
TRIBHUVAN UNIVERSITY
INSTITUTE OF ENGINEERING
Pulchowk Campus
Department of Mechanical Engineering

Directed Study Report On

Information System (IS) Audit

Submitted By:
Rajendra Bahadur Thapa (068/MsTIM/156)
Rajib Kumar Hyoju (068/MsTIM/157)
Sudan Kayastha (068/MsTIM/163)
Sudip Joshi (068/MsTIM/165)

Submitted to:
Prof. Amrit Man Nakarmi Co-ordinator, Master of Science in Technology and Innovation Management (MsTIM), Department of Mechanical Engineering.

9th October, 2012

ACKNOWLEDGEMENT

We wish to express our sincere gratitude to Prof. Amrit Man Nakarmi, Co-ordinator of the Master of Science in Technology and Innovation Management (MsTIM) program, and to the core group members of the MsTIM program for providing us the opportunity to carry out a directed study on the topic "Information System (IS) Audit" as a core course of study in the third semester of MsTIM. We sincerely thank our other professors and lecturers for their valuable feedback and encouragement in carrying out this directed study work. Last but not least, we wish to avail ourselves of this opportunity to express a sense of gratitude and love to our friends for their moral support, strength, help and everything.

Sincerely,
Rajendra Bahadur Thapa
Rajib Kumar Hyoju
Sudan Kayastha
Sudip Joshi
MsTIM-2011


Abstract
The strength of an organization is measured by the strength of its information system, which integrates the knowledge, capability, maturity models, product and service delivery processes, etc. possessed by the organization. The information system must be flawless, aware of possible risks and equipped with good measures against risk hazards. For this, the information system must be certified or audited to check its level of performance and to enhance the system. Information systems audit is a part of the overall audit process, which is one of the facilitators of good corporate governance. Information systems are the lifeblood of any large business. The purpose of IS audit is to review and provide feedback, assurances and suggestions on the availability, confidentiality and integrity of the information systems. The COBIT framework for IS audit incorporates business-focused, process-oriented, controls-based and measurement-driven characteristics. NRB has issued IT Guidelines to be implemented by the commercial banks of Nepal. Thus, with the increasing complexity of information systems, IS audit is necessary to avoid risk hazards and to enhance the performance of information systems, yielding more efficiency and competitive advantage.

Key Words: Information System, Information Technology, IT Audit, IS Audit, COBIT, COBIT Framework, NRB Guidelines, Nepal


Table of Contents
ACKNOWLEDGEMENT ..... ii
Abstract ..... iii
List of Abbreviations ..... v
1. Background ..... 1
  1.1 Introduction ..... 1
  1.2 Significance of the Study ..... 2
    1.2.1 General Significance ..... 2
    1.2.2 Specific Significance ..... 2
  1.3 Statement of Purpose ..... 3
  1.4 Theoretical Framework/Model ..... 3
    1.4.1 Control Objectives for Information and related Technology (COBIT) ..... 5
2. Literature Review ..... 6
  2.1 Elements of IS Audit ..... 6
  2.2 Need for a Control Framework in Information System ..... 7
  2.3 Procedures ..... 11
  2.4 Control Objectives for Information and related Technology (COBIT) ..... 12
    2.4.1 Vision ..... 12
    2.4.2 How COBIT Meets the Need ..... 12
    2.4.3 COBIT Framework Model ..... 21
    2.4.4 Overall COBIT Framework ..... 24
  2.5 Information Security and Technical Security Risks ..... 25
    2.5.1 Information Security ..... 25
    2.5.2 Technical Security Risks ..... 26
3. IS Audit in Nepal Scenario ..... 32
  3.1 NRB guidelines ..... 32
  3.2 Challenges for Nepal in implementing IS Audit ..... 36
4. Discussion and Recommendation ..... 37
  4.1 Discussion ..... 37
  4.2 Recommendation ..... 38
5. Conclusion ..... 39
6. References and Bibliography ..... 40

List of Abbreviations
IT: Information Technology
IS: Information System
ISA: Information System Audit
ITGI: IT Governance Institute
CISA: Certified Information Systems Auditor
ATM: Automatic Teller Machine
COBIT: Control Objectives for Information and related Technology
NRB: Nepal Rastra Bank
ISACA: Information Systems Audit and Control Association
ITSEC: Information Technology Security Evaluation Criteria
TCSEC: Trusted Computer System Evaluation Criteria
COSO: Committee of Sponsoring Organizations
CMMI: Capability Maturity Model Integration
ITIL: Information Technology Infrastructure Library
PMBOK: Project Management Body of Knowledge
SEI: Software Engineering Institute

1. Background
1.1 Introduction

The 21st century is the age of information and knowledge management. The strength of an organization is measured by the strength of the knowledge, capability, maturity models, product and service delivery processes, etc. that it possesses. For this, organizations and firms should have an efficient and reliable information system. To achieve the best information system, organizations are in a rat race to use cutting-edge technologies. It is indeed necessary for all organizations and firms to adopt new technology and perform well in the market in order to gain competitive advantage over rival companies. Adopting an information system also increases the organization's exposure to risk if the system has any flaws. These days, if there is a flaw in the system, the bad impression can spread to the whole world within a few seconds: any delay in service or flaw in the product may be tweeted by customers (through social networking sites such as Twitter, Facebook, etc.). So, products and services must be perfect and should satisfy all customers.

To achieve the main goal of business by satisfying customers, the information system must be flawless, aware of possible risks and equipped with good measures against risk hazards. For this, the information system must be certified or audited to check its level of performance and to enhance the system. Information systems audit is a part of the overall audit process, which is one of the facilitators of good corporate governance. While there is no single universal definition of IS audit, Ron Weber has defined it as "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently."

Information systems are the lifeblood of any large business. As in years past, computer systems do not merely record business transactions, but actually drive the key business processes of the enterprise. In such a scenario, senior management and business managers do have concerns about information systems. The purpose of IS audit is to review and provide feedback, assurances and suggestions. These concerns can be grouped under three broad heads:

- Availability: Will the information systems on which the business is heavily dependent be available for the business at all times when required? Are the systems well protected against all types of losses and disasters?
- Confidentiality: Will the information in the systems be disclosed only to those who have a need to see and use it, and not to anyone else?
- Integrity: Will the information provided by the systems always be accurate, reliable and timely? What ensures that no unauthorized modification can be made to the data or the software in the systems?

There is also a lot of competition among business firms and organizations in Nepal. Every business firm is aware of the benefits of the information sector. The banking sector is prominent in using the best information systems within its capacity. Guidelines for Information Technology audit have been introduced by Nepal Rastra Bank (the central bank of Nepal). Still, IT audit must be introduced by other firms for better performance, which will gradually increase in the coming days.

1.2 Significance of the Study

1.2.1 General Significance

The general significance is to study the effective management processes of Information Systems.

1.2.2 Specific Significance

The specific significance of the study can be stated as follows:

- To study the importance of Information Systems for an organization, firm or business.
- To study the management philosophy, operating style and risk assessment practices for Information Systems.
- To study the processes for auditing Information Systems adopted worldwide.
- To study the security hazards and technical risks in Information Systems.
- To relate Information System audit to the context of Nepal.

1.3 Statement of Purpose

Just as air is necessary for human beings, these days an information system is necessary for the smooth operation of every business, organization and institution. There are many issues in using an information system. High-tech manpower is needed to implement an information system in an effective way, and many companies and organizations are bearing huge losses while implementing theirs. The information system is integrated into the whole business process, and the Information Technology department must be responsible for its smooth operation. So, there is a need for control over the implementation of information systems for prosperous overall business performance. Hence we are focusing our study on the control framework for information governance, which is also known as Information System Auditing.

1.4 Theoretical Framework/Model

Governance over information technology and its processes, with the business goal of adding value while balancing risk versus return, ensures delivery of information to the business that addresses the required information criteria. This is measured by key goal indicators, enabled by creating and maintaining a system of process control excellence appropriate for the business. It directs and monitors the business value delivery of IT, considers critical success factors that leverage all IT resources, and is measured by key performance indicators. [IT Governance Institute, 2004]

Critical success factors

- IT governance activities are integrated into the enterprise governance process and leadership behaviours.
- IT governance focuses on the enterprise goals, strategic initiatives, the use of technology to enhance the business, and on the availability of sufficient resources and capabilities to keep up with the business demands.
- IT governance activities are defined with a clear purpose, documented and implemented, based on enterprise needs and with unambiguous accountabilities.
- Management practices are implemented to increase the efficient and optimal use of resources and the effectiveness of IT processes.
- Organizational practices are established to enable sound oversight; a control environment/culture; risk assessment as standard practice; a degree of adherence to established standards; and monitoring and follow-up of control deficiencies and risks.
- Control practices are defined to avoid breakdowns in internal control and oversight.

Key goal indicators

- Enhanced performance and cost management
- Improved return on major IT investments
- Improved time to market
- Increased quality, innovation and risk management
- Appropriately integrated and standardized business processes
- Reaching new and satisfying existing customers
- Availability of appropriate bandwidth, computing power and IT delivery mechanisms
- Meeting requirements and expectations of the customer of the process, on budget and on time
- Adherence to laws, regulations, industry standards and contractual commitments
- Transparency on risk taking and adherence to the agreed organizational risk profile
- Benchmarking comparisons of IT governance maturity
- Creation of new service delivery channels

Key performance indicators

- Improved cost-efficiency of IT processes (costs vs. deliverables)
- Increased number of IT action plans for process improvement initiatives
- Increased utilization of IT infrastructure
- Increased satisfaction of stakeholders (survey and number of complaints)
- Improved staff productivity (number of deliverables) and morale (survey)
- Increased availability of knowledge and information for managing the enterprise
- Increased linkage between IT and enterprise governance
- Improved performance as measured by IT balanced scorecards

In recent years, it has become increasingly evident that there is a need for a reference framework for security and control in IT. Successful organizations require an appreciation for and a basic understanding of the risks and constraints of IT at all levels within the enterprise in order to achieve effective direction and adequate controls. Based on the compliance testing carried out in the prior phase, we develop an audit program detailing the nature, timing and extent of the audit procedures. In the audit plan, various control tests and reviews can be done.

1.4.1 Control Objectives for Information and related Technology (COBIT)

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and in developing appropriate IT governance and control in a company.

2. Literature Review
2.1 Elements of IS Audit

An information system is not just a computer. Today's information systems are complex and have many components that piece together to make a business solution. Assurances about an information system can be obtained only if all the components are evaluated and secured. The proverbial weakest link is the total strength of the chain. The major elements of IS audit can be broadly classified as follows:

- Physical and environmental review: this includes physical security, power supply, air conditioning, humidity control and other environmental factors.
- System administration review: this includes security review of the operating systems, database management systems, all system administration procedures and compliance.
- Application software review: the business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software, and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.
- Network security review: review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
- Business continuity review: this includes the existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.
- Data integrity review: the purpose of this is scrutiny of live data to verify the adequacy of controls and the impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer-assisted audit techniques).

All these elements need to be addressed to present to management a clear assessment of the system. For example, application software may be well designed and implemented with all the security features, but the default super-user password in the operating system used on the server may not have been changed, thereby allowing someone to access the data files directly. Such a situation negates whatever security is built into the application. Likewise, firewalls and technical system security may have been implemented very well, but the role definitions and access controls within the application software may have been so poorly designed and implemented that, using their own user IDs, employees may get to see critical and sensitive information far beyond their roles. It is important to understand that each audit may consist of these elements in varying measures; some audits may scrutinize only one of these elements or drop some of them. While the fact remains that it is necessary to do all of them, it is not mandatory to do all of them in one assignment. The skill sets required for each of these are different. The results of each audit need to be seen in relation to the others. This will enable the auditor and management to get the total view of the issues and problems.
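The weakest-link rule stated above (the overall assurance is no better than the weakest reviewed element, and elements left out of an assignment must be reported as out of scope) can be written down as a small model. The following script is an added example, not part of the report; the element names, the three-step rating scale and the sample findings are assumptions constructed here, with the findings following the report's own illustration of a sound application undermined by an unchanged default super-user password.

```python
"""Weakest-link view of the IS audit elements described in section 2.1.

Added example (not part of the report): each review element gets a rating,
and the overall assurance is the lowest rating among the elements actually
reviewed, since one uncontrolled element negates the rest.
"""
from dataclasses import dataclass, field

# The six review elements named in section 2.1.
ELEMENTS = (
    "physical_environmental",
    "system_administration",
    "application_software",
    "network_security",
    "business_continuity",
    "data_integrity",
)

# Ordinal scale for control effectiveness (an assumption; the report gives none).
RATING_ORDER = {"ineffective": 0, "partial": 1, "effective": 2}


@dataclass
class Finding:
    element: str
    rating: str          # one of RATING_ORDER
    note: str = ""

    def __post_init__(self):
        if self.element not in ELEMENTS:
            raise ValueError(f"unknown audit element: {self.element}")
        if self.rating not in RATING_ORDER:
            raise ValueError(f"unknown rating: {self.rating}")


@dataclass
class Assessment:
    overall: str                                       # weakest rating across reviewed elements
    weakest: list = field(default_factory=list)        # elements sitting at that rating
    not_reviewed: list = field(default_factory=list)   # elements outside this assignment


def assess(findings):
    """Overall assurance is bounded by the weakest reviewed element.

    Elements not covered by this assignment are listed separately so the
    report can state what the opinion does and does not cover.
    """
    reviewed = {}
    for f in findings:
        # Several findings per element: keep the worst one.
        prev = reviewed.get(f.element)
        if prev is None or RATING_ORDER[f.rating] < RATING_ORDER[prev.rating]:
            reviewed[f.element] = f
    if not reviewed:
        raise ValueError("no findings to assess")
    low = min(RATING_ORDER[f.rating] for f in reviewed.values())
    overall = next(name for name, v in RATING_ORDER.items() if v == low)
    weakest = sorted(e for e, f in reviewed.items() if RATING_ORDER[f.rating] == low)
    not_reviewed = [e for e in ELEMENTS if e not in reviewed]
    return Assessment(overall, weakest, not_reviewed)


# Constructed sample findings (not real audit data).
SAMPLE_FINDINGS = [
    Finding("application_software", "effective", "access control and validation in place"),
    Finding("application_software", "effective", "SDLC documented and followed"),
    Finding("system_administration", "ineffective",
            "default super-user password on the server OS never changed"),
    Finding("network_security", "partial", "firewall rule set not reviewed in 12 months"),
]

if __name__ == "__main__":
    result = assess(SAMPLE_FINDINGS)
    print("overall assurance:", result.overall)
    print("weakest element(s):", ", ".join(result.weakest))
    print("not reviewed:", ", ".join(result.not_reviewed))
```

Run as a script it reports the overall assurance as "ineffective" because of the system administration finding, even though the application review passed, and lists the three elements that were not in scope.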

2.2 Need for a Control Framework in Information System

In recent years, it has become increasingly evident that there is a need for a reference framework for security and control in IT. Successful organizations require an appreciation for and a basic understanding of the risks and constraints of IT at all levels within the enterprise in order to achieve effective direction and adequate controls. MANAGEMENT has to decide what to reasonably invest for security and control in IT and how to balance risk and control investment in an often unpredictable IT environment. While information systems security and control help manage risks, they do not eliminate them. In addition, the exact level of risk can never be known since there is always some degree of uncertainty.

Ultimately, management must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighed against the cost, can be a difficult management decision. Therefore, management clearly needs a framework of generally accepted IT security and control practices to benchmark the existing and planned IT environment. There is an increasing need for USERS of IT services to be assured, through accreditation and audit of IT services provided internally or by third parties, that adequate security and control exist. At present, however, the implementation of good IT controls in information systems, be they commercial, non-profit or governmental, is hampered by confusion. The confusion arises from the different evaluation methods such as ITSEC, TCSEC, ISO 9000 evaluations, emerging COSO internal control evaluations, etc. As a result, users need a general foundation to be established as a first step. Frequently, AUDITORS have taken the lead in such international standardization efforts because they are continuously confronted with the need to substantiate their opinion on internal control to management. Without a framework, this is an exceedingly difficult task. Furthermore, auditors are increasingly being called on by management to proactively consult and advise on IT security and control-related matters.

Why

Increasingly, top management is realizing the significant impact that information can have on the success of the enterprise. Management expects a heightened understanding of the way IT is operated and the likelihood of its being leveraged successfully for competitive advantage. In particular, top management needs to know if information is being managed by the enterprise so that it is:

- Likely to achieve its objectives
- Resilient enough to learn and adapt
- Judiciously managing the risks it faces
- Appropriately recognizing opportunities and acting upon them

Successful enterprises understand the risks and exploit the benefits of IT and find ways to deal with:

- Aligning IT strategy with the business strategy
- Assuring investors and shareholders that a standard of due care around mitigating IT risks is being met by the organisation
- Cascading IT strategy and goals down into the enterprise
- Obtaining value from IT investments
- Providing organisational structures that facilitate the implementation of strategy and goals
- Creating constructive relationships and effective communication between the business and IT, and with external partners
- Measuring IT's performance

Enterprises cannot deliver effectively against these business and governance requirements without adopting and implementing a governance and control framework for IT to:

- Make a link to the business requirements
- Make performance against these requirements transparent
- Organize its activities into a generally accepted process model
- Identify the major resources to be leveraged
- Define the management control objectives to be considered

Furthermore, governance and control frameworks are becoming a part of IT management good practice and are an enabler for establishing IT governance and complying with continually increasing regulatory requirements. IT good practices have become significant due to a number of factors:

- Business managers and boards demanding a better return from IT investments, i.e., that IT delivers what the business needs to enhance stakeholder value
- Concern over the generally increasing level of IT expenditure
- The need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting (e.g., the US Sarbanes-Oxley Act, Basel II) and in specific sectors such as finance, pharmaceuticals and healthcare
- The selection of service providers and the management of service outsourcing and acquisition
- Increasingly complex IT-related risks, such as network security
- IT governance initiatives that include adoption of control frameworks and good practices to help monitor and improve critical IT activities to increase business value and reduce business risk
- The need to optimize costs by following, where possible, standardized rather than specially developed approaches
- The growing maturity and consequent acceptance of well-regarded frameworks, such as COBIT, IT Infrastructure Library (ITIL), the ISO 27000 series of information security-related standards, ISO 9001:2000 Quality Management Systems Requirements, Capability Maturity Model Integration (CMMI), Projects in Controlled Environments 2 (PRINCE2) and A Guide to the Project Management Body of Knowledge (PMBOK)
- The need for enterprises to assess how they are performing against generally accepted standards and their peers (benchmarking)

Who

A governance and control framework needs to serve a variety of internal and external stakeholders, each of whom has specific needs:

- Stakeholders within the enterprise who have an interest in generating value from IT investments: those who make investment decisions; those who decide about requirements; those who use IT services
- Internal and external stakeholders who provide IT services: those who manage the IT organization and processes; those who develop capabilities; those who operate the services
- Internal and external stakeholders who have a control/risk responsibility: those with security, privacy and/or risk responsibilities; those performing compliance functions; those requiring or providing assurance services

What

To meet the requirements listed in the previous section, a framework for IT governance and control should:

- Provide a business focus to enable alignment between business and IT objectives
- Establish a process orientation to define the scope and extent of coverage, with a defined structure enabling easy navigation of content
- Be generally acceptable by being consistent with accepted IT good practices and standards and independent of specific technologies
- Supply a common language with a set of terms and definitions that are generally understandable by all stakeholders
- Help meet regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and external auditors. [IT Governance Institute, 2007]

2.3 Procedures

The preparation before commencing an audit involves collecting background information and assessing the resources and skills required to perform the audit. This enables staff with the right kind of skills to be allotted to the right assignment. It is always good practice to have a formal audit commencement meeting with the senior management responsible for the area under audit to finalize the scope, understand any special concerns, schedule the dates and explain the methodology for the audit. Such meetings get senior management involved, allow people to meet each other, clarify issues and underlying business concerns, and help the audit to be conducted smoothly. Similarly, after the audit scrutiny is completed, it is better to communicate the audit findings and suggestions for corrective action to senior management in a formal meeting using a presentation. This will ensure better understanding and increase buy-in of audit recommendations. It also gives auditors an opportunity to express their viewpoints on the issues raised. Writing a report after such a meeting, where agreement is reached on all audit issues, can greatly enhance audit effectiveness. For these procedures, a standard was developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992: a set of best practices (a framework) for information technology (IT) management known as the Control Objectives for Information and related Technology (COBIT).

2.4 Control Objectives for Information and related Technology (COBIT)

2.4.1 Vision

To research, develop, publicize and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals.

2.4.2 How COBIT Meets the Need

In response to the needs described in section 2.2, the COBIT framework was created with the main characteristics of being business-focused, process-oriented, controls-based and measurement-driven.

2.4.2.1 Business Focused

Business orientation is the main theme of COBIT. It is designed not only to be employed by IT service providers, users and auditors, but also, and more importantly, to provide comprehensive guidance for management and business process owners. The COBIT framework is based on the following principle (figure below):

To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in, manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information. Managing and controlling information are at the heart of the COBIT framework and help ensure alignment to business requirements.

Figure 1 Basic COBIT Principle


COBIT's information criteria: to satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. These are effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.

Business goals and IT goals: whilst information criteria provide a generic method for defining the business requirements, defining a set of generic business and IT goals provides a business-related and more refined basis for establishing business requirements and developing the metrics that allow measurement against these goals. Every enterprise uses IT to enable business initiatives, and these can be represented as business goals for IT.

Figure 2 Managing IT Resources to Deliver IT Goals


IT resources: the IT organization delivers against these goals by a clearly defined set of processes that use people skills and technology infrastructure to run automated business applications while leveraging business information. The IT resources identified in COBIT can be defined as follows:

- Applications are the automated user systems and manual procedures that process the information.
- Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business.
- Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
- People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

2.4.2.2 Process Oriented

COBIT defines IT activities in a generic process model within four domains. These domains are Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT's traditional responsibility areas of plan, build, run and monitor. The COBIT framework provides a reference process model and common language for everyone in an enterprise to view and manage IT activities. Incorporating an operational model and a common language for all parts of the business involved in IT is one of the most important and initial steps toward good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices. A process model encourages process ownership, enabling responsibilities and accountability to be defined. To govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. Within the COBIT framework, these domains, as shown in the figure below, are called:

Figure 3 The Four Interrelated Domains of COBIT


- Plan and Organise (PO): Provides direction to solution delivery (AI) and service delivery (DS)
- Acquire and Implement (AI): Provides the solutions and passes them to be turned into services
- Deliver and Support (DS): Receives the solutions and makes them usable for end users
- Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed

2.4.2.3 Controls Based

COBIT defines control objectives for all 34 processes, as well as overarching process and application controls.

PROCESSES NEED CONTROLS

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:

- Are statements of managerial actions to increase value or reduce risk
- Consist of policies, procedures, practices and organizational structures
- Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Enterprise management needs to make choices relative to these control objectives by:

- Selecting those that are applicable
- Deciding upon those that will be implemented
- Choosing how to implement them (frequency, span, automation, etc.)
- Accepting the risk of not implementing those that may apply

Guidance can be obtained from the standard control model shown in the figure below. It follows the principles evident in this analogy: when the room temperature (standard) for the heating system (process) is set, the system will constantly check (compare) the ambient room temperature (control information) and will signal (act) the heating system to provide more or less heat.

Each of COBIT's IT processes has a process description and a number of control objectives. As a whole, they are the characteristics of a well-managed process. The control objectives are identified by a two-character domain reference (PO, AI, DS and ME) plus a process number and a control objective number. In addition to the control objectives, each COBIT process has generic control requirements that are identified by PCn, for process control number:

- PC1 Process Goals and Objectives
- PC2 Process Ownership
- PC3 Process Repeatability
- PC4 Roles and Responsibilities, etc.

Figure 4 Control Model


IT GENERAL CONTROLS AND APPLICATION CONTROLS

General controls are controls embedded in IT processes and services. Examples include:

- Systems development
- Change management
- Security
- Computer operations

Controls embedded in business process applications are commonly referred to as application controls. Examples include:

- Completeness
- Accuracy
- Validity
- Authorization
- Segregation of duties

The following list provides a recommended set of application control objectives. They are identified by ACn, for application control number:

- AC1 Source Data Preparation and Authorisation
- AC2 Source Data Collection and Entry
- AC3 Accuracy, Completeness and Authenticity Checks
- AC4 Processing Integrity and Validity, etc.

2.4.2.4 Measurement Driven

A basic need for every enterprise is to understand the status of its own IT systems and to decide what level of management and control the enterprise should provide. To decide on the right level, management should ask itself: How far should we go, and is the cost justified by the benefit? Obtaining an objective view of an enterprise's own performance level is not easy. What should be measured and how? Enterprises need to measure where they are and where improvement is required, and implement a management tool kit to monitor this improvement. COBIT deals with these issues by providing:

1. Maturity models to enable benchmarking and identification of necessary capability improvements
2. Performance goals and metrics for the IT processes, demonstrating how processes meet business and IT goals and are used for measuring internal process performance based on balanced scorecard principles
3. Activity goals for enabling effective process performance

MATURITY MODELS

Senior managers in corporate and public enterprises are increasingly asked to consider how well IT is being managed. In response to this, business cases require development for improvement and for reaching the appropriate level of management and control over the information infrastructure. While few would argue that this is not a good thing, they need to consider the cost-benefit balance and these related questions:

1. What are our industry peers doing, and how are we placed in relation to them?
2. What is acceptable industry good practice, and how are we placed with regard to these practices?
3. Based upon these comparisons, can we be said to be doing enough?
4. How do we identify what is required to be done to reach an adequate level of management and control over our IT processes?

It can be difficult to supply meaningful answers to these questions. IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. Starting from COBIT's processes, the process owner should be able to incrementally benchmark against that control objective. This responds to three needs:

1. A relative measure of where the enterprise is
2. A manner to efficiently decide where to go
3. A tool for measuring progress against the goal

Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of non-existent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) defined for the maturity of software development capability. Although concepts of the SEI approach were followed, the COBIT implementation differs considerably from the original SEI model, which was oriented toward software product engineering principles, organizations striving for excellence in these areas and formal appraisal of maturity levels so that software developers could be certified.
In COBIT, a generic definition is provided for the COBIT maturity scale, which is similar to CMM but interpreted for the nature of COBIT's IT management processes. A specific model is provided from this generic scale for each of COBIT's 34 processes. Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable because, in general, the purpose is to identify where issues are and how to set priorities for improvements. The purpose is not to assess the level of adherence to the control objectives. The maturity levels are designed as profiles of IT processes that an enterprise would recognize as descriptions of possible current and future states. They are not designed for use as a threshold model, where one cannot move to the next higher level without having fulfilled all conditions of the lower level. With COBIT's maturity models, unlike the original SEI CMM approach, there is no intention to measure levels precisely or try to certify that a level has exactly been met. A COBIT maturity assessment is likely to result in a profile where conditions relevant to several maturity levels will be met, as shown in the example graph below.

Figure 5 Possible maturity level of an IT process


However, process management capability is not the same as process performance. The required capability, as determined by business and IT goals, may not need to be applied to the same level across the entire IT environment, e.g., not consistently or to only a limited number of systems or units. Performance measurement, as covered in the next paragraphs, is essential in determining what the enterprise's actual performance is for its IT processes. The generic maturity scale is as follows:

0 Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognised that there is an issue to be addressed.

1 Initial/Ad Hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

2 Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
2.4.3 COBIT Framework Model

The COBIT framework, therefore, ties the business's requirements for information and governance to the objectives of the IT services function. The COBIT process model enables IT activities and the resources that support them to be properly managed and controlled based on COBIT's control objectives, and aligned and monitored using COBIT's goals and metrics. [IT Governance Institute, 2007]

Figure 6 COBIT Management, Control, Alignment and Monitoring


To summarize, IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.

Figure 7 The COBIT Cube


COBIT's General Acceptability

COBIT is based on the analysis and harmonization of existing IT standards and good practices and conforms to generally accepted governance principles. It is positioned at a high level, driven by business requirements, covers the full range of IT activities, and concentrates on what should be achieved rather than how to achieve effective governance, management and control. Therefore, it acts as an integrator of IT governance practices and appeals to executive management; business and IT management; governance, assurance and security professionals; and IT audit and control professionals. It is designed to be complementary to, and used together with, other standards and good practices. To achieve alignment of good practice to business requirements, it is recommended that COBIT be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every enterprise. Specific practices and standards covering discrete areas can be mapped up to the COBIT framework, thus providing a hierarchy of guidance materials. COBIT appeals to different users:

1. Executive management: To obtain value from IT investments and balance risk and control investment in an often unpredictable IT environment
2. Business management: To obtain assurance on the management and control of IT services provided by internal or third parties
3. IT management: To provide the IT services that the business requires to support the business strategy in a controlled and managed way
4. Auditors: To substantiate their opinions and/or provide advice to management on internal controls


2.4.1 Overall COBIT Framework

Figure 8 Overall COBIT Framework [IT Governance Institute, July 2000]


2.5 Information Security and Technical Security Risks

2.5.1 Information Security

Security relates to the protection of valuable assets against loss, misuse, disclosure or damage. In this context, valuable assets are the information recorded on, processed by, stored in, shared by, transmitted from or retrieved from an electronic medium. The information must be protected against harm from threats leading to different types of impacts such as loss, inaccessibility, alteration or wrongful disclosure. Threats include errors and omissions, fraud, accidents and intentional damage. The objective of information security is protecting the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity. The impact of the Internet and the growth of the networked economy have added the need for trust in electronic transactions. Overall, for most computer users the security objective is met when:

1. Information systems are available and usable when required, and can appropriately resist attacks and recover from failures (availability)
2. Information is observed by or disclosed to only those who have a right to know (confidentiality)
3. Information is protected against unauthorized modification or error so accuracy, completeness and validity are maintained (integrity)
4. Business transactions and information exchanges between enterprises, customers, suppliers or partners can be trusted (authenticity and non-repudiation)

The relative priority and significance of availability, confidentiality, integrity and trust vary according to the value and type of information and the context in which the information is used. For example, integrity of management information is especially important to a business that relies on critical strategy-related decisions, and integrity of an online purchase is very important to the home user doing Internet shopping.

The amount of protection required depends on how likely a security risk might occur, and how big an impact it would have if it did occur. Protection is achieved by a combination of technical and nontechnical safeguards. For the home user, this means installation of reputable security tools, maintenance of up-to-date software, care with backups, and being careful and alert to the hazards of using computers and connecting to the Internet. For large enterprises, protection will be a major task with a layered series of safeguards such as physical security measures, background checks, user identifiers, passwords, smart cards, biometrics and firewalls. In the ever-changing technological environment, security that is state-of-the-art today may be obsolete tomorrow. Therefore, security protection must keep pace with these changes.

"Information security provides the management processes, technology and assurance to allow business management to ensure business transactions can be trusted; ensure IT services are usable and can appropriately resist and recover from failures due to error, deliberate attacks or disaster; and ensure critical confidential information is withheld from those who should not have access to it." Dr. Paul Dorey, director, Digital Business Security, BP Plc. [IT Governance Institute, 2004]

2.5.2 Technical Security Risks

Information security is a key aspect of information technology governance, and it is an important issue for all computer users to understand and address. As computer systems have become more and more commonplace in all walks of life, from home to school and office, unfortunately so too have the security risks. The widespread use of the Internet, handheld and portable computer devices, and mobile and wireless technologies has made access to data and information easy and affordable. On the other hand, these developments have provided new opportunities for information technology related problems to occur, such as theft of data, malicious attacks using viruses, hacking, denial-of-service (DoS) attacks and even new ways to commit organized crime. These risks, as well as the potential for careless mistakes, can all result in serious financial, reputational and other damages. Recognizing the need for better security guidance, the cited ITGI booklet was developed to provide essential advice and practical tools to help protect computer users from these risks. [IT Governance Institute, 2004]

Trojan Horse programs: Trojan Horse programs are a common way for intruders to trick the user (sometimes referred to as social engineering) into installing back door programs, which can allow intruders easy access to the user's computer without his/her knowledge, change the system configuration or infect the computer with a computer virus.

Back door and remote administration programs: On computers using a Windows operating system, intruders commonly use three tools (Back Orifice, Netbus and SubSeven) to gain remote access to the computer. These back door or remote administration programs, once installed, allow other people to access and control the computer. The CERT vulnerability note about Back Orifice should be reviewed. Other computer platforms may be vulnerable and the user needs to monitor vulnerability reports and maintain the system.

Denial-of-service (DoS) attacks: Another form of attack is called a denial-of-service attack. This type of attack causes the computer to crash or become so busy processing data that the user is unable to use it. In most cases, the latest patches will prevent the attack.

Being an intermediary for another attack: Intruders frequently use compromised computers as launching pads for attacking other systems. The use of distributed denial-of-service (DDoS) tools is an example of this. The intruders would install an agent (frequently through a Trojan Horse program) that runs on the compromised computer awaiting further instructions. Then, when many agents are running on different computers, a single handler can instruct all of them to launch a denial-of-service attack on another system. Thus, the end target of the attack is not the original user's computer, but someone else's; the original user's computer is just a convenient tool in a larger attack. [IT Governance Institute, 2004]

Unprotected Windows networking shares: Intruders can exploit unprotected Windows networking shares in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer's owner, but it is also a threat to other sites on the Internet.

Mobile code (Java/JavaScript/ActiveX): There have been reports of problems with mobile code (e.g., Java, JavaScript and ActiveX). These programming languages let web developers write code that is executed by the organization's web browser. Although such code is generally useful to the organization, intruders also use it to gather information (such as which web sites the user visits) or run malicious code on the computer. It is possible to disable Java, JavaScript and ActiveX in the web browser, but the user should be aware that this may limit legitimate browser functionality. Also, the user should be aware of the risks involved in the use of mobile code within e-mail programs. Many e-mail programs use the same code as web browsers to display HTML. Thus, vulnerabilities that affect Java, JavaScript and ActiveX are often applicable to e-mail and web pages.

Cross-site scripting: A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form or a database inquiry. Later, when the web site responds, the malicious script is transferred to the browser. This can potentially expose the web browser to malicious scripts by:

- Following links in web pages, e-mail messages or newsgroup postings without knowing where they link
- Using interactive forms on an untrustworthy site
- Viewing online discussion groups, forums or other dynamically generated pages where users can post text containing HTML tags

E-mail spoofing: E-mail spoofing is when an e-mail message appears to have originated from one source when it actually was sent from another source. E-mail spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords). Spoofed e-mail can range from harmless pranks to social engineering ploys. Examples of the latter include:

- E-mail claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not comply
- E-mail claiming to be from a person in authority requesting users to send a copy of a password file or other sensitive information

E-mail-borne viruses: Viruses and other types of malicious code are often spread as attachments to e-mail messages. Before opening any attachments, the user should be aware of the source of the attachment. It is not enough that the e-mail originated from a recognised address. For example, the Melissa virus spread precisely because it originated from a familiar address. Also, malicious code might be distributed in amusing or enticing programs. Many recent viruses use these social engineering techniques to spread. Examples include W32/Sircam and W32/Goner.

Hidden file extensions: Windows operating systems contain an option to hide file extensions for known file types. The option is enabled by default, but a user may choose to disable this option to have file extensions displayed by Windows. Multiple e-mail-borne viruses are known to exploit hidden file extensions. The first major attack that took advantage of a hidden file extension was the VBS/LoveLetter worm, which contained an e-mail attachment named LOVE-LETTER-FOR-YOU.TXT.vbs. Other examples include Downloader (MySis.avi.exe or QuickFlick.mpg.exe), VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs), and VBS/OnTheFly (AnnaKournikova.jpg.vbs).

The files attached to the e-mail messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types, when in fact the file is a malicious script or executable (.vbs or .exe). [IT Governance Institute, 2004]

Chat clients: Internet chat applications, such as instant messaging applications and Internet relay chat (IRC) networks, provide a mechanism for information to be transmitted bidirectionally between computers on the Internet. Chat clients provide groups of individuals with the means to exchange dialogue, web URLs and, in many cases, files of any type. Because many chat clients allow for the exchange of executable code, they present risks similar to those of e-mail clients. As with e-mail clients, the chat client's ability to execute downloaded files should be limited. As always, the user should be wary of exchanging files with unknown parties.
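The hidden-extension trick described above can be caught mechanically at a mail gateway or in an attachment handler before a user ever sees the misleading name. The following Python check is an added example, not code from the report or from ITGI; the extension lists and the block/quarantine/allow verdicts are the author's assumptions. It reproduces what Windows displays when known extensions are hidden and compares that with the file's real type, using the attachment names quoted above as constructed test input; the same check applies to files received through chat clients.

```python
"""Flag attachment names that abuse hidden file extensions.

Added example for the hidden-file-extension risk; not taken from the report.
With "hide extensions for known file types" enabled, Windows displays only the
part of the name before the final extension, so LOVE-LETTER-FOR-YOU.TXT.vbs is
shown as LOVE-LETTER-FOR-YOU.TXT while the shell still runs it as a script.
"""
import os

# Extensions Windows runs as a program or via the script host (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user would read as harmless data (assumed list).
BENIGN_LOOKING_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".gif", ".mpg", ".avi", ".doc", ".pdf"}


def split_extensions(filename):
    """Return (real_ext, shown_ext), both lower-cased and possibly empty.

    real_ext is the last extension, the one that decides how Windows opens the
    file; shown_ext is the extension the user sees once real_ext is hidden.
    """
    stem, real_ext = os.path.splitext(filename)
    _, shown_ext = os.path.splitext(stem)
    return real_ext.lower(), shown_ext.lower()


def displayed_name(filename):
    """Name as shown with known extensions hidden: the final extension dropped."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name.

    block      - executable disguised with a harmless-looking inner extension
    quarantine - plainly executable attachment, nothing hidden
    allow      - anything else
    """
    real_ext, shown_ext = split_extensions(filename)
    if real_ext in EXECUTABLE_EXTENSIONS:
        if shown_ext in BENIGN_LOOKING_EXTENSIONS:
            return ("block",
                    f"shown as {displayed_name(filename)!r} but really {real_ext}")
        return ("quarantine", f"executable attachment ({real_ext})")
    return ("allow", "data file")


def scan_attachments(filenames):
    """Classify every attachment of one message.

    The message verdict is the most severe attachment verdict; an empty
    attachment list is allowed.
    """
    severity = {"allow": 0, "quarantine": 1, "block": 2}
    results = {name: classify_attachment(name) for name in filenames}
    worst = max((verdict for verdict, _ in results.values()),
                key=severity.__getitem__, default="allow")
    return worst, results


if __name__ == "__main__":
    # Constructed sample: the attachment names quoted in the report plus two benign ones.
    sample = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "MySis.avi.exe", "QuickFlick.mpg.exe",
              "COOL_NOTEPAD_DEMO.TXT.vbs", "AnnaKournikova.jpg.vbs",
              "quarterly-report.pdf", "README"]
    verdict, details = scan_attachments(sample)
    for name, (action, reason) in details.items():
        print(f"{action:10} {name:30} {reason}")
    print("message verdict:", verdict)
```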

Packet sniffing: A packet sniffer is a program that captures data from information packets as they travel over the network. These data may include user names, passwords and proprietary information that travel over the network in clear text. With perhaps hundreds or thousands of passwords captured by the packet sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require administrator-level access. Relative to DSL and traditional dial-up users, cable modem users have a higher risk of exposure to packet sniffers, since entire neighborhoods of cable modem users are effectively part of the same LAN. A packet sniffer installed on any cable modem user's computer in a neighborhood may be able to capture data transmitted by any other cable modem in the same neighborhood.

Identity theft: Information stored on a home computer may provide a hacker with enough personal data to apply for a credit card or identification in the user's name.


Tunneling: When employees work at home and transfer files to a computer at the office, there is potential that someone could remotely gain access to the home PC and place a secret file in a document that ends up on the company system.

Zombies: Automatic programs search for systems that are connected to the Internet but are unprotected; take them over without the owner's knowledge; and use them for malicious purposes.

Spyware: Innocent-looking software (e.g., P2p-agent software used in popular peer-to-peer communications software) can include or hide software that collects information about the system and the user, and can send this information to third parties without the legitimate user knowing.

Beyond these, new programs targeting naive users keep appearing and are becoming a huge threat to information systems. Information security is therefore a key issue for IS audit. [IT Governance Institute, 2004]


3. IS Audit in the Nepal Scenario


3.1 NRB guidelines

The NRB IT Guidelines cover ten areas: 1. IT Governance; 2. Information Security; 3. Information Security Education; 4. Information Disclosure and Grievance Handling; 5. Outsourcing Management; 6. IT Operation; 7. Information Systems Acquisition, Development and Implementation; 8. Business Continuity and Disaster Recovery Planning; 9. IS Audit; 10. Fraud Management.

Figure 9 NRB IT Guidelines


APPLICABILITY OF THE GUIDELINES


The objectives of the IT guidelines of NRB (Nepal Rastra Bank, the central bank of Nepal) are to promote sound and robust technology risk management and to strengthen system security, reliability, availability and business continuity in commercial banks of Nepal. Banks should compulsorily comply with this guideline within two years from the date of issuance. The Action Plan (along with a time frame for each action) for the implementation of the guidelines should be developed and provided to the Bank Supervision Department, Nepal Rastra Bank within six months from the issuance. The extent of compliance with this guideline will be examined during the periodic onsite/offsite supervision by NRB. The guidelines cover 10 different points, which are as follows. [Bank Supervision Department, 2012]

1. IT GOVERNANCE

IT has been adopted by most of the commercial banks to some degree, from branch automation to providing alternate delivery channels. This pervasive nature of IT has increased the challenge of governing it. Since IT is very critical in supporting and enabling business goals and is strategic for business growth, due diligence on its governance is essential. IT governance is a continuous process where IT strategy drives the process using the necessary resources.

2. INFORMATION SECURITY

Robust information is crucial to achieve business goals and for managing risk prudently in banks. Accuracy, integrity, consistency, completeness, validity, timeliness, accessibility, usability and auditability are requirements of information processed and stored electronically. To achieve these qualities of data, banks should develop and maintain a comprehensive information security program.

3. INFORMATION SECURITY EDUCATION

With the introduction of electronic delivery channels, customers do not need to visit bank branches physically to conduct banking. This has intensified the challenges of authenticating customers. Moreover, fraudsters are designing and using more advanced techniques to impersonate users and gain illegal access to customers' accounts. To prevent illegal users from accessing the banking system, it has become essential to educate customers well on how to conduct banking operations securely. To create effective information security practice, it is also important to educate other stakeholders, including the bank's employees.

4. INFORMATION DISCLOSURE AND GRIEVANCE HANDLING

Banks should clearly provide information about the services, cost, security features, risks and benefits of the electronic banking environment. Precise information about the responsibilities, obligations and rights of customers and the bank regarding electronic transactions should be delivered to customers.

5. OUTSOURCING MANAGEMENT

It has become quite common for Nepalese banks to outsource some or all of their IT functions. Inter-branch communication, software, hardware and other technical and administrative functions are commonly outsourced by Nepalese banks. Emerging technologies such as virtualization, Data Centre and Disaster Recovery Site outsourcing are also becoming popular. Whatever the reasons for outsourcing, the bank has the responsibility to ensure that its service providers are capable of delivering a level of performance, service reliability, capability and security that is at least as stringent as it would expect for its own operations.

6. IT OPERATIONS

IT infrastructure has been developed and grown in banks over a few years and is used to support the processing and storage of information in banks. IT should be operated to ensure timely, reliable and secure information.

7. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND IMPLEMENTATION

Much software fails due to inadequate system testing and bad system design. Applications that handle customers' financial information should, inter alia, satisfy security requirements. Deficiencies in system design should be recognized at an early stage of software development and during software testing.

8. BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING

The role of the banking sector in economic growth and stability is vital and requires continuous and reliable service. The introduction of electronic delivery channels and 24/7 service availability has increased the demand for a Business Continuity Planning (BCP) framework comprising all critical aspects of people, process and technology. Business continuity should be designed to minimize financial, operational, legal, reputational and other risks; it includes policies, standards and procedures to ensure continuity, resumption and recovery of business processes and to minimize the impact of a disaster. A business continuity plan generally incorporates business impact analysis, recovery strategies, the business continuity plan itself, as well as testing, training, awareness, communication and a crisis management program.

9. IS AUDIT

Since the increasing complexity of the IT environment in banks has created significant risk, banks need comprehensive risk management comprising various standard internal control frameworks, the bank's own requirements and NRB requirements. To ensure the effectiveness of the implemented controls framework and the adequacy of the adopted security plan and procedures, banks should conduct an IS audit annually.

10. FRAUD MANAGEMENT

Nepalese banks are using electronic delivery channels to provide banking services. The increased use of Internet banking, mobile banking, payment cards (debit and credit cards) and ATMs is also creating the risk of electronic fraud in the banking system. [Bank Supervision Department, 2012]


3.2 Challenges for Nepal in Implementing IS Audit

Nepal is a developing country. Although Nepal lags in other infrastructure, it has achieved significant development in the IT sector. Most of the government and non-government sectors in the country have incorporated IT in their information systems. Nowadays, information systems play a central role in every sector of the country, such as the government sector, banking sector and business sector. With the advent of IT come both opportunity and risk. Although most companies use IT as the main backend for their information systems, they are either unaware of the risks involved or ignore them because of a lack of IT guidelines and policy for the information system. The unseen risk in the IT system poses a great threat to the information system. The threat to the information system is not limited by a country's geographical boundary: since IT has connected information systems across the whole globe, a threat can originate from any place in the world. Therefore one must be prepared to tackle the unseen risk in the information system. The challenges of implementing IS audit in Nepal are as follows:

- To model suitable information system audit guidelines that are appropriate for Nepal and can be well implemented in the Nepalese context.
  o If we try to implement a model from elsewhere in the world, it may not fit Nepal exactly, because some sectors may not be able to install high-cost IT infrastructure. In addition, due to the ongoing energy crisis in the country, it may require high investment in backup setups for the uninterrupted supply of power to IT devices.
- To find skilled manpower who can carry out information system audits well. Although the country has a lot of skilled manpower in the IT field, it lacks professionals who can conduct audits of information systems.
- To convince higher-authority personnel who are in the decision-making process. It is hard to convince higher-authority personnel who are from a non-technical background and who are not well acquainted with the contemporary IT-savvy world.

4. Discussion and Recommendation


4.1 Discussion

A standardized framework of IT governance is very important to minimize risk and get the maximum output from information systems. Information systems are integrated into the overall business processes. The performance of any firm is reflected in how well it uses its information systems. To check the compliance of the information system and avoid risk hazards, a periodic IS audit is necessary. COBIT incorporates business-focused, process-oriented, controls-based and measurement-driven characteristics. The information system must not deviate from the mission, objectives and core values of the firm if the long-term vision of the firm or organization is to be achieved. These systems exist to enhance processes in an efficient way, minimizing cost and time. By using IS, the quality of products and services must be upgraded, and all of this effectiveness and enhancement must be measurable too. Though Nepal lags behind in other infrastructure, its achievement in the development of the IT sector is very significant and praiseworthy. Most of the government and non-government sectors in the country have incorporated IT into their information systems. Nowadays, information systems play a central role in every sector of the country, such as the government sector, the banking sector and the business sector. With the advent of IT come both opportunity and risk. Although most companies use IT as the main backend for their information systems, they are either unaware of the risks involved or ignore those risks because of the lack of IT guidelines and policy for the information system. The unseen risk in the IT system poses a great threat to the information system. The threat to an information system is not limited by a country's geographical boundary. Therefore one must be prepared to tackle the unseen risk in the information system. Proper guidelines for IS audit should be made, and IS audit must be implemented in all sectors of Nepal, not only in the banking sector.

4.2 Recommendation

There is no doubt that proper use of information systems will enhance the overall performance of businesses, organizations and firms. Any flaw or inefficiency in an information system is far riskier than the benefits being achieved are valuable. To reduce the risk hazards from the information system, proper IS audit guidelines must be adopted in businesses, organizations and firms. IS audit must comply with the current environment of the country. The governing body must make standard guidelines, so that the firms under that body can adopt similar models. The framework of IS audit is very important for all managers to know, as information systems are the backbone of all organizations. In the case of Nepal, IS audit is a totally new concept. The need for IS audit is increasing due to the increasingly complex information systems adopted by organizations and firms. Some recommendations are as follows:

• Government policies must be made to increase IS audit human resources.
• Appropriate and feasible-to-implement models of information system audit guidelines must be prepared for the context of Nepal.
• Training programs for IS audit must be introduced for IT professionals.
• Higher authority levels must be made aware of information system auditing.


5. Conclusion
Nowadays, the use of information systems is found everywhere. With the advent of IS come both opportunity and risk. A standardized framework of IT governance is very important to minimize risk and get the maximum output from information systems. Information systems are integrated into the overall business processes. The performance of any firm is reflected in how well it uses its information systems. To check the compliance of the information system and avoid risk hazards, a periodic IS audit is necessary. COBIT incorporates business-focused, process-oriented, controls-based and measurement-driven characteristics. The information system must not deviate from the mission, objectives and core values of the firm if the long-term vision of the firm or organization is to be achieved. These systems exist to enhance processes in an efficient way, minimizing cost and time. By using IS, the quality of products and services must be upgraded, and all of this effectiveness and enhancement must be measurable too. NRB has issued IT Guidelines to be implemented by the commercial banks of Nepal. The objectives of the IT guideline of NRB (Nepal Rastra Bank, the central bank of Nepal) are to promote sound and robust technology risk management and to strengthen system security, reliability, availability and business continuity in the commercial banks of Nepal. Banks must comply with this guideline within two years from the date of issuance. An action plan (along with a time frame for each action) for the implementation of the guidelines should be developed and provided to the Bank Supervision Department, Nepal Rastra Bank, within six months of issuance. Hence, due to the increase in the complexity of information systems, IS audit is necessary to avoid risk hazards and to enhance the performance of information systems so that they yield more efficiency and competitive advantage.


