Page 1: Auditing

CA. R Vittal Raj

Page 2: Auditing

This Webcast

Based on the current syllabus; also discusses shortcomings found by examiners and points to take care of

New syllabus – study material to be hosted in the first week of September 2013

Applicable from the November 2014 exams; details available on the Institute website - http://220.227.161.86/30545bos20300.pdf

Page 3: Auditing

Relevance of the Paper in CA Final Course

Understanding layout of topics

Some key perspectives on the topics

General pattern of Exam Questions & Exam Preparation tips

Fundamentals you should know before you start


Page 4: Auditing

1. Information Systems Concepts

2. Systems Development Life Cycle Methodology

3. Control Objectives

4. Testing – General & Automated Controls

5. Risk Assessment Methodologies and Applications

6. Business Continuity Planning and Disaster Recovery Planning

7. Overview of ERP

8. IS Auditing Standards, Guidelines, Best Practices

9. Drafting of IS Security Policy, Audit Policy, IS Audit Reporting - A Practical Perspective

10. Information Technology (Amendment) Act, 2008

Page 5: Auditing

Before You Start!


Page 6: Auditing

Value of Information to Business

IT – not a mere enabler but a business driver

Business risks arising from the use of IT

Need for managing the multiple risks arising from IT

Page 7: Auditing

Role of IT in effectively achieving business as well as governance objectives

Auditors’ Role in providing assurance

Audit risk arising from ignorance or inadequate understanding of the impact of IT when planning, designing and performing audit procedures

Page 8: Auditing

Two Volumes

• Volume 1 – Study Material

• Volume 2 – Practice Manual

Topics – 10 (each with a Learning Objective and Sub-topics)

Page 9: Auditing

Not merely conceptual knowledge but applied knowledge

A Final student is expected to have not only conceptual knowledge but also applied knowledge and capability

Conceptual Knowledge – Volume 1 and other sources

Applied Knowledge – Volume 2, other sources, practical exposure, field visits and ‘looking beyond’

Presupposes knowledge of fundamental IT concepts (IPCC material)

Jargon! Technical! Managerial/control concepts!

Page 10: Auditing

From Exam Perspective


Page 11: Auditing

Key Topics:

• Definition of a System

• Types of System

• Systems Model & Environment

• Information

• Information Systems role in management

• Operational Support Systems – TPS, MIS, ERP

• Management Support Systems – DSS, EIS, Expert Systems

• Office Automation Systems

Overview of Learning Objective: Expert understanding of information, systems, their elements, types and their application in day-to-day business life

Page 12: Auditing

Key Topics:

• Systems Development Process

• Systems Development Methodologies

• Systems Development Life Cycle

• In-depth understanding of Phases

  • Preliminary Study, Systems Requirements Analysis, Systems Design, Systems Acquisition, Systems Development, Systems Testing, Systems Implementation, Post Implementation Review and Systems Maintenance, Documentation

• Auditors’ Role in SDLC

Overview of Learning Objective: In-depth understanding of concepts and approaches in SDLC, phases, tools, auditors’ role in SDLC

Page 13: Auditing

Key Topics:

• IS Controls and their need

• Considerations arising from use of computers – Internal Control & Audit perspective

• Overview of IS Audit Process, audit objectives vs. control objectives

• IS Control Techniques, types, roles and responsibilities

• End User Controls

• Controls in SDLC – Systems Development and Acquisition, Change Management, Quality Assurance, Systems Implementation & Maintenance

Overview of Learning Objective: In-depth understanding of Internal Controls, control objectives, controls & techniques of control across various facets of systems protection, role of IS audit

Page 14: Auditing

Key Topics:

• Controls over Data Integrity, Privacy and Security

• Security concepts and techniques

• Data Security and Public Networks, Unauthorised Intrusion, Hacking

• Logical Access Controls, Malware & related controls

• Physical & Environmental Controls

Page 15: Auditing

Key Topics:

• Testing – Concepts, need and types

• Audit Planning Considerations for testing

• Audit Testing – IS Controls identification, Prioritising, Performing tests

• General Controls vs. Application Controls

• Audit Testing techniques

• Testing of Technical Controls – Hardware, Systems Software, Network

• Concurrent or Continuous Audit and Embedded Audit Module

• Audit Reporting

Overview of Learning Objective: Expert knowledge of testing concepts, types, methods, audit planning

Page 16: Auditing

Key Topics:

• In-depth understanding of Risk Management Concepts

  • Asset, Threats, Vulnerabilities, Severity and Likelihood, Exposure, Countermeasures, Acceptable Risk, Residual Risk

• Understanding of Threats in Computerised Environments

• Risk Assessment vs. Risk Management

• Risk Identification, Ranking, Mitigation and role of Controls

Overview of Learning Objective: Working knowledge of the concepts and application of Risk Management, its components and phases, and Controls

Page 17: Auditing

Key Topics:

• Goals and objectives of BCP

• Steps to developing a BCP

• Types of Plans

  • Emergency, Backup, Recovery

• Business Impact Analysis & Risk Assessment

• Backup Techniques

  • Full, Incremental, Differential, Mirror

• Alternate Processing Arrangements

  • Cold, Hot, Warm Site, Reciprocal Arrangement

• Disaster Recovery Procedures

• Insurance

• BCP Testing Objectives and Steps

• Audit of Disaster Recovery/Business Resumption Plan

Overview of Learning Objective: In-depth understanding of purpose and objectives of BCP/DRP, phases thereof and role of audit

Page 18: Auditing

Key Topics:

• ERP Fundamentals

  • Definition, Evolution, Features, Benefits

• Business Process Re-Engineering

  • A critical success factor for ERP

• ERP Implementation

  • Key considerations, Methodology, Phases

• Post Implementation Issues

• Risk Governance Issues in ERP

• ERP & E-Commerce

• Overview of some popular products and Case studies

Overview of Learning Objective: Role of ERP in business, Goals & Benefits, Challenges and Risks, Phases in Implementation, Importance of BPR

Page 19: Auditing

Key Topics:

• ICAI Standards – SA 315, SA 330

• ISO 27001 – Information Security Management Standard

• Capability Maturity Model (CMM)

• COBIT – IT Governance Framework

• CoCo Guidance – Criteria of Control Model (CICA)

• ITIL (IT Infrastructure Library)

• SysTrust and WebTrust from AICPA

• HIPAA

• SA 402

Overview of Learning Objective: Gain an overview of global standards in IS Control, Security, Audit and IT Governance and their relevance

Page 20: Auditing

Key Topics:

• Importance of Information Security to the Enterprise

• Information Security Policy

  • Purpose, scope, types, allocation of roles and responsibilities

  • Asset Classification, Access Control, Physical Security, SDLC, BCP

• Audit Policy

  • Purpose, Scope, Competence, Audit Framework, Testing Approach, Frequency, Linkage to IT Governance Framework, Audit Communication

• Audit Working Papers and Documentation

  • Planning Documentation, Gathering and Organising Information, Writing Documentation

• IS Audit Reports

  • Structure, Format, Distribution, Context, Objectives, Findings, Opinion, Substantiation, Evidence

Overview of Learning Objective: Expert knowledge in drafting of Information Systems Security Policy, Audit Policy and Audit Documentation and Reporting

Page 21: Auditing

Key Topics:

• IT Act 2000 & the Amendment Act, 2008

• Purpose, Definitions

• Authentication, Digital & Electronic Signature

• Obligations of Subscribers, Body Corporates, Intermediaries and users

• Electronic Governance

• Electronic Contracts

• Certifying Authorities

• Penalties, Adjudication and Authorities under the Act

• Offences

Overview of Learning Objective: Working knowledge of the purpose of the Act, knowledge of key provisions, application of certain provisions

Page 22: Auditing

Don’t rule out any topic; questions may test concepts across chapters.

Marks weightage may vary by chapter (not necessarily a set pattern)

Questions may test concepts as well as applied understanding

One question may test concepts from more than one chapter

Both conceptual and applied knowledge are tested

Page 23: Auditing

Total Marks – 100

No. of Questions – 7. One Compulsory Question and 5 out of 6 others to be answered

Hours - 3

Questions based on Scenario/Brief Case Study

Questions directly testing conceptual understanding

Questions testing practical application

Short notes (4 of 5 questions)

Page 24: Auditing

Cyberphobia and an allergy to technical terms/jargon!

Taking a technical perspective rather than a risk perspective

Inability to relate the IT concept to Business & Audit Risk

Last-minute rushing through the material without reading it properly and seeing how it applies in real life

Memorising concepts without understanding them

Reading the material without devoting adequate time to solving sample/past question papers

Writing lengthy/irrelevant answers, not answering to the point and not organising your answers
