ICAB - ITK Chapter 5 Set 2 - Internal Control in IT Systems
1. IT KNOWLEDGE
CA Professional Stage - Knowledge Level, ICAB
Tutor: Mohammad Abdul Matin
Chapter 5
Internal Control in Computer
Based Business System
2. Chapter Outline
Control, IT Internal Control, IT Internal Audit
Responsibility of Control
Control Objectives and Techniques
Control over Acquisition, Implementation and Changes
Risk Assessment
Business Continuity Plan
Overview of ERP
3. Control Objectives for IT (COBIT)
First published by ISACA in 1996 as a set of generally accepted
information technology control objectives for day-to-day use.
COBIT 4.1 defines 34 high-level processes and 210 control
objectives, grouped into four domains:
– Planning & Organization
– Acquisition & Implementation
– Delivery & Support
– Monitoring & Evaluation
4. Control Objectives for IT (COBIT)
A complete COBIT package contains:
Executive Summary: Summary, principles, concepts, synopsis of
the framework, etc.
Framework: Defines the different (34) high level and other IT
processes in four domains. Also defines the Information criteria.
Control Objectives: Defines the (210) control objectives in the
form of statements throughout the high level processes.
Management & Implementation Guidelines: Composed of
Maturity Models to help defining and comparing expectations,
CSFs, KPIs, Key Goals Indicators, industry norms, etc.
5. Control Objectives for IT (COBIT)
IT Assurance Guide: Tools to assess whether the IT controls linked to
each control objective are achieving their intended results. Aligned
with the standards of ISACA (Information Systems Audit and Control
Association) and with ITAF (ISACA’s IT Assurance Framework).
6. Audit Trails
Logs designed to record activity at the system, application and
user levels, providing a detective control for security monitoring,
problem diagnosis, etc.
Audit Trail Objectives:
– Detecting unauthorized access
– Facilitating reconstruction of failure events or problems
– Establishing personal accountability
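The three objectives above can be checked mechanically once the trail is in a parseable form. The following is an added example, not code from the original slides: it parses a constructed pipe-separated audit log (format, user names, authorization matrix and the failed-login threshold are all assumptions made for illustration), flags repeated failed logins and actions a user was not authorized to perform, reconstructs the history of one record and of one failed batch job, and attributes every successful action to the user id that performed it.

```python
"""Audit-trail analysis over constructed sample log lines.

Added example (not from the original slides). The log format, the user names,
the authorization matrix and the threshold below are assumptions made up for
illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit trail: one event per line, pipe-separated fields
#   timestamp | level (system/application/user) | user | action | object | outcome
# The lines are deliberately not in timestamp order; the parser sorts them.
SAMPLE_LOG = """\
2024-03-01T09:00:01|user|alice|LOGIN|app01|SUCCESS
2024-03-01T09:00:05|user|alice|READ|GL_ACCOUNT:1001|SUCCESS
2024-03-01T09:01:10|user|bob|LOGIN|app01|FAILURE
2024-03-01T09:01:15|user|bob|LOGIN|app01|FAILURE
2024-03-01T09:01:20|user|bob|LOGIN|app01|FAILURE
2024-03-01T09:01:30|user|bob|LOGIN|app01|SUCCESS
2024-03-01T09:02:00|application|bob|UPDATE|GL_ACCOUNT:1001|SUCCESS
2024-03-01T09:04:00|user|carol|DELETE|GL_ACCOUNT:1001|SUCCESS
2024-03-01T09:02:30|system|batch|JOB_START|NIGHTLY_POST|SUCCESS
2024-03-01T09:03:00|system|batch|JOB_END|NIGHTLY_POST|FAILURE
"""

# Hypothetical authorization matrix for general-ledger records.
ALLOWED_ON_GL = {
    "alice": {"READ"},
    "bob": {"READ", "UPDATE"},
    "carol": {"READ"},
}
FAILED_LOGIN_THRESHOLD = 3  # assumed alerting threshold


def parse_log(text):
    """Parse the pipe-separated format into dicts, sorted by timestamp."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        ts, level, user, action, obj, outcome = fields
        events.append({
            "ts": datetime.fromisoformat(ts),
            "level": level,
            "user": user,
            "action": action,
            "object": obj,
            "outcome": outcome,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_unauthorized(events):
    """Objective 1: flag repeated failed logins and successful actions the
    user was not authorized to perform on a GL record."""
    findings = []
    failed = Counter()
    for e in events:
        if e["action"] == "LOGIN":
            if e["outcome"] == "FAILURE":
                failed[e["user"]] += 1
                if failed[e["user"]] == FAILED_LOGIN_THRESHOLD:
                    findings.append(("repeated_failed_login", e["user"], e["ts"]))
            else:
                failed[e["user"]] = 0  # a successful login resets the streak
        elif e["object"].startswith("GL_ACCOUNT:") and e["outcome"] == "SUCCESS":
            if e["action"] not in ALLOWED_ON_GL.get(e["user"], set()):
                findings.append(("unauthorized_action", e["user"], e["action"]))
    return findings


def reconstruct(events, obj):
    """Objective 2: the chronological history of one object (a record or a
    batch job), so a failure or a bad change can be traced back."""
    return [e for e in events if e["object"] == obj]


def actions_by_user(events):
    """Objective 3: personal accountability, every successful non-login
    action attributed to the user id that performed it."""
    summary = defaultdict(Counter)
    for e in events:
        if e["outcome"] == "SUCCESS" and e["action"] != "LOGIN":
            summary[e["user"]][e["action"]] += 1
    return {user: dict(c) for user, c in summary.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in detect_unauthorized(evs):
        print("FINDING:", finding)
    for e in reconstruct(evs, "GL_ACCOUNT:1001"):
        print(e["ts"].isoformat(), e["user"], e["action"], e["outcome"])
    print(actions_by_user(evs))
```

Two points a practitioner would check in a real trail: every event must carry a user id (a shared or system account breaks accountability), and the sort on timestamp only reconstructs events correctly if the clocks of the system, application and user layers are synchronized.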
7. Controls – IS Selection, Acquisition
Strategic Master Plan
A strategic master plan to ensure that acquisitions are appropriate and correctly prioritized
Project Control
Project Management, resource and time planning with responsibilities
Data Processing Schedule
Back-end processing tasks distributed and scheduled to maximize resource
utilization
System Performance Measurement
Throughput and time based utilization measurements
Post-Implementation Review
Compare the cost and benefit between plan and implementation
8. Post Implementation Review (PIR)
Post Implementation Review (PIR) of an initiative is
performed to mainly assess if the following were met as per
expectation / plan:
– Business Objectives (budget, deadline, benefits, etc.)
– User Expectations (friendliness, workload, reliability, etc.)
– Technical Requirements (expandability, ease of operation,
interconnectivity with external systems, etc.)
PIR is typically performed after a project has been completed, has
become stable and is no longer being significantly changed or modified
as a result of errors or newly realized requirements.
PIR should be performed by an independent IS consultant or team
that was not involved in the original initiative, project or
development.
9. Business Continuity Planning (BCP)
Key Objectives of a BCP
– Safety of people at the time of a disaster
– Continue critical business operations
– Minimize the duration of disruption of regular operations
– Minimize immediate damage or losses (data and equipment)
– Establishing management succession and emergency powers
– Facilitate effective coordination of recovery tasks
– Reduce the complexity in recovery
– Identify critical lines of business and supporting functions
10. Business Continuity Planning (BCP)
Eight Phases of Developing a BCP
i. Pre-planning activities
ii. Vulnerability assessment
iii. Business impact analysis
iv. Definitions of requirements
v. Plan development
vi. Testing program
vii. Maintenance program
viii. Plan testing and implementation
11. Enterprise Resource Planning (ERP)
An ERP system is a fully integrated business management
system covering the different functional areas of an
enterprise.
ERP systems can be general or industry specific.
The components integrated within an ERP system vary
depending on the organization's needs and priorities.
Examples of ERP systems: SAP, Oracle EBS, Dynamics AX,
IFS, Glovia, Infor, Sage, etc.
12. Enterprise Resource Planning (ERP)
Benefits of an ERP System
– Integrated Financial Systems
– Standardized Processes
– Shared, Real-time Information
Critical Factors in Implementing ERP Systems
– Corporate culture
– Process change
– Management support
– Project Manager competence
– The ERP Team
– Project Methodology
– Training
– Commit to the change
13. ERP Example: SAP
The world’s most widely used tier-one ERP system, developed by
SAP AG, a German company.
SAP R/3 system architecture (three tiers):
– Presentation layer
– Application layer
– Database layer
Can run on many different OS and database platforms.
The tiers can be distributed across multiple systems for load
management and other objectives.
15. Exam Questions
What is control? What are the purposes of internal
control? Explain the five key components required for
effective internal control.
What is Audit Trail? Explain its objectives.
Describe Post Implementation Review (PIR).
Why is information system security important?
Explain “vulnerability management” and “threat
management” in the management of IT security.
What is disaster recovery plan? Describe major areas of
a disaster recovery planning document.
What is ERP? Explain SAP as an ERP system.