Auditing
1 like477 views
This document provides an overview of the new CA Final syllabus for Information Systems and controls that will be applicable from November 2014 exams. It discusses the relevance of the paper to the CA final course and provides a breakdown of the 10 topics that will be covered, including information systems concepts, systems development lifecycle methodology, controls objectives, testing and auditing standards and guidelines. It also provides exam preparation tips, noting that students will need both conceptual and applied knowledge. The document outlines the exam format of 7 questions worth 100 marks over 3 hours and advises students not to rule out any topics as questions may cover multiple chapters.
Auditing
- 1. CA. R Vittal Raj 1
- 2. This Webcast On Current Syllabi Also Discuss Shortcomings Found by Examiners - Points to Take Care New Syllabus – Study Material Would be Hosted in Sep, 13 (First Week) Applicable from November, 2014 Exams Details available on Institute Website - http://220.227.161.86/30545bos20300.pdf 2
- 3. Relevance of the Paper in CA Final Course Understanding layout of topics Some key perspective to topics General pattern of Exam Questions & Exam Preparation tips Fundamentals you should know before you start 3
- 4. 1 • Information Systems Concepts 2 • Systems Development Life Cycle Methodology 3 • Control Objectives 4 • Testing – General & Automated Controls 5 • Risk Assessment Methodologies and Applications 6 • Business Continuity Planning and Disaster Recovery Planning 7 • Overview of ERP: IS Auditing Standards, Guidelines and Best Practices 8 • IS Auditing Standards, Guidelines , Best Practices 9 • Drafting of IS Security Policy, Audit Policy, IS Audit Reporting - A Practical Perspective 10 • Information Technology (Amendment) Act, 2008 4
- 6. Value of Information to Business IT – not mere enabler but a business driver Business risks arising from use of IT Need for managing multi risks from IT 6
- 7. Role of IT in effectively achieving business as well as governance objectives Auditors’ Role in providing assurance Audit Risk arising from ignorance/ inappropriate understanding of impact of IT in planning, designing and performing audit procedures 7
- 8. Two Volumes • Volume 1 – Study Material • Volume 2 – Practice Manual Topics – 10 Learning Objective Sub topics 8
- 9. Not merely conceptual knowledge but applied knowledge A final student is expected to have conceptual knowledge but also applied knowledge & capability Conceptual Knowledge – Volume 1 & Other sources Applied Knowledge - Volume 2, other sources and Practical exposure, field visits, ‘look beyond’ Pre-supposes knowledge of IT fundamental concepts (IPCC Material) Jargons! Technical! Managerial/Control Concepts 9
- 11. Key Topics: • Definition of a System • Types of System • Systems Model & Environment • Information • Information Systems role in management • Operational Support Systems - TPS, MIS, ERP, • Management Support Systems – DSS, EIS, Expert Systems, • Office Automation Systems 11 Overview of Learning Objective: Expert understanding of information, systems, their elements, types and their application in day to day business life
- 12. Key Topics: • Systems Development Process • Systems Development Methodologies • Systems Development Life Cycle • In Depth understanding of Phases • Preliminary Study, Systems Requirements Analysis, Systems Design, Systems Acquisition, Systems Development, Systems Testing, Systems Implementation, Post Implementation Review and Systems Maintenance, Documentation • Auditors Role in SDLC 12 Overview of Learning Objective: In depth understanding of concepts, and approaches in SDLC, Phases, tools, Auditors Role in SDLC
- 13. Key Topics: • IS Controls and their need • Considerations arising from use of computers – Internal Control & Audit perspective • Overview of IS Audit Process, audit objectives vs. control objectives • IS Control Techniques, types, roles and responsibilities • End User Controls • Controls in SDLC - Systems Development and Acquisition, Change Management, Quality Assurance, Systems Implementation & Maintenance 13 Overview of Learning Objective: In depth understanding of Internal Controls , control objectives, controls & techniques of control across various facets of systems protection, role of IS audit
- 14. Key Topics: • Controls over Data Integrity, Privacy and Security • Security concepts and techniques • Data Security and Public Networks, Unauthorised Intrusion, Hacking • Logical Access Controls, Malware & related controls • Physical & Environmental Controls 14
- 15. Key Topics: • Testing – Concepts, need and types • Audit Planning Considerations for testing • Audit Testing – IS Controls identification, Prioritising, Performing tests • General Controls vs. Application Controls • Audit Testing techniques • Testing of Technical Controls – Hardware, Systems Software, Network • Concurrent or Continuous Audit and Embedded Audit Module • Audit Reporting 15 Overview of Learning Objective: Expert Knowledge of testing concepts, types, methods, audit planning
- 16. Key Topics: • Indepth understanding of Risk Management Concepts • Asset, Threats, Vulnerabilities, Severity and Likelihood, Exposure, Countermeasures, Acceptable Risk, Residual Risk • Understanding of Threats in Computerised Environments • Risk Assessment vs. Risk Management • Risk Identification, Ranking, Mitigation and role of Controls 16 Overview of Learning Objective: Working Knowledge on concepts and application of Risk Management, components thereof and phases in Risk Management, Controls
- 17. Key Topics: • Goals and objectives of BCP • Steps to developing a BCP • Types of Plans • Emergency, Backup, Recovery • Business Impact Analysis & Risk Assessment • Backup Techniques • Full, Incremental, Differential, Mirror • Alternate Processing Arrangements • Cold, Hot, Warm Site, Reciprocal Arrangement • Disaster Recovery Procedures • Insurance • BCP Testing Objectives and Steps • Audit of Disaster Recovery/Business Resumption Plan 17 Overview of Learning Objective: In depth understanding of purpose and objectives of BCP/DRP, phases thereof and role of audit
- 18. Key Topics: • ERP Fundamentals • Definition, Evolution, Features, Benefits • Business Process Re-Engineering • A Critical success factor for ERP, • ERP Implementation • Key considerations, Methodology, Phases • Post Implementation Issues • Risk Governance Issues in ERP • ERP & E-Commerce • Overview of some popular products and Case studies 18 Overview of Learning Objective: Role of ERP in business, Goals & Benefits, Challenges and Risks, Phases in Implementation, Importance of BPR
- 19. Key Topics: • ICAI Standards – SA 315, SA 330 • ISO 27001 – Information Security Management Standard • Capability Maturity Model (CMM) • COBIT – IT Governance Framework • CoCo Guidance – Criteria of Control Model (CICA) • ITIL (IT Infrastructure Library) • Systrust and Webtrust from AICPA • HIPAA • SA 402 19 Overview of Learning Objective: Gain overview and relevance of global standards in IS Control, Security, Audit and It Governance
- 20. Key Topics: • Importance of Information Security to Enterprise • Information Security Policy • Purpose, scope, types, allocation of roles and responsibilities • Asset Classification, Access Control, Physical Security, SDLC, BCP • Audit Policy • Purpose, Scope, Competence, Audit Framework, Testing Approach, Frequency, Linkage to IT Governance Framework, Audit Communication • Audit Working Papers and Documentation • Planning Documentation, Gathering and Organising Information, Writing Documentation • IS Audit Reports • Structure, Format, Distribution, Context, Objectives, Findings, Opinion, Substantiation, Evidence 20 Overview of Learning Objective: Expert knowledge in drafting of Information Systems Security Policy, Audit Policy and Audit Documentation and Reporting
- 21. Key Topics: • IT Act 2000 & the Amendment Act, 2008 • Purpose, Definitions • Authentication, Digital & Electronic Signature • Obligations of Subscribers, Body Corporates, Intermediaries and users • Electronic Governance • Electronic Contracts • Certifying Authorities • Penalties, Adjudication and Authorities under the Act • Offences 21 Overview of Learning Objective: Working Knowledge on Purpose of the Act, knowledge of key provisions, application of certain provisions
- 22. Don’t rule out any topic, Questions may test concepts across chapters. Marks weightage may vary by chapter (not necessarily a set pattern) Questions may test concepts as well as applied understanding One Question may test concepts from more than one chapter Both conceptual as well as applied knowledge is tested 22
- 23. Total Marks – 100 No. of Questions – 7. One Compulsory Question and 5 out of 6 others to be answered Hours - 3 Questions based on Scenario/Brief Case Study Questions directly testing conceptual understanding Questions testing practical application Short notes ( 4 of 5 Questions) 23
- 24. Cyberphobia and allergy with technical terms/jargons! Technical perspective than risk perspective Inability to relate the IT concept to Business & Audit Risk Last moment rushing through material without reading and seeing it apply in real life Memorising concepts without understanding Reading material without devoting adequate time to solving sample/past question papers Writing lengthy/irrelevant answers, not answering to the point and not organising your answers 24
- 25. 25
- 26. 26