2. Model Answer for Case Study 2 - Responding to Proposal for IS Audit of Application

Upload: ca-siddharth-gupta

Post on 23-Feb-2018


  • 7/24/2019 2. Model Answer for Case Study 2 -Responding to Proposal for is Audit of Application

    1/28

    Case study 2

    Case study details

    You are a CA in practice with the ISA Certification.

    Your firm has received an inquiry from a Public Sector Bank for submitting a proposal for IS Audit.

    Key highlights of the details provided by the client covering scope and objectives of IS Audit are provided in the case study.

    Software Packages to be audited

    Category A: Developed In-house (Standalone)

    Bills
    Remittance
    Vostro Accounts

    Preventive Monitoring System

    Category B: (Outsourced)

    Cash Management Services
    Centralised Banking Solution

    II. Scope of Audit

    Evaluation of Effectiveness & Effectiveness of the package vis-a-vis business process and requirements

    Application Security & Controls review
    Database Security and Integrity review
    Review of Interface Controls with other applications
    Review of Network & Communications controls of the application package

    Above scope shall include the following

    1. Whether design of the software conforms to the Requirements Specification.
    2. Objectives of the application, whether these have been fulfilled / likely to be fulfilled by implementation.
    3. Whether bank's systems & procedures are being followed in the application.
    4. What are the controls built in the application? Whether these take care of bank's systems and procedures.

    5. What are the security features available / built into the application package and whether these are sufficient to take care of the risks in a financial transaction.

    Above scope includes the following

    6. What is the relative efficiency of the application in conduct of transactions vis-a-vis the performance in similar packages?
    7. Testing robustness of the application package by running a specified number of transactions on int.
    8. Assessment of the Risk component in the package.

    9. To test and verify for any bugs in the application package.

    Discuss these in your group and prepare presentation covering

    1. Additional information required for submitting the proposal and the methodology of getting the information.

    To specify clearly methodology to be adopted in carrying out each of the above steps.

    2. Prepare detailed step-by-step methodology, which will be adopted by you for carrying out the assignment.
    3. Identify skill-sets of audit team and estimated time for completing the assignment.
    4. List the standards and guidelines to be used for the assignment and explain how these would be adopted and used.

    List the desired deliverables and proposed draft formats of the IS Audit report.

    Model Answer

    Note: This model answer is indicative in nature and is provided for guidance.

    Additional information required for submitting the proposal and methodology of getting the information

    1. Technology platform of the software such as Operating system, Database and platform in which software is developed.
    2. Type of application software, single-user or multi-user, and if multi-user, approximate no. of users of each application software.
    3. List of features and functionalities of software.
    4. Details of vendor in case of outsourced software.

    5. List of documentation available for both software.
    6. List of references where such software is deployed.
    7. Facility for having walk-through of software with related documentation.
    8. Current status of application software - deployed or proposed to be deployed and brief details of proposed deployment.

    Any other information which may be relevant.

    Step-by-step methodology which will be adopted by you for carrying out the assignment

    1. Discussions with the IT department, users and other stakeholders as required.
    2. Review of documentation of System software such as operating system and database
    3. Examination of OS and database access rights

    4. Review of Application Software user manuals
    5. Observation of the Users and the systems in operation

    Review of Application Software in detail by walking through each of the functions

    Step-by-step methodology which will be adopted by you for carrying out the assignment

    6. Testing of all key parameters such as user access profiles
    7. Testing of software by using test data in a test environment for testing validations, processing and reporting.
    8. Use CAATs as required for testing processing
    9. Identifying areas of control weakness and discuss with auditee management to confirm findings and agree on proposed recommendations
    10. Preparation of report with executive summary with risk rating of findings into high, medium and low risk.

    Presentation of audit findings and recommendations to management.

    Identify skill-sets of audit team

    1. Audit team to be finalised after detailed review of documentation and walk-through of software.
    2. Audit team will consist of experts from
        1. IT with expertise in OS/Database
        2. Functional experts with domain in specific application software

    Assurance professional with knowledge of using CAATs and application software audit.

    Estimated time for completing the assignment

    1. Estimated time to be finalised after detailed review of documentation and walk-through of software.
    2. Estimated time will include specific man days of each of the members of the audit team as identified.

    Audit plan will be finalised with estimated time and will include estimated plan for audit plan, performance and reporting.

    Standards and guidelines to be used for the assignment

    ISACA and ICAI standards applicable of audit, internal audit and IS Audit as applicable.
    Best practices of security and control such as COBIT
    Best practices of IS security such as ISO 27001

    Technology best practices as applicable

    Policies and guidelines issued by bank as applicable.

    How the standards and best practices would be adopted and used

    Identified standards, guidelines and best practices would be extracted and customised as per requirements of assignment.
    Detailed audit program and procedures would be prepared based on these best practices.
    Audit program and procedures would be shared in advance with auditee department for their feedback.

    These would be further updated as required during execution of assignment.

    Proposed deliverables

    Draft IS Audit report with list of control weaknesses covering each of the software with specific recommendations for mitigating risks.
    Final IS Audit report for each of the software as per scope with executive summary for senior management.

    Presentation to senior management covering key points and highlights of audits with specific recommendations for follow up plan for implementation of recommendations as agreed.

    Sample format of draft report

    1. Issue (area of control weakness)
        - Ranked based on information criteria as relevant.
    2. Implications (effect)
        - Highlighting IT Resources impacted as relevant. Critical Success Factors of relevant IT process

    3. Cause identifying the probable cause
    4. Recommendations
        - Using the best practices of COBIT and other best practices as adapted for business requirement IT deployment of software auditee.
    5. Management Comment

        - As provided by auditee based on discussion

    Sample format of final report

    Outline for each finding (area of control weakness or area of improvement)

    Issue
    Ranked based on criticality (high, medium or low)

    Implications (effect)
    With highlight of IT Resources impacted as relevant identify probability and quantify risk based on business impact.

    Cause

    Identifying probable cause(s) for issue

    Prepare final report

    Recommendation
    Based on best practices as adapted as per specific business requirement IT deployment of software audited.

    Management Comment
    Feedback from management and identifying issues of disagreement which need escalation.

    management.

    Thank you