7/24/2019 2. Model Answer for Case Study 2 -Responding to Proposal for is Audit of Application
Case study 2

Case study details

You are a CA in practice with the ISA Certification. Your firm has received an inquiry from a Public Sector Bank for submitting a proposal for IS Audit.
Key highlights of the details provided by the client covering scope and objectives of IS Audit are provided in the case study.

Software Packages to be audited

Category A: Developed In-house (Standalone)
- Bills
- Remittance
- Vostro Accounts
- Preventive Monitoring System

Category B: (Outsourced)
- Cash Management Services
- Centralised Banking Solution

II. Scope of Audit
- Evaluation of Effectiveness & Effectiveness of the package vis-a-vis business process and requirements
- Application Security & Controls review
- Database Security and Integrity review
- Review of Interface Controls with other applications
- Review of Network & Communications controls of the application package
Above scope shall include the following
1. Whether design of the software conforms to the Requirements Specification.
2. Objectives of the application, whether these have been fulfilled / likely to be fulfilled by implementation.
3. Whether bank's systems & procedures are being followed in the application.
4. What are the controls built in the application? Whether these take care of bank's systems and procedures.
5. What are the security features available / built into the application package and whether these are sufficient to take care of the risks in a financial transaction.
6. What is the relative efficiency of the application in conduct of transactions vis-a-vis the performance in similar packages?
7. Testing robustness of the application package by running a specified number of transactions on it.
8. Assessment of the Risk component in the package.
9. To test and verify for any bugs in the application package.

Discuss these in your group and prepare presentation covering
1. Additional information required for submitting the proposal and the methodology of getting the information.
To specify clearly methodology to be adopted in carrying out each of the above steps.
2. Prepare detailed step-by-step methodology, which will be adopted by you for carrying out the assignment.
3. Identify skill-sets of audit team and estimated time for completing the assignment.
4. List the standards and guidelines to be used for the assignment and explain how these would be adopted and used.
List the desired deliverables and proposed draft formats of the IS Audit report.

Model Answer
Note: This model answer is indicative in nature and is provided for guidance.

Additional information required for submitting the proposal and methodology of getting the information
1. Technology platform of the software such as Operating system, Database and platform in which software is developed.
2. Type of application software, single-user or multi-user, and if multi-user, approximate no. of users of each application software.
3. List of features and functionalities of software.
4. Details of vendor in case of outsourced software.
5. List of documentation available for both software.
6. List of references where such software is deployed.
7. Facility for having walk-through of software with related documentation.
8. Current status of application software - deployed or proposed to be deployed and brief details of proposed deployment.
Any other information which may be relevant.

Step-by-step methodology which will be adopted by you for carrying out the assignment
1. Discussions with the IT department, users and other stakeholders as required.
2. Review of documentation of System software such as operating system and database
3. Examination of OS and database access rights
4. Review of Application Software user manuals
5. Observation of the Users and the systems in operation
Review of Application Software in detail by walking through each of the functions
6. Testing of all key parameters such as user access profiles
7. Testing of software by using test data in a test environment for testing validations, processing and reporting.
8. Use CAATs as required for testing processing
9. Identifying areas of control weakness and discuss with auditee management to confirm findings and agree on proposed recommendations
10. Preparation of report with executive summary with risk rating of findings into high, medium and low risk.
Presentation of audit findings and recommendations to management.

Identify skill-sets of audit team
1. Audit team to be finalised after detailed review of documentation and walk-through of software.
2. Audit team will consist of experts from
   1. IT with expertise in OS/Database
   2. Functional experts with domain in specific application software
   Assurance professional with knowledge of using CAATs and application software audit.

Estimated time for completing the assignment
1. Estimated time to be finalised after detailed review of documentation and walk-through of software.
2. Estimated time will include specific man days of each of the members of the audit team as identified.
Audit plan will be finalised with estimated time and will include estimated plan for audit plan, performance and reporting.

Standards and guidelines to be used for the assignment
- ISACA and ICAI standards applicable of audit, internal audit and IS Audit as applicable.
- Best practices of security and control such as COBIT
- Best practices of IS security such as ISO 27001
- Technology best practices as applicable
- Policies and guidelines issued by bank as applicable.

How the standards and best practices would be adopted and used
- Identified standards, guidelines and best practices would be extracted and customised as per requirements of assignment.
- Detailed audit program and procedures would be prepared based on these best practices.
- Audit program and procedures would be shared in advance with auditee department for their feedback.
- These would be further updated as required during execution of assignment.

Proposed deliverables
- Draft IS Audit report with list of control weaknesses covering each of the software with specific recommendations for mitigating risks.
- Final IS Audit report for each of the software as per scope with executive summary for senior management.
- Presentation to senior management covering key points and highlights of audits with specific recommendations for follow up plan for implementation of recommendations as agreed.

Sample Format of draft report
1. Issue (area of control weakness)
   - Ranked based on information criteria as relevant.
2. Implications (effect)
   - Highlighting IT Resources impacted as relevant. Critical Success Factors of relevant IT process
3. Cause: identifying the probable cause
4. Recommendations
   - Using the best practices of COBIT and other best practices as adapted for business requirement IT deployment of software auditee.
5. Management Comment
   - As provided by auditee based on discussion

Sample format of final report
Outline for each finding (area of control weakness or area of improvement)
- Issue
  Ranked based on criticality (high, medium or low)
- Implications (effect)
  With highlight of IT Resources impacted as relevant, identify probability and quantify risk based on business impact.
- Cause
  Identifying probable cause(s) for issue

Prepare final report
- Recommendation
  Based on best practices as adapted as per specific business requirement IT deployment of software audited.
- Management Comment
  Feedback from management and identifying issues of disagreement which need escalation.
management.

Thank you