of life, from home to school and
office, unfortunately so too have the security risks.
The widespread use of the Internet, handheld and portable computer devices, and
mobile and wireless technologies has made access to data and information easy and
affordable. On the other hand, these developments have provided new opportunities for
information technology related problems to occur, such as theft of data, malicious
attacks using viruses, hacking, denial-of-service (DoS) attacks and even new ways to
commit organized crime. These risks, as well as the potential for careless mistakes, can
all result in serious financial, reputational and other damages. Recognizing the need for
better security guidance, this booklet has been developed to provide essential advice
and practical tools to help protect computer users from these risks. [IT Governance
Institute, 2004]
Trojan Horse programs:
Trojan Horse programs are a common way for intruders to trick the user (sometimes
referred to as social engineering) into installing back door programs, which can allow
intruders easy access to the user's computer without his/her knowledge, change the
system configuration or infect the computer with a computer virus.
Back door and remote administration programs:
On computers using a Windows operating system, intruders commonly use three
tools, Back Orifice, Netbus and SubSeven, to gain remote access to the computer.
These back door or remote administration programs, once installed, allow other people
to access and control the computer. The CERT vulnerability note about Back Orifice
should be reviewed. Other computer platforms may be vulnerable and the user needs to
monitor vulnerability reports and maintain the system.
Denial-of-service (DoS) attacks:
Another form of attack is called a denial-of-service attack. This type of attack causes the
computer to crash or become so busy processing data that the user is unable to use it.
In most cases, the latest patches will prevent the attack.
Being an intermediary for another attack:
Intruders frequently use compromised computers as launching pads for attacking other
systems. The use of distributed denial-of-service (DDoS) tools is an example of this.
The intruders would install an agent (frequently through a Trojan Horse program) that
runs on the compromised computer awaiting further instructions. Then, when many
agents are running on different computers, a single handler can instruct all of them to
launch a denial-of-service attack on another system. Thus, the end target of the attack
is not the original user's computer, but someone else's; the original user's computer is
just a convenient tool in a larger attack. [IT Governance Institute, 2004]
Unprotected Windows networking shares:
Intruders can exploit unprotected Windows networking shares in an automated way to
place tools on large numbers of Windows-based computers attached to the Internet.
Because site security on the Internet is interdependent, a compromised computer not
only creates problems for the computer's owner, but it is also a threat to other sites on
the Internet.
Mobile code (Java/JavaScript/ActiveX):
There have been reports of problems with mobile code (e.g., Java, JavaScript and
ActiveX). These programming languages let web developers write code that is executed
by the organization's web browser. Although such code is generally useful to the
organization, intruders also use it to gather information (such as which web sites the
user visits) or run malicious code on the computer. It is possible to disable Java,
JavaScript and ActiveX in the web browser, but the user should be aware that this may
limit legitimate browser functionality. Also, the user should be aware of the risks
involved in the use of mobile code within e-mail programs. Many e-mail programs use
the same code as web browsers to display HTML. Thus, vulnerabilities that affect Java,
JavaScript and ActiveX are often applicable to e-mail and web pages.
Cross-site scripting:
A malicious web developer may attach a script to something sent to a web site, such as
a URL, an element in a form or a database inquiry. Later, when the web site responds,
the malicious script is transferred to the browser. This can potentially expose the web
browser to malicious scripts by:
Following links in web pages, e-mail messages or newsgroup postings without
knowing where they link
Using interactive forms on an untrustworthy site
Viewing online discussion groups, forums or other dynamically generated pages
where users can post text containing HTML tags
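The mechanism described above, a value sent to the site (here in a URL) coming back in the response as live markup, and the standard mitigation of escaping the value for the context it lands in, shown side by side. This is an added example, not from the report or from the ITGI booklet; the tiny search page, its handler names and the sample query string are constructed for illustration.

```python
"""Reflected cross-site scripting: echoing a request parameter into HTML
unescaped versus escaping it for its output context.  Added example; the
page layout and the sample input are constructed."""
import html
from urllib.parse import parse_qs, quote


def render_search_unsafe(query_string: str) -> str:
    """Vulnerable: the q parameter is copied verbatim into the page, so any
    HTML tags carried in a link the visitor followed reach the browser as
    markup, in both the heading and the href attribute."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f'<h1>Results for {q}</h1>\n<a href="/search?q={q}">search again</a>'


def render_search_safe(query_string: str) -> str:
    """Hardened: the value is entity-escaped for the element body and
    percent-encoded for the URL attribute, so it is only ever displayed as
    text and never parsed as a tag or a new attribute."""
    q = parse_qs(query_string).get("q", [""])[0]
    text = html.escape(q, quote=True)        # & < > " ' become entities
    link = "/search?q=" + quote(q, safe="")  # percent-encode for the URL
    return f'<h1>Results for {text}</h1>\n<a href="{link}">search again</a>'


def contains_raw_markup(fragment: str, untrusted: str) -> bool:
    """True when the untrusted value survived into the page with its '<'
    intact, i.e. a browser would parse it as a tag rather than text."""
    return "<" in untrusted and untrusted in fragment


# Constructed sample: a search term that carries a script tag, URL-encoded
# the way a browser would send it in the query string.
SAMPLE_QS = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print("unsafe:\n" + render_search_unsafe(SAMPLE_QS))
    print("safe:\n" + render_search_safe(SAMPLE_QS))
```

Note that one escaping function is not enough on its own: the heading needs HTML entity escaping while the attribute needs URL encoding, which is why the safe handler treats the two output positions separately.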
E-mail spoofing
E-mail spoofing is when an e-mail message appears to have originated from one source
when it actually was sent from another source. E-mail spoofing is often an attempt to
trick the user into making a damaging statement or releasing sensitive information (such
as passwords). Spoofed e-mail can range from harmless pranks to social engineering
ploys. Examples of the latter include:
E-mail claiming to be from a system administrator requesting users to change
their passwords to a specified string and threatening to suspend their account if
they do not comply
E-mail claiming to be from a person in authority requesting users to send a copy
of a password file or other sensitive information
E-mail-borne viruses:
Viruses and other types of malicious code are often spread as attachments to e-mail
messages. Before opening any attachments, the user should be aware of the source of
the attachment. It is not enough that the e-mail originated from a recognised address.
For example, the Melissa virus spread precisely because it originated from a familiar
address. Also, malicious code might be distributed in amusing or enticing programs.
Many recent viruses use these social engineering techniques to spread. Examples
include W32/Sircam and W32/Goner.
Hidden file extensions:
Windows operating systems contain an option to hide file extensions for known file
types. The option is enabled by default, but a user may choose to disable this option to
have file extensions displayed by Windows. Multiple e-mail-borne viruses are known to
exploit hidden file extensions. The first major attack that took advantage of a hidden file
extension was the VBS/LoveLetter worm that contained an e-mail attachment named
LOVE-LETTER-FOR-YOU.TXT.vbs. Other examples include Downloader
(MySis.avi.exe or QuickFlick.mpg.exe), VBS/CoolNote
(COOL_NOTEPAD_DEMO.TXT.vbs), and VBS/OnTheFly (AnnaKournikova.jpg.vbs).
The files attached to the e-mail messages sent by these viruses may appear to be
harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types, when in fact the file is a
malicious script or executable (.vbs or .exe). [IT Governance Institute, 2004]
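A mail gateway or an auditor reviewing attachment logs can flag the disguise described above mechanically: an attachment whose real final extension is executable but whose name, once Windows hides that extension, reads as a document or media file. The following is an added example, not from the report or the ITGI booklet; the two extension sets are an assumption, and the sample inbox is constructed from the names cited above plus two benign attachments.

```python
"""Triage of attachment names for executables hiding behind a harmless-looking
inner extension.  Added example; extension sets are assumed and the attachment
list is constructed."""
import os
from typing import List, Tuple

# Assumed sets: extensions Windows will run as a program or script, and
# extensions a user reads as a harmless document or media file.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf"}
HARMLESS_LOOKING_EXTS = {".txt", ".jpg", ".gif", ".mpg", ".avi", ".doc", ".pdf"}


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on:
    the final extension disappears, leaving any inner extension visible."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def classify(filename: str) -> str:
    """'disguised': executable final extension behind a harmless-looking inner
    one; 'executable': plainly executable; 'ok': anything else."""
    root, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return "ok"
    _, inner = os.path.splitext(root)
    return "disguised" if inner.lower() in HARMLESS_LOOKING_EXTS else "executable"


def triage(attachments: List[str]) -> List[Tuple[str, str, str]]:
    """(real name, name as the user sees it, verdict) for each attachment."""
    return [(name, displayed_name(name), classify(name)) for name in attachments]


# Constructed inbox: the attachment names cited in the text plus two benign ones.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "MySis.avi.exe",
    "QuickFlick.mpg.exe",
    "COOL_NOTEPAD_DEMO.TXT.vbs",
    "AnnaKournikova.jpg.vbs",
    "minutes.txt",
    "setup.exe",
]

if __name__ == "__main__":
    for real, shown, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"{shown:28s} (really {real:28s}) -> {verdict}")
```

The `displayed_name` column is the point: every disguised name in the sample shows up to the user as a .TXT, .avi, .mpg or .jpg file, which is exactly why the text recommends turning extension hiding off and why a gateway should judge the real name rather than the displayed one.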
Chat clients:
Internet chat applications, such as instant messaging applications and Internet relay
chat (IRC) networks, provide a mechanism for information to be transmitted bi-
directionally between computers on the Internet. Chat clients provide groups of
individuals with the means to exchange dialogue, web URLs and, in many cases, files of
any type. Because many chat clients allow for the exchange of executable code, they
present risks similar to those of e-mail clients. As with e-mail clients, the chat clients'
ability to execute downloaded files should be limited. As always, the user should be
wary of exchanging files with unknown parties.
Packet sniffing:
A packet sniffer is a program that captures data from information packets as they travel
over the network. These data may include user names, passwords and proprietary
information that travel over the network in clear text. With perhaps hundreds or
thousands of passwords captured by the packet sniffer, intruders can launch
widespread attacks on systems. Installing a packet sniffer does not necessarily require
administrator-level access. Relative to DSL and traditional dial-up users, cable modem
users have a higher risk of exposure to packet sniffers, since entire neighborhoods of
cable modem users are effectively part of the same LAN. A packet sniffer installed on
any cable modem user's computer in a neighborhood may be able to capture data
transmitted by any other cable modem in the same neighborhood.
Identity theft:
Information stored on a home computer may provide a hacker with enough personal
data to apply for a credit card or identification in the user's name.
Tunneling:
When employees work at home and transfer files to a computer at the office, there is
potential that someone could remotely gain access to the home PC and place a secret
file in a document that ends up on the company system.
Zombies:
Automatic programs search for systems that are connected to the Internet but are
unprotected; take them over without the owner's knowledge; and use them for malicious
purposes.
Spyware:
Innocent looking software (e.g., P2p-agent software used in popular peer-to-peer
communications software) can include or hide software that collects information about
the system and the user, and can send this information to third parties without the
legitimate user knowing.
Beyond these, new programs targeting naive users keep appearing and have become
a huge threat to information systems, so information security is a key issue for the
information systems audit. [IT Governance Institute, 2004]
3. IS Audit in the Nepal Scenario
3.1 NRB guidelines
Figure 9 NRB IT Guidelines (the ten areas shown in the figure: 1. IT Governance; 2. Information Security; 3. Information Security Education; 4. Information Disclosure and Grievance Handling; 5. Outsourcing Management; 6. IT Operation; 7. Information Systems Acquisition, Development and Implementation; 8. Business Continuity and Disaster Recovery Planning; 9. IS Audit; 10. Fraud Management)
APPLICABILITY OF THE GUIDELINES
The objectives of the IT guidelines of NRB (Nepal Rastra Bank, the central bank of
Nepal) are to promote sound and robust technology risk management and to strengthen
system security, reliability, availability and business continuity in the commercial banks
of Nepal. Banks must comply with these guidelines within two years from the date of
issuance. An action plan (with a time frame for each action) for implementing the
guidelines should be developed and submitted to the Bank Supervision Department,
Nepal Rastra Bank, within six months of issuance. The extent of compliance with the
guidelines will be examined during NRB's periodic onsite/offsite supervision. The
guidelines cover the following ten points. [Bank Supervision Department, 2012]
1. IT GOVERNANCE
IT has been adopted by most of the commercial banks to some degree from branch
automation to providing alternate delivery channels. This pervasive nature of IT has
increased the challenge on governing it. Since IT is very critical in supporting and
enabling business goals and is strategic for business growth, due diligence on its
governance is essential. IT governance is a continuous process where IT strategy
drives the process using necessary resources.
2. INFORMATION SECURITY
Robust information is crucial to achieving business goals and to managing risk prudently
in banks. Accuracy, integrity, consistency, completeness, validity, timeliness,
accessibility, usability and auditability are requirements of information processed and
stored electronically. To achieve these qualities of data, banks should develop and
maintain a comprehensive information security program.
3. INFORMATION SECURITY EDUCATION
With the introduction of electronic delivery channels, customers no longer need to visit
bank branches physically to conduct banking. This has intensified the challenges of
authenticating customers. Moreover, fraudsters are designing and using more advanced
techniques to impersonate users and gain illegal access to customers' accounts. To
prevent illegal users from accessing the banking system, it has become essential to
educate customers well in conducting banking operations securely. To create effective
information security practice, it is also important to educate other stakeholders,
including the bank's employees.
4. INFORMATION DISCLOSURE AND GRIEVANCE HANDLING
Banks should clearly provide information about the services, cost, security features, risk
and benefits of the electronic banking environment. Precise information about the
responsibilities, obligations and rights of customers and the bank regarding electronic
transactions should be delivered to customers.
5. OUTSOURCING MANAGEMENT
It has become quite common for Nepalese banks to outsource some or all of their IT
functions. Inter-branch communication, software, hardware and other technical and
administrative functions are commonly outsourced by Nepalese banks. Emerging
technologies such as virtualization, Data Centre and Disaster Recovery Site
outsourcing are also becoming popular. Whatever the reasons for outsourcing, the bank
has the responsibility to ensure that its service providers are capable of delivering a
level of performance, service reliability, capability and security that is at least as
stringent as it would expect for its own operations.
6. IT OPERATIONS
IT infrastructures have been developed and have grown in banks over a few years and
are used to support the processing and storage of information in banks. IT should be
operated to ensure timely, reliable and secure information.
7. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND IMPLEMENTATION
Much software fails due to inadequate system testing and bad system design.
Applications that handle customers' financial information should, inter alia,
satisfy security requirements.
Deficiencies in system design should be recognized at an early stage of software
development and during software testing.
8. BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING
The role of the banking sector in economic growth and stability is vital and requires
continuous, reliable service. The introduction of electronic delivery channels
and 24/7 service availability has increased the demand for a Business Continuity
Planning (BCP) framework covering all critical aspects of people, process and
technology. Business continuity planning should be designed to minimize financial, operational,
legal, reputational and other risks; it includes the policies, standards and procedures that
ensure the continuity, resumption and recovery of business processes and minimize the
impact of a disaster. A business continuity plan generally incorporates business impact
analysis, recovery strategies and the continuity plan itself, as well as testing, training,
awareness, communication and crisis management programmes.
9. IS AUDIT
Since the increasing complexity of the IT environment in banks has created significant risk,
comprehensive risk management is required, comprising standard internal control
frameworks, the bank's own requirements and NRB requirements. To ensure the effectiveness
of the implemented control framework and the adequacy of the adopted security plan and
procedures, banks should conduct an IS audit annually.
10. FRAUD MANAGEMENT
Nepalese banks use electronic delivery channels to provide banking services.
Increased use of Internet banking, mobile banking, payment cards (debit and credit cards)
and ATMs is also creating the risk of electronic fraud in the banking system. [Bank Supervision
Department, 2012]
3.2 Challenges for Nepal in implementing IS Audit
Nepal is a developing country. Although Nepal lags in other infrastructure, it has
achieved significant development in the IT sector. Most government and non-
government organizations in the country have adopted IT for their information systems, and
information systems now play a central role in every sector of the country, such as
government, banking and business. IT brings both opportunity and risk. Although most
organizations use IT as the main backend of their information systems, they are either
unaware of the risk involved or ignore it because of the lack of IT guidelines and policy
for information systems. This unseen risk in IT poses a great threat to the information
system. The threat to an information system is not limited by national geographical
boundaries: since IT has connected information systems across the whole globe, a
threat can originate from any place in the world. One must therefore be
prepared to tackle the unseen risk in the information system.
To list them out, the challenges of implementing IS audit in Nepal are as follows:
• To model suitable information system audit guidelines that are appropriate
for Nepal and can be implemented well in the Nepalese context.
o If a model from elsewhere in the world is adopted directly, it may not fit Nepal
exactly, because some sectors may not be able to afford high-cost IT
infrastructure. In addition, owing to the ongoing energy crisis in the
country, a high investment may be required in backup setups for the
uninterrupted supply of power to IT devices.
• To find skilled manpower who can carry out information system audits
competently.
o Although the country has plenty of skilled manpower in the IT field, it lacks
professionals who can conduct audits of information systems.
• To convince higher-level personnel who are involved in the decision-making
process.
o It is hard to convince senior personnel from a non-technical background
who are not well acquainted with the contemporary IT-savvy world.
4. Discussion and Recommendation
4.1 Discussion
A standardized framework of IT governance is very important to minimize risk and
get the maximum output from information systems. Information systems are
integrated into overall business processes, and the performance of a firm is reflected in
how well it uses its information systems. To check the compliance of the information
system and avoid risk hazards, periodic IS audit is necessary. COBIT
incorporates business-focused, process-oriented, controls-based and
measurement-driven characteristics.
The information system must not deviate from the mission, objectives and core
values of the firm if the long-term vision of the firm or organization is to be achieved. These
systems exist to enhance processes efficiently so as to minimize cost and time.
By using IS, the quality of products and services should be improved, and all of this
effectiveness and enhancement must be measurable too.
Though Nepal lags in other infrastructure, its achievement in developing the
IT sector is very significant and praiseworthy. Most government and non-
government organizations in the country have adopted IT for their information systems.
Nowadays, information systems play a central role in every sector of the country, such as
government, banking and business.
IT brings both opportunity and risk. Although most organizations use IT as the main
backend of their information systems, they are either unaware of the risk involved or
ignore it because of the lack of IT guidelines and policy for information systems. This
unseen risk in IT poses a great threat to the information system, and the threat is
not limited by national geographical boundaries. One must therefore be prepared to tackle
the unseen risk in the information system. Proper guidelines for IS audit should be
drawn up, and IS audit must be implemented in all sectors of Nepal, not only in the
banking sector.
4.2 Recommendation
There is no doubt that proper use of information systems will enhance the overall
performance of businesses, organizations and firms. Any flaw or inefficiency in an
information system poses a risk that outweighs the benefits being achieved. To
reduce risk hazards in information systems, proper IS audit guidelines must
be adopted by businesses, organizations and firms.
IS audit must be compliant with the current environment of the country. The governing
body must produce standard guidelines so that the firms under that body can adopt
similar models. The framework of IS audit is important for all managers to know,
as information systems are becoming the backbone of all organizations.
For Nepal, IS audit is a totally new concept. The need for IS audit is
increasing as organizations and firms adopt increasingly complex information systems.
Some recommendations are as follows:
• Government policies must be made to increase IS audit human resources.
• Appropriate and feasible models of information system audit guidelines must be
prepared for the context of Nepal.
• Training programmes in IS audit must be introduced for IT professionals.
• Higher authority levels must be made aware of information system auditing.
5. Conclusion
Nowadays, information systems are found everywhere, and with them come both
opportunity and risk. A standardized framework of IT governance is very important to
minimize risk and get the maximum output from information systems. Information systems
are integrated into overall business processes, and the performance of a firm is reflected in
how well it uses its information systems. To check the compliance of the information system
and avoid risk hazards, periodic IS audit is necessary.
COBIT incorporates business-focused, process-oriented, controls-based and
measurement-driven characteristics. The information system must not deviate from
the mission, objectives and core values of the firm if the long-term vision of the firm or
organization is to be achieved. These systems exist to enhance processes efficiently so as
to minimize cost and time. By using IS, the quality of products and services should be
improved, and all of this effectiveness and enhancement must be measurable too.
NRB (Nepal Rastra Bank, the central bank of Nepal) has issued IT Guidelines to be
implemented by the commercial banks of Nepal. The objectives of NRB's IT Guidelines are to
promote sound and robust technology risk management and to strengthen system
security, reliability, availability and business continuity in the commercial banks of Nepal.
Banks must comply with the guidelines within two years from the date of
issuance. An action plan (with a time frame for each action) for the
implementation of the guidelines must be developed and provided to the Bank
Supervision Department, Nepal Rastra Bank, within six months of issuance.
Hence, given the increasing complexity of information systems, IS audit is
necessary to avoid risk hazards and to enhance the performance of
information systems so as to yield greater efficiency and competitive advantage.
6. References and Bibliography
1. IT Governance Institute. (2004). COBIT Student Book. COBIT in Academia.
2. Allinson, Caroline. (2001). Information Systems Audit Trails in Legal Proceedings
as Evidence. Computers & Security, 20, 409-421.
3. Bank Supervision Department. (2012). Nepal Rastra Bank Information
Technology Guidelines. Kathmandu: Nepal Rastra Bank.
4. BDO USA LLP. (January 24, 2012). Audit of Information Technology Support for
Export-Import Bank's Mission. New York, USA: Office of Inspector General,
Export-Import Bank of the US.
5. Botha, H. and Boon, J.A. (2003). The Information Audit: Principles and Guidelines.
Libri, 53, 23-38.
6. Champlain, Jack J. (2003). Auditing Information Systems (2nd ed.). John
Wiley & Sons, Inc.
7. Stoel, Dale, Havelka, Douglas and Merhout, Jeffrey W. (2011). An analysis of attributes
that impact information technology audit quality: A study of IT and financial audit
practitioners. International Journal of Accounting Information Systems, 13, 60-79.
8. Australian Government Department of Defence. (January 2011). Information System
Audit Guide, version 11.1.
9. Department of Information Technology. (2001). Information Systems Audit Policy
for the Banking and Financial Sector. Mumbai: Reserve Bank of India.
10. Elky, Steve. (2007). An Introduction to Information System Risk Management.
SANS Institute.
11. Ernst & Young Ford Rhodes Sidat Hyder. (2009). The Information Systems Audit.
Ernst & Young Ford Rhodes Sidat Hyder.
12. Maria, Evi and Haryani, Endang. (2011). Audit Model Development of
Academic Information System: Case Study on Academic Information System of
Satya Wacana. Journal of Arts, Science & Commerce, II(2).
13. Kim, Hyo-Jeong, Mannino, Michael and Nieschwietz, Robert J. (2009). Information
technology acceptance in the internal audit profession: Impact of technology
features and complexity. International Journal of Accounting Information
Systems, 214-228.
14. Government of NCT Delhi. (2008). Information Technology Audit of the Directorate of
Education.
15. ISACA. (16 August 2010). IT Standards, Guidelines, and Tools and Techniques
for Audit and Assurance and Control Professionals. IL, USA: ISACA.
16. ISACA. (2010). IT Standards, Guidelines, and Tools and Techniques for Audit
and Assurance and Control Professionals. Rolling Meadows, IL 60008, USA: ISACA.
17. IT Governance Institute. (2005). Aligning COBIT, ITIL and ISO 17799 for
Business Benefit: Management Summary. IL, USA: IT Governance Institute.
18. IT Governance Institute. (July 2000). COBIT 3rd Edition Control Objectives. IL,
USA: COBIT Steering Committee and the IT Governance Institute.
19. IT Governance Institute. (2007). COBIT 4.1. IL, USA: IT Governance Institute.
20. IT Governance Institute. (2004). COBIT Security Baseline. IL, USA: IT
Governance Institute.
21. Akoka, Jacky and Comyn-Wattiau, Isabelle. (2010). A Framework for Auditing
Web-Based Information Systems. 18th European Conference on
Information Systems.
22. Jericho Forum. (January 2009). IT Audit and Compliance. Jericho Forum COA
Position Paper.
23. Martinez, Miguel A., Lasheras, Joaquin, Fernandez-Medina, Eduardo, Toval, Ambrosio and
Piattini, Mario. (2010). A Personal Data Audit Method through Requirements
Engineering. Computer Standards & Interfaces, 166-178.
24. Kaul, Vijayendra N. IT Audit Process & Methodology. Manual of Information
Technology Audit.
25. Office of the Auditor General Western Australia. (June 2012). Information
Systems Audit Report. Perth, Australia: Office of the Auditor General Western
Australia.
26. Guarda, Paolo and Zannone, Nicola. (2008). Towards the development of privacy-
aware systems. ScienceDirect.
27. Kumar, Prakash and Maheshwori, Sajeev. IT Security & Audit Policy. Retrieved
2012/9/25 from http://it.delhigovt.nic.in: http://www.nsit.ac.in/pdf/itsa_policy.pdf
28. Progestic International Inc. (January 2005). Audit of Information Technology.
Ottawa: Natural Sciences and Engineering Research Council of Canada.
29. Rafeq, A. (May 2003). Practical Approach to Information System Audit.
30. Buchanan, Steven and Gibb, Forbes. (2008). The information audit: Methodology
selection. International Journal of Information Management, 28(1), 3-11.
31. Buchanan, Steven and Gibb, Forbes. (June 2008). The information audit: Theory versus
practice. International Journal of Information Management, 28(3), 150-160.
32. Wright, Craig. (2008). The Information Systems Audit Program. The IT Regulatory
and Standards Compliance Handbook, 43-58.