System is like human body

Types of system :
1) Element
abstract - system/model based on ideas.
physical set of tangible elements that operate together to get goals.
2) Interactive behavior
Open interact with environment, usually information systems are open
Closed rare in business area but common in day to day life
3) Degree of human intervention
Manual completely by human effort, data collection, maintenance etc.
Automated- very less human intervention
4) Working/Output Deterministic operates in a predictable manner, eg. Computer program
Probabilistic eg. Set of instructions given to human where certain degree of error is always attached.
Entropy quantitative measure of disorder in a system.
Negative entropy maintenance input to offset the entropy
Eg. Entropy user dissatisfaction with features
Negative entropy program enhancements
Reasons for using computers in business area storing and handling huge data, quick retrieval, efficient
transportation, accurate processing etc.
Model of system

_______Feedback______

Input Processing Output

Storage

System Environment world outside system boundary

Subsystem eg. Computer system, subsystems would be input units, CPU, storage units etc.
Interfaces Interaction between subsystem, interconnection between them
Subsystems to Systems (the way it should exist):1) Decomposition eg. Information system divided into sales, inventory, production, personnel and
payroll, purchasing, planning, accounting etc. Personnel and planning further divided into calculation of
pay, preparation of payroll register, cheque printing etc.
2) Simplification organizing subsystems to reduce interconnection numbers.
3) Decoupling eg. Raw material system said to be tightly coupled if input directly put to production, the
moment it arrives. Here raw material delivery must be precisely timed.
4) Standards setting universal standard reduces interaction between departments to negotiate standard
codes.
Supra system system formed by a system and other equivalent systems with which it interacts.
System stress, system change To achieve goals there is system stress on subsystems, system change will
accommodate the stress.

Information Data that has been put into a meaningful and useful context.
Attributes of useful information
1) availability at time of need
2) purpose- must have a purpose to the person transmitted to, otherwise it is simple data.
3) Mode and format visual, verbal etc., format as per what needed, assisting in what person wants.
4) Decay value of information decays with time, so it should be refreshed. Eg. Cricket score.
5) Rate Transmission rate should be near to same as what recipient wants.
6) Frequency 7) completeness 8) reliability 9) validity 10) Quality 11) transparency
Types of information :
internal - production figures, strategy etc. flowing within management.
External govt. policies, competition etc.
Use of information systems effective decision making, gain edge in competitive environment, solving problems,
developing strategy etc.
Factors on which information requirement depends :1) Operational function eg. Marketing would require information on consumer behavior while production
would require on targets and R & D on new innovative tech in the market etc.
2) Types of decision making
a. programmed eg. Set procedure for billing, production etc.
b. non programmed eg. Problems like sudden change in govt. law. Drastic decline in demand etc.
3) level of management activity top level requires info on decision making like fund raising, location of plant
etc., middle level required for tactical/operational decisions, lower level to follow specified tasks effectively
and efficiently.
CBIS computer based information system
Hardware, software, data, procedures, people
Departments using CBIS like finance dept for easy account record maintenance, reports etc., creditor/debtor
management etc., sales dept. to keep track of orders, warranty, comm. To salesmen, production dept. for machine
repair maintenance, waste control, cost control.. Others that use are advertising, inventory, HR depts. etc.
Information systems
1) OSS Operation support system improve operational efficiency
2) MSS management support system
3) OAS office automation system
OSS
TPS - Transaction Processing systems
MIS - Management information systems
ERP - Enterprise resource planning

TPS manipulate data from business transaction, i.e. capture data, organize, process files, generate info in reports
etc
- Components input eg. Customer order, purchase order, sales etc.
processing sales journal, purchase journal, record entries, registers etc.
storage
output eg. Customer invoice is output for purchase order
-

Features of TPS
1) consists of large data volume
2) automation of basic operations
3) benefits easily measurable
4) source of input for other systems

MIS Assist manager in decision making. Designed to provide accurate relevant and timely info for decision making.
- Characteristics of an effective MIS
1) Management oriented dedicated to whole management needs etc.
2) Management directed should be directed by management
3) Integrated tying subsystems into one unit for information gathering
4) Heavy planning MIS takes 3-5 years to be established. So everything needs to be considered.
5) Computerized makes MIS better and effective than manual.
6) Subsystem concept should also be maintained
7) Common database
- Misconceptions of MIS
1) That MIS is about use of computers
2) More data in report means more information for managers it is not quantity but relevance that matters,
3) Accuracy in reporting is very important at operating level it is true, but fair presentation otherwise is
acceptable for decision making eg. For project cost management does not want to know figures till the
exact paisa.
- Prerequisites of effective MIS Database, qualified system and management staff, support of top
management, control and maintenance, evaluation.
- Constraints of MIS non availability of experts, design and implementation is very long process and non
standardized, support from staff is crucial problem.
- Advantages and limitations of MIS pg. 1.28 , 1.29
ERP Fully integrated business management system that integrates core business and management processes to
provide an organization a structured environment, and to make decisions backed by accurate and reliable real time
data.
- Objectives provide support for adopting best business practices, and then we use them to enhance
productivity and empower customers.
- ERP integrates various business processes Business system, production (planning, control etc.),
maintenance (eg. Plant maintenance), quality control, marketing, finance, personnel etc.
- Myths ERP is a computer system
1) Even though computer is an integral part, it mainly focuses on an enterprise wide mission, objectives,
beliefs, values etc.
2) ERP is relevant for manufacturing organizations only.
- Characteristics Flexible, open, integrated, best business practices.
- Features and limitations of ERP pg. 1.32, 1.33
- Advantages Better use of resources, lowering operational costs, proactive decision making, enhanced
customer satisfaction, flexibility in business operations.

MSS
DSS Decision support system generate relevant info for managers to make decisions.
EIS/ESS Executive information system
Expert system
DSS
- System Define problem Frame into DSS model use it to obtain results reformulate problem
- Characteristics Supports semi structured and unstructured decision making, flexibility to adapt to needs,
ease of use.
- Components :1) User involving usually a manager or analyst (for complex)
2) Databases Implementation of database is done at three levels
a) Physical level, that is storage on hard disk.
b) Logical level rows, columns, indexes, scheme of data, connections etc.
c) External level
3) Planning language general purpose and special purpose (SAS, SPSS)
4) Model base brain of DSS
EIS Executive is usually a manager or someone like chief info officer (CIO)
- Characteristics of EIS Pg. 1.44
- Characteristics of type of info used in EIS lack of structure, high degree of uncertainty, future orientation,
informal source, low level of detail.
Expert system - Highly developed DSS, software system powered with knowledge of experts to make decisions in
the specified field. Eg. Accounts and finance tax advice etc., general business project proposal advice etc.
- Need for expert system Experts are scarce. They cant be present everywhere.
- Benefits of expert system pg. 1.44
- Components of expert system
1) Knowledge base
2) Influence engine manipulates knowledge base and provides decision to user as per the query.
Forward and backward, eg. Find cure for patients disease or find disease from symptoms.
3) Knowledge acquisition subsystem (KAS) designing and maintaining expert system.
4) User interface
OAS
- operations Document capture recording incoming mail, chart etc., document creation, calculations,
recording utilizations of resources etc.
- benefits of OAS pg. 1.47
- computer based OAS
a) text processors and related systems
b) electronic document management systems
c) electronic message communication systems
d) teleconferencing and video conferencing systems.

SYSTEM DEVELOPMENT LIFE CYCLE METHODOLOGY

System development components : System Analysis and System Design
System Analysis process of gathering and interpreting facts, diagnosing problems etc. and using it to recommend
improvements to the system.
System Design process of planning a new business system.
Before planning can be done, one must thoroughly understand the old system and determine how computers can be
used to make its operation more effective.
Why organizations fail to achieve their system developments objectives
1) lack of senior management support and involvement
2) shifting user needs when these changes occur during a development process, strategic decision making
being unstructured, the objectives for such development projects are difficult to define.
3) Personnel not familiar with new technology
4) Lack of standard system development methodologies
5) Over worked or undertrained development staff
6) Resistance to change
System Development Team :- consists of computer professionals, key users, system analysts.
Systems Development Methodology
Project is divided into a number of identifiable process and each process has a starting and ending point. Specific
reports and other documentation called Deliverables must be produced periodically to make development personnel
accountable. Users, managers and auditors are required to participate in the project, which, if proper provide
approvals called signoffs. Testing the system prior to implementation to ensure that it meets users needs. A training
plan is developed for those who will operate and use the new system. Program change controls are established to
prevent unauthorized changes to computer programs. A post implementation review of all developed systems must
be performed to assess the effectiveness and efficiency of the new system.
Approaches to system development
Since organisations vary from each other, there exists different approaches. These approaches are not mutually
exclusive, so a combination of these can be used. The approaches are as follows :- Tradtional / Waterfall Linear framework type
- Prototyping Iterative framework type
- Incremental combination of linear and iterative
- Spiral - combination of linear and iterative
- Rapid Application Development (RAD) iterative type
- Agile Methodologies
Tradtional / Waterfall Approach
Used on small projects. An activity is undertaken only when prior activity is completed.
Steps preliminary investigation > requirement analysis > system design > system development > system testing >
implementation and maintenance.
Strengths
1) orderly sequence of development steps ensures quality, reliability, maintainability of the developed software
2) progress of system is measurable
3) conserves resources.
Weaknesses Inflexible, slow, costly. Little room for use of iteration. Problems are often not discovered till system
testing. Difficult to respond to changes.

Prototyping Model
Goal of this approach is to develop a small version of the system called a prototype. It is built quickly and at lesser
cost. As users work with the system, they make suggestions to improve it which is incorporated into another
prototype, which is also used and evaluated and finally a prototype is developed that satisfies all user requirements
which is either turned into the final system or scrapped. If scrapped, the knowledge gained in building the prototype is
used to develop the real system.
Unlike traditional approach, here the design team needs only fundamental system requirements to build the initial
prototype. Prototyping is not commonly used for developing traditional applications where the inputs, processing and
outputs are well known and clearly defined. Eg.A/P, A/R, payroll, inventory management etc.
Steps Identify requirements, develop initial prototype, test and revise, obtain user signoff of approved prototype.
Strengths
1) Improves both user participation in system development
2) encourages flexible designs
3) provides quick implementation of an incomplete but functional application.
4) Better definition of users needs.
5) Errors are hopefully detected and eliminated early in the developmental process.
Weakness approval process and control are not strict, requirements may frequently change, since prototype is
messed with quite extensively the developers are tempted to minimize testing and documentation process resulting
in risk of inadequate testing, it may cause dissatisfaction among users when they have to deal a lot with interactions
and still their needs are not met.
Incremental Model
A method where the model is designed, implemented and tested incrementally until the product satisfies all of its
requirements. It is divided into a number of components, each of which are designed and built separately and
delivered to the client when it is complete.
Steps Requirements >> design >> implementation and unit testing >> integration and system testing >> operation
Strengths
1) Potential exists for exploiting knowledge gained in an early increment during development of later
increments.
2) Stakeholders can be given concrete evidence of project status.
3) More flexible, less costly.
4) Gradual implementation helps monitor the changes and make adjustments before organization is negatively
impacted.
Weakness focusing only on individual modules diverts the focus from overall business problem, problems
pertaining to the system architecture may arise because not all requirements gathered in the start for entire software
lifecycle, difficult problems tend to be allotted to future to show early success.
Spiral Model
Combines the feature of prototyping and waterfall model. It is fit for large expensive and complicated projects.
Steps
1) the system requirements are defined in detail by interviewing a number of users representing all external or
internal users.
2) a preliminary design is created, all possible alternatives that help in developing a cost effective project are
analyzed, identify risks, if risks indicate uncertainty in requirements prototyping may be used.
3) a first prototype of the system needed is constructed from the preliminary design.
4) a second prototype is then made after evaluating the first prototype and by defining the requirements,
planning and defining, constructing and testing the second prototype.
Strengths enhances risk avoidance
Weakness quite complex , requires skilled and experienced project manager, no established control without which
each cycle may generate more work for next cycle

Rapid Application Development (RAD)

Planning of software is integrated with writing the software itself which allows software to be written much faster and
makes it easier to change requirements. Objective is fast development and delivery of a high quality system at low
cost. Key emphasis on fulfilling business need while technological excellence are of lesser importance.
Project Control if project starts to slip emphasis is on reducing requirements to fit the time box, not in increasing the
dead line.
Strengths 1) operational version of software is available much earlier. 2) quick initial reviews. 3) ability to rapidly
change design as demanded by users.
Weakness more speed and low cost may lead to lower system quality, project may end up with more requirements
than needed, potential for violation of programming standards and inconsistent designs, difficult problems pushed to
future to show early success.
Agile Methodologies
Criticism that all previous methodologies lay more emphasis on following procedures, structure and preparing
documentation led to the making of this conceptual framework. Softwares are developed in short time boxes called
iterations. Each iteration is like a miniature software project of its own and includes analysis, design, testing,
documentation, etc. An agile software project intends to be capable of releasing new software at the end of every
iteration. This way the customer gets continuous delivery of useful and usable system.
Characteristics of agile methodology :- iterative, time bound cycles, people oriented, collaborative and
communicative working style.
System Development Life Cycle
It consists of a set of steps or phases in which each phase of the SDLC uses the results of the previous one.
Advantages 1) Better planning and control 2) Ensures better quality by compliance to prescribed standards 3)
proper documentation
Advantages of SDLC system for IS Auditor 1) IS auditor can have clear understanding of the various phases with
the help of detailed documentation created during each phase of SDLC. 2) he can be a guide during the various
phases of SDLC.
Disadvantages of SDLC 1) development team may find it cumbersome 2) users may find the end product is not
visible for a long time 3) rigidity of the approach 4) not suitable for small and medium size business.
SDLC is a set of activities that analysts, designers and users carry out to develop and implement an information
system.
Phases in SDLC preliminary investigation >> systems requirement analysis >> systems design >> systems
development >> implementation >> post implementation review and maintenance.
Preliminary Investigation
To determine and analyze the strategic benefits in implementing the system through evaluation of productivity gains,
cost savings etc. Phases
1) identification of problem by discussions with users. Prevalence within organization is assessed. Example of
problem is outdated system. For the analysts, identification of problem includes understanding project
requests, assessing costs and benefits of alternative approaches, and report findings to the management
with recommendation on accepting or rejecting proposal.
2) Identification of objective work out the objectives of the proposed solution, example problem railway
ticket booking queue.. objective online booking.
3) Delineation(precise description) of scope the following questioned should be answered what
functionalities will be delivered through the solution, what data is required to achieve these functionalities,
control, reliability and performance requirements, describing constraints.
While drawing out a response, addressing project initiators concerns should be the basis of the scope and
not users, as different users have different views. Example initiator = member of senior management and
users = from the operating levels. Development organization has to clearly quantify the economic benefits to

the user org. Impact of solution on org. is to be understood. Solutions which have a wide impact are likely to
be met with greater resistance.
4) Project feasibility - the likelihood that the proposed systems will be useful for the org. evaluating alternative
systems through cost/benefit analysis. The feasibility study of a system is evaluated under following
dimensions :Technical : is the technology needed available, guarantee of success, reliability etc.
Financial : is the solution viable financially
Economic : return on investment, cost/benefit analysis, cost including development, operating intangible
cost
Schedule/time : can the system be delivered on time.
Resources : are human resources reluctant for the solution, example reluctance of skilled persons to
move to non metro locations.
Operational : how will the solution work, concerns with the views of employees, customers, suppliers and all
related people who need to work through the system.
Legal : is the solution valid in legal terms.
5) Reporting results to management.
System requirement analysis
Objectives detailed understanding of current system, identify areas that need modification to solve the problem.
Activities performed in this phase identify stake owners expectations and resolve their conflicts, analyze
requirements to detect and correct conflicts, gather data or find facts, model and document activities.
Document/Deliverable : a system requirements report.
Fact finding techniques - are various fact finding techniques used by the system analyst. Needs/ requirements of
users like the need to operate at low cost, better info for managers etc. are :1) Documents it includes diagrams of how current systems work, procedure manuals of current system etc.
2) Questionnaires
3) interviews provide developers and analysts with complete picture of the problems and opportunities.
4) Observation observing how users react to the prototypes of a new system.
Analysis of the present system
1) Review historical aspects identify major turning points that influenced growth, investigate system changes
in the past and have they been successful or unsuccessful.
2) Analyze inputs system analyst should know various sources of data collection and understand the nature
of each data which is contained in it and who prepared it etc. only then he will be able to determine how
these inputs fit into the framework of the present system.
3) Review data files maintained the analyst should investigate data files maintained by each dept., where
they are located and who uses them, cost of retrieving and processing the data etc.
4) Review methods, procedures and data communications a method is defined as a way of doing something;
a procedure is a series of logical steps by which a job is accomplished. Method and procedure transform
input data into useful output. System analyst also needs to understand the present data communication
used including data interface, modem etc.
5) Analyze outputs understand what information is needed when, why and by whom.. how long it is kept on
file etc.
6) Review internal controls analysis of the present system of internal controls may indicate weaknesses that
should be removed in the new system which could include implementing advanced procedures and
technology.
7) Model the existing physical system and logical system this organizes the facts and helps disclose gaps
and duplication in the data gathered.
8) Undertake overall analysis of present system.

Systems analysis of the present system

The specifications of proposed system must be clearly defined, filling in gaps of present system. Proposed system
should ensure timely reports, proper database maintenance, well defined controls etc.
System development tools
Many tools and techniques have been developed which help analysts to deal with the activities, management
decision making and information systems in an organization.
Categories of major tools used for system development
1) System components and flows flow charts show the flow of data media processed by the hardware and
manual activities.
2) User interface layout forms etc.
3) Data attributes and relationships they include, data dictionary - cataloguing the description of
characteristics of all data elements and their relationships to each other as well as to external systems, entity
relationship diagrams used to document the number and type of relationship among the entities in a
system, file layout forms documents the type, size and names of data elements in a system, grid charts
help in identifying the use of each type of data element in input/output or storage media in a system.
4) Detailed system process used to help the programmer develop detailed procedures required in the design
of a computer program. Use of decision trees and decision tables. Some of these tools in detail
a) Structured English /program design language/pseudo code is the use of English language with the
syntax of structured programming. Thus benefits of both the programming logic and natural language. It
consists of 3 elements operational statements written as English phrases, conditional blocks such as
IF, THEN, ELSE.., repetition blocks such as DO, WHILE, UNTIL etc.
b) Flowcharts graphic technique that can be used by analysts to represent the inputs, outputs and
processes of a business in a pictorial form. Types of flowcharts 1) document flowchart showing a
document flow through systems. 2) data flowchart showing data flow in a system 3) system flowchart
showing controls at a physical or resource level. 4) program flowchart showing controls in a
program within a system.
Benefits of flowchart better way of communicating, problem can be analyzed in more effective way,
serves as a good program documentation, helps in debugging process, efficient program maintenance
Limitations when program logic is quite complicated flowchart becomes complex, if alterations are to
be made then flowchart needs complete
c) Data Flow Diagrams a data flow diagram uses few simple symbols to illustrate the flow of data among
external entities, processing activities and data storage elements. A DFD is composed of four basic
elements: Data Sources and Destinations, Data Flows, Transformation processes, and Data stores.
d) Decision Tree uses a tree-like graph or model, of decision and their possible consequences. It is used
in operations research, to help identify a strategy most likely to reach a goal and to calculate conditional
probabilities.
e) Decision Table is a table which may accompany a flowchart, defining the possible contingencies that
may be considered within the program and the appropriate course of action for each contingency. The
four parts of the decision table are as follows >> 1) Condition Stub lists the comparisons or
conditions. 2) Action tub lists the actions to be taken along the various program. 3) Condition entries
the possible permutations of answer to the question in the conditions stub. 4) Action entries lists the
actions contingent upon the set of answers to questions of that column.
f) CASE Tools Computer-Aided-Software Engineering refers to the automation of anything that humans
do to develop systems and support virtually all phases of traditional system development process.
g) System Components matrix provides a matrix framework to document the resources used, the
activities performed and the information produced by an information system.
h) Data dictionary dictionary is a computer file about data. For auditors and accountants a data
dictionary can help establish an audit trail. A data dictionary can also be used to plan the flow of
transactions data through the system.

System Specification
At the end of the analysis phase, the systems analyst prepares a document called Systems Requirement
Specification containing:Introduction goals and objectives of the software context.
Information Description - problem description, flow and structure, Hardware, software, human interfaces for external
and internal system elements.
Functional Description design constraints, diagram of functions.
Behavioral Description response to external events and internal controls.
Validation Criteria classes of tests to be performed to validate functions, performance and constraints.
Appendix detailed description of algorithms charts, graphs and other such material.
SRS Review SRS document presentation sent to user for review by the development team.
Roles in SDLC
Steering Committee
a) To provide overall direction.
b) To be responsible for all cost and timetables.
c) To conduct a regular review of progress.
d) Taking corrective actions like rescheduling, re-staffing, etc.
Project Manager is responsible for more than one project. He is responsible for delivery of the project within the
time and budget, and periodically reviews the project.
Project leader is dedicated to a project and reviews the project more frequently than a Project Manager.
Systems Analyst conduct interviews with users and understand their requirements and acts as a link between the
users and the programmers.
Team Leader a project is divided into several modules and responsibility for each module is assigned to Team
Leaders.
Programmer /Coder/Developer
Database Administrator
Quality Assurance
IS Auditor
Systems Design
System Design involves first logical design and then physical construction of a system. The logical design is like
blueprint, shows major features of the system and how they are related. Physical construction produces program
software, files and a working system. The design phase involves following steps :1) Architectural design deals with hierarchy of modules and sub modules like identification of major modules,
function and scope of each module, interface features etc. Architectural design is made with the help of a
tool called functional decomposition. It has 3 elements modules, connection and couples.
Couple data element that moves from one module to another.
2) Design of data
3) Design of database design of database involves four major activities
a) Conceptual Modeling These describe attributes, constraints and relationships of entities.
b) Data Modeling Conceptual models are translated into data models to be accessed by both high-level
and low-level programing languages.
c) Storage Structure Design decision on how to partition the data structure so that it can be stored on
some device.
d) Physical Layout Design decisions on how to distribute the storage structure across locations.

4) Design of User Interface important factors in input/output design: which should be considered by the
system analyst while designing user input/output forms.
a) Content collects data relevant to generate desired user outputs. Define clearly the reports in output
forms sorting out data as per user need.
b) Timeline a plan must be established regarding when different types of inputs will enter the system.
Output to be designed as per user need of daily/weekly/regular, etc. report requirement.
c) Format overcoming input format constraints eg. data field length etc. For output formats of reports
should assist in decision making, identifying/solving problems, taking corrective action etc.
d) Media devices on which to input media keyboards, touch pen, magnetic tape, etc. and output media
projectors, paper voice output etc.
e) Form pre-printed papers that require people to fill in responses in a standardized way.form of the
output to be decided keeping in requirements of users.
f) Input/output Volume input volume amount of data that has to be entered in the computer system at
any one time. Amount of data output required at any one time is known as output volume so better to
use high speed printers and fast processing computers.
5) Physical Design in physical design logical design is transformed into units and decomposed further into
programs and modules. Some physical design principles are
a) Design two or three alternatives and choose the best one.
b) Design should be based on the analysis.
c) Functions designed should be directly relevant to business activities.
d) Designs should follow standards laid down.
e) Design should be modular.
Modularity is measured by two parameters: cohesion and coupling. Cohesion refers to the manner in which
elements within the module are linked. Coupling is the measure of the interconnection between modules. In
a good modular design, cohesion will be high and coupling low.
6) Design of the Hardware
System Acquisition
After design development starts which includes acquisition of hardware, software and services. Management should
establish acquisition standards and should focus on things like ensuring security, reliability, etc.
Acquiring Systems Components from Vendors:1) Hardware acquisition from vendors includes installation and maintenance any.
2) Software acquisition from development team.
3) Contracts, software licenses and copyright violations software license grants permission to do things with
computer software. Use of unlicensed software or violation may lead to litigations.
4) Validation of vendors proposals rank proposals from vendors and choose the most useful one.
5) Methods of validating the proposal
a) Checklists: choose the vendor who satisfies with maximum of our condition.
b) point-scoring analysis allocating points on each requirement, for each vendor, on a scale of 10 and
choosing the vendor with highest cumulative points.
c) Public Evaluation Report s Comparing performance of different manufacturers from consulting
agencies.
d) Bench marking problem for vendors proposals Testing whether a computer offered by the vendor
meets the requirement of the job on hand of the buyer.
e) Test problems test the capabilities of the hardware, software or system example, time required to
execute an instruction.

System Development
To convert the specification into a functioning system. Programs are written, tested and documented.
1) Program Coding Standards serves as a method of communication between teams and provide, simplicity ,
efficient utilization of storage and least processing time .
2) Programming Language commonly used are high level such as COBOL and C, Object oriented
languages such as C++, JAVA etc., Scripting languages like JAVAScript, VBScript.
3) Choice of programming language - depends entirely on requirements of user and accordingly which would
suit in best.
4) Program Debugging which refers to correcting programming language syntax and errors so that the
program compiles cleanly. Debugging is a tedious task. Steps >> 1) inputting the source program to the
computer, 2) letting the compiler find errors in the program, 3) correcting lines of code that are erroneous,
4) resubmitting the corrected source program as input to the compiler.
5) Test the program
6) Program documentation managers and users should review documentation to ensure that software and
system behave as per the documentation indicates. If not, documentation should be revised. Documentation
should be prepared in such a way that the user can clearly understand the instructions.
7) Program maintenance
System Testing
Testing is a process used to identify the correctness, completeness and quality of developed computer software.
Testing cannot show the absence of defect, it can only show that software defects are present. Different levels of
testing are
1) Unit Testing is a software verification and validation method in which a programmer tests if individual units
of source codes are fit for use. A unit is the smallest testable part of an application which may be an
individual program, function, procedure, etc. Five categories under unit testing are:- functional tests,
performance tests, stress tests, structural tests example if a function is responsible for tax calculation,
the verification of the logic is structural test., parallel tests same test data is used in the new and old
system and the output results are then compared.
Types of Unit Testing
a) Static analysis testing desk check, code inspection, etc.
b) Dynamic analysis testing
1) Black box testing takes an external perspective of the test object to derive test cases. These tests
can be functional or non-functional, though usually functional. Test designer selects valid and
invalid inputs and determines the correct output. This method of test design is applicable to all
levels of software testing : unit, integration, functional testing, system and acceptance. The higher
the level, hence the bigger and more complex the box, the more one is forced to use black box
testing to simplify.
2) White box testing uses an internal perspective of the system to design test cases based on
internal structure. Tester chooses test case inputs to exercise paths through the code and
determine the appropriate outputs. Since the tests are based on actual implementation, if the
implementation changes, the tests probably will need to change. It is applicable at the unit,
integration and system levels of the testing process. While it normally tests path within a unit, it can
also test paths between units during integration, and between subsystems during a system level
test.
3) Gray box testing a combination of black box testing and white box testing. Here the tester applies
a limited number of test cases to the internal workings of the software under test. In the remaining
part of the gray box testing, one takes a black box approach in applying inputs to the software
under test and observing the outputs.

2) Integration Testing individual software modules are combined and tested as a group. It occurs after unit
testing and before system testing. Its objective is to evaluate the connection of two or more components that
pass information from one area to another. Steps :a) Bottom-up integration traditional strategy and consists of unit testing, followed by sub-system testing,
and then testing of the entire system.
b) Top-down integration read
c) Regression testing - read
d) System testing software and other elements are tested as a whole after software is operational. But
these test procedures are often performed in a non-production environment. Its types are recovery
testing, security testing, stress or volume testing, performance testing.
e) Final accepting testing conducted when system is just ready for implementation. Two major parts are
Quality assurance testing, User acceptance testing.
System Implementation
Process of ensuring that the information system is operational and then allowing users to take over its operation for
use and evaluation is called systems implementation.
Activities during Implementation Stage
1) Equipment installation a) site preparation site where equipment needs to be set up according to the
need of equipments users, b) installation of new hardware/software, c) equipment checkout equipment
must be turned on for testing under normal operating conditions.
2) Training personnel
3) System implementation conversion strategies process of changing from the old system (manual system)
to the new system. Four types of implementation strategies are as follows :
a) Direct implementation complete changeover to new system from old system though a break is given
in between for production so that new system can be installed easily.
b) Phased implementation the new system is brought in stages (phases). Each phase is successful then
the next phase is started, eventually leading to the final phase when the new system fully replaces the
old one.
c) Pilot implementation the new system replaces the old one in one operation but only on a small scale.
Example it might be tried out in one branch of the company or in one location. If successful then is
extended until it eventually replaces the old system completely.
d) Parallel running implementation most secure method with both systems running in parallel over an
introductory period, both being able to operate independently. If all goes well, the old system is stopped
after sometime and new system carries on as the only system.
Activities involved in conversion
1) Procedure conversion operating procedures documentation for the new system must be clearly spelled
out. Information on input, data files, methods, procedures, output, and internal control must be presented
clearly.
2) File conversion file conversion programs must be thoroughly tested. Existing computer files should be kept
for a period until needed for back up.
3) System conversion all transactions initiated after this period is processed on the new system.
4) Scheduling personnel and equipment.

Post Implementation review and System maintenance

Post implementation review answers the question did we achieve what we set out to do in business terms?
1) Development evaluation whether the system was developed on schedule and within budget.
2) Operation evaluation whether the hardware, software and personnel are capable to perform their duties. It
is better if evaluation criteria are established in advance. Example criterion that a system capable of
supporting one hundred terminals should give response time less than two seconds, evaluation of this can
be done easily after the system becomes operational.
3) Information evaluation evaluated in terms of information it provides. Like other evaluations, this cannot be
measured in quantitative manner, so only thing that can be seen is how much the information provided by
system is supportive in decision making, etc.
System maintenance - Types of maintenance:1) Scheduled maintenance maintenance that is anticipated and can be planned for.
2) Rescue maintenance previously undetected malfunctions that were not anticipated but require immediate
solution.
3) Corrective maintenance deals with fixing bugs in the code or defects found.
4) Adaptive maintenance consists of adapting software to change in the environment.
5) Perfective maintenance accommodating to new or changed user requirements and functional
enhancements increase systems performance or to enhance its user interface.
6) Preventive maintenance
Operation Manuals
A users guide. Contents of operation manual :
1)A cover page, title page and copyright page 2) preface 3) contents page 4) troubleshooting section 5) FAQ 6)
contact details 7) glossary
Organizational structure of IT Dept.
Management :
Line Management structure information systems are built and operated on a day to day basis. Eg.
Top management > IS management > System Development Management > Data Administration > Operations
Management > Quality assurance management and so on..
Project management structure - project manager is given complete operational control of the project and
allocated appropriate resources. Eg.

Accounting
I
System Analysis
Programming

IS Manager
I
Production

Operations

CONTROL OBJECTIVES
Factors that an influence an organization towards implementing control and audit of computers are:1) Organization cannot suffer data loss. So control and audit become necessary.
2) Possibility of making decisions based on wrong data
3) Costs of computer abuse unauthorized access to computer systems, computer viruses etc.
4) Value of computer hardware, software and personnel
5) High costs of computer error Great damage may be caused if error occurs during critical business process
6) Maintenance of privacy
7) System efficiency and effectiveness objectives
Effect of computers on internal control with regards to:
1) Personnel whether or not the staff are trustworthy, if they have appropriate skills and training.
2) Segregation of duties an IT environment, the staff in computer department will have a detailed knowledge
of relationship between the source of data, how it is processed and distribution.
3) Authorization procedures to ensure that transactions are approved. Example: a supervisors signature
may be replaced by computerized authorization.
4) Record keeping control over protection and storage of documents, transaction details, audit trails, etc.
5) Access to assets and records in the past manual systems were protected from unauthorized access
through use of locked doors and filing cabinets. Computerized systems need to protect the data.
Internal controls comprise of five interrelated components:
1) Control environment which includes managements operating style, the ways authority and responsibility
are assigned, etc. methods used to plan and monitor performance, etc.
2) Risk assessment
3) Control activities
4) Information and communication
5) Monitoring
Effect of computer on audit -Two basic functions carried out to examine whether the business process activities are
recorded and reported according to the established standards are changes to Evidence Collection and changes to
Evidence Evaluation.
1) Absence of input documents data entered into the computer directly without supporting documentation.
Use of EDI will result in less paperwork being available for audit examination.
2) Lack of a visible audit trail absence of an audit trail will make the auditors job very difficult.
3) Lack of visible output in the absence
Responsibility of control - Planning:1) Long range includes setting goals, objective, identifying strengths and weakness, etc.
2) Long-range planning and IT departments develop and implement appropriate, cost effective internal
control for management, identify improvements, take corrective actions, report annually on internal control.
3) Short-range or tactical planning functions performed every day to support long term goals.
4) Personnel management controls includes job description, salary and benefits budget, recruiting standards
and criteria.
THE IS AUDIT PROCESS
IS audit process is to evaluate the adequacy of internal controls with regard to both computer programs and data
processing environment. Responsibility of IS auditor are:1) Sound knowledge of business operations, practices
2) Should possess the requisite professional technical qualification and certifications.
3) Good understanding of information Risks.

4) Knowledge of IT strategies, policy and procedure controls.

5) Good knowledge of Professional Standards.
Functions of IS auditor - Identifying:1) Inadequate information security. Example out of date antivirus controls, weak passwords, etc.
2) Inefficient use of corporate resources. Example huge spending on unnecessary IT projects.
3) Ineffective IT strategies, policies and practices
4) IT related frauds
Categories of IS auditor
1) Systems and application
2) Information processing facilities
3) Systems development
4) Management of IT
5) Telecommunications, intranets, and extranets
Steps in information technology audit
1) Scoping/pre audit survey background reading, previous audit reports, pre audit interview, observations,
etc.
2) Planning
3) Fieldwork gathering evidence by interviewing, investigating, reviewing documents
4) Analysis make sense of evidence gathered, SWOT
5) Reporting
6) Close winding up, preparing notes for future audits.
ISACA (Information Systems Audit and Control Association)
ISACA issued 16 auditing standards defining mandatory requirements for IS auditing and reporting, 39 auditing
guidelines, 11 IS auditing procedures. COBIT (control objectives for information and related technology) is a
framework containing good business practices relating to information technology.
ITIL (IT infrastructure library) is developed by OGC. It gives a detailed description of a number of important IT
practices that can be tailored to any IT organization. It consists of a series of books giving guidance on quality IT
services
Cost effectiveness of control procedures Implementing and operating controls in a system involves the following
five costs
1) Initial setup cost cost incurred to design and implement controls.
2) Executing cost cost associated with execution of a control.
3) Correction cost cost associated with correction of error or irregularity.
4) Failure cost losses due to undetected/uncorrected errors caused by control malfunctions.
5) Maintenance cost
Benefit of an internal control procedure must exceed its cost.
Objectives of control reduce or eliminate the causes of the exposure to potential loss. Some categories of
exposures are
1) Errors or omissions in data, procedure.
2) Lack of awareness and knowledge of IS risks and controls amongst users and IT staff.
3) Inadequate security functionality in technologies implemented.
Categories of controls1) Objective of controls
a) Preventive controls prevent an error, omission or malicious. Examples of preventive controls employ
qualified personnel, segregation of duties, documentation, training of staff, firewalls, anti-virus software,
and passwords.

b) Detective control examples of detective control echo control in telecommunications, cash counts
and bank reconciliation, monitoring expenditures against budgeted amount.
c) Corrective controls examples contingency planning, backup, report violations.
d) Compensatory controls
2) Nature of IS resource
a) Environmental controls air-conditioning, UPS, smoke detection, etc.
b) Physical access controls security guards, door alarms, video monitoring, etc.
c) Logical access controls encryption controls, tec.
d) IS operational controls
e) IS management controls
f) SDLC controls
3) Functional nature
a) Internal accounting controls controls intended to safeguard clients assets and ensure reliability of
financial records.
b) Operational controls ensure that operational activities are contributing to business objectives.
c) Administrative controls ensuring efficiency and compliance with management policies.
Control Techniques
1) Organizational Controls concerned with the decision making processes. Organizational control techniques
include documentation of: reporting responsibility and authority, definition of responsibilities and objectives,
policies and procedures, job description and segregation of duties.
2) Management Controls controls flowing from top of organization to bottom followed by senior management.
Controls shall include responsibility, an official IT structure, an IT steering committee.
3) Financial control techniques examples
a) Authorization obtain authority to access accounting records or making entries.
b) Budgets estimates of time and money to be spent and comparing with actuals and taking corrective
actions.
c) Cancellation of documents This mark a document in such a way to prevent its reuse.
d) Documentation
e) Safekeeping of assets and other important financial documents.
f) Segregation of duties
g) Sequentially numbered documents
4) Data Processing Environment Controls
5) Physical Access Controls
6) Business Continuity Controls
7) Application Control Techniques
8) Audit Trails when properly implemented, audit trails provide an important detective control to help
accomplish security policy objectives. Audit trails can be used to support security objectives in three waysa) Detecting unauthorized access to the system and also indicate changes in system which may indicate
virus, etc.
b) Facilitate the reconstruction of events example knowledge of conditions that led to system failure
can be used to build a system free of that defect.
c) Promoting personal accountability can help in singling out a responsible person.
User controls that are to be exercised for system effectiveness and efficiency:1) Boundary controls establishes interface between the user of the system and the system itself. Example:
system must ensure it has an authentic user. Boundary control techniques are: - cryptography: encryption
and decryption, passwords, personal identification number (PIN), identification cards.
2) Input control responsible for the data and instructions in to the information system. Since input controls
involve human intervention, they are error and fraud prone. Types of data coding errors are
a) Addition addition of an extra character in a code e.g. 54329 coded as 543219.

b)
c)
d)
e)
f)

Truncation omission of characters in the code.

Transcription recording wrong characters.
Transposition reversing adjacent characters.
Double transposition reversing characters separately by one or more characters.
Factors affecting coding errors as follow :1) Length of the code long codes are naturally prone to more errors.
2) Alphabetic numeric mix intermingling both alphabets and numerical would result in more errors.
3) Confusion between characters, such as between B and 8, I and 1, O an 0, etc.
4) Mixing uppercase/lowercase fonts
5) Sequence of characters should be maintained. Example using ABC instead of ACB.
3) Processing controls responsible for computing, sorting, classifying and summarizing data. Data
processing controls are:a) Run-to-run totals verifying data that is subject to process through stages.
b) Reasonableness verification comparing and cross verifying different fields. Example calculating and
verifying percentage of PF on gross pay with actual deduction.
c) Edit checks used to verify accuracy and completeness of data.
d) Field initialization
e) Exception reports generated to identify errors in data processed.
f) Existence/recovery controls
4) Output controls to provide functions that determine the data content, data format, timelines of data, etc.
a) Storage and logging of sensitive, critical forms
b) Spooling/queuing of data to be printed this queue should not be subject to unauthorized
modifications.
c) Control over printing of important data
d) Report distribution and collection control
e) Retention controls duration for which outputs should be retained before being destroyed.
5) Database controls responsible to provide functions to define, create, modify, delete and read in an
information system. Update controls are divided into update and report controls, like:a) Ensure all records on files are processed.
b) Maintain a suspense account.
Report controls
a) Print-Run-to Run control Totals which helps in identifying errors or from a transaction file.
b) Print suspense account entries.
SYSTEM DEVELOPMENT AND ACQUISITION CONTROLS
It include controls and auditors role for issues like problem definition, management of the change process, entry and
feasibility assessment, analysis of the existing system, formulation of strategic requirements (System Design),
organizational and job design, information processing systems design, application software acquisition/selection
process.
CONTROL OVER SYSTEM AND PROGRAM CHANGES
Management of the change process runs parallel to all the phases of SDLC. The change process involves the
following tasks:1) Provide feedback to the systems stakeholders.
2) Prevents system disruptions which may lead to business losses.
3) Helps users to adapt to new roles.
4) Documentation and follow up on the recommended and implemented process changes.
5) To be reviewed periodically to evaluate its effectiveness.
System Change Controls - Activities involved are promoting and preparing the need for change, complete
changeover to the new system, help users to adapt to their new roles.

Auditors Role - Evaluate the quality of decisions made.

Risks of change control processes are:1) System outages due to error or malicious intent.
2) Data loss or errors
3) Unauthorized changes
4) Reruns of system or application processes.
Program change controls - Standard organization policies, procedures, and techniques are to be followed to
ensure that all programs and program modifications are properly authorized, tested, and approved.
Auditors role
1) To ensure maintenance of software program code libraries.
2) To ensure appropriate backups of the systems data and programs made before the change.
3) A formal handover process.
4) Thorough testing before any new software is applied.
Authorization controls ensures all information and data entered or used in processing is authorized by
management.
Auditors Role
1) Determine if the proper level of management is authorizing the transaction activity.
2) Identify any allowable overrides or bypasses of data validation and edit checks and who can do the
overrides.
Document controls the need for procedures for recording all requests for change (RFC). Documentation contains
descriptions of the hardware, software, policies, standards, procedures, and approvals related to the systems, etc.
the user instruction manual should contain:1) A narrative description of the system.
2) A detailed flowchart of all clerical processes.
3) A list of approvals required on each input document.
4) A system recovery section including provisions for assisting in the restoration of the system.
Auditors role evaluate if:1) There is sufficient documentation that explains how software/hardware is to be used.
2) There are documented formal security and operational procedures.
Testing and Quality Controls testing runs throughout design phase and till the acceptance phase. Overall
objective of the testing is to ensure that the delivered system:1) Conforms with the organizations technical policies and standards.
2) Performs all the required functions.
3) Meets it performance objectives.
4) Is reliable in operation.
Tests must not be done to demonstrate that system works, but to show defects, hence negative testing is done where
tests are conducted to prove the defect rather than showing it defect free. Example testing that system does what it
is not supposed to do. Quality control includes:- establishment of a quality culture, quality plans, quality control
practices, SDLC, system testing and documentation, training, etc.
Quality standards- such as CMMI or ISO are used. Quality control and productivity gains are complementary.
Quality Reviews for example whether a product is: complete and free from defects, is sufficiently
comprehensive, complies with relevant standards.
Copyright Violation software programs can easily be copied or installed on multiple computers. The computing
environment needs controlling to prevent software piracy and copyright violations.
Contract/Warranties IT contracts address these issues: meet IT users expectations and the systems need to
perform as intended, able to file litigation due to dissatisfaction with products or services or on the failure of the

selection or acquisition process. IT auditors can help failure of contracts by evaluating them. The review areas of ITrelated contracts are:
1) Review of supplier contract terms that limit supplier reliability.
2) Review of contract objectives and performance measurements to ensure objectives have been met.
3) Review and inclusion in future contracts of contract clauses for protecting customer interests.
Service Level Agreements (SLA) SLA is a formal agreement between a customer requiring services and the
organization responsible for providing those services. User and provider should agree to standards, level of demand
of service before implementing the system.
Auditors role all legal requirements have been complied and check insurance requirements.
CONTROL OVER SYSTEM IMPLEMENTATION
Procedures Development covers who, what, when, where, and how of the implementation process. Auditor is to
assess quality of the procedures design matching with user requirements and SRS specifications, change
management principles implemented and followed within the organization.
Conversion it involves the following activities:
1) Defines the procedure for correcting and converting data into the new application.
2) Performing data cleansing before data conversion.
3) Identifying the methods to access the accuracy of conversion.
4) Designing exception reports showing the data which could not be converted.
5) Establishing responsibility for verifying and signing off.
Conversion strategies are direct implementation/abrupt change-over, parallel implementation, phased implementation
and pilot implementation.
Auditors role
User Final Acceptance Testing test of the operational system aims to include all manual procedures. It confirms that
User Requirement has been met, clerical procedures work effectively, back-up and recovery procedures work
effectively, all other functions necessary work as planned. The acceptance test plan involves: performance testing,
volume testing, stress testing, clerical procedures checking, back-up and recovery.
Auditors role
User training
SYSTEM MAINTENANCE
Corrective maintenance program fixes and routine correcting errors.
Adaptive maintenance change-in the user environment.
Perfective maintenance user enhancement and efficiency.
Auditors role evaluating effectiveness and efficiency of system maintenance process which includes checking, ratio
of actual maintenance cost per operation versus average of all process, average time to deliver change requests, the
number of bugs, errors reported, the quantity of modules returned to development due to errors discovered in
acceptance testing, time elapsed to analyze and fix problems.
Performance Measurement
POST IMPLEMENTATION REVIEW
It is performed to determine if the anticipated benefits were achieved and is performed jointly by the project
development team and the appropriate end users. Objectives to be met are:1) Business objectives objectives to be met are example delivered within budget and deadline; is producing
predicted savings and benefits, etc.
2) User expectations example user friendly, reliable, etc.
3) Technical requirements example capable of expansion, easy to operate and maintain, interfaces with
other systems, low running cost, etc.

The PIR Team to be impartial, the PIR team should be independent of the system development team. It may
therefore be advisable to employ an external IS consultant to manage the review and employ other external support
too. Internal Audit might help assess the effectiveness of internal controls. PIR is conducted with reference values
authorized by the approving authorities. After going through the PIR Report, the authorizing authority may endorse
continuation of the system or approve plans to modify the systems or terminate the system and made arrangements
for a new course of action.
Auditors role auditor checks through effectiveness of a PIR, or advices to undertake once after his assessment.
CONTROL OVER DATA INTEGRITY, PRIVACY AND SECURITY
Information classification:- top secret, highly confidential, proprietary, internal use only, public documents.
Data Integrity primary objective of data integrity control techniques is to prevent, detect, and correct errors in
transactions as they flow through the various stages of a processing program.
Data Integrity Policies
1) Virus signatures must be updated immediately when they are made available.
2) All software must be tested before installation on production systems.
3) Version zero software example 1.0, 2.0, must be avoided.
4) Back-up at regular intervals.
5) A comprehensive disaster-recovery plan must be used.
Data security
SECURITY CONCEPTS AND TECHNIQUES
Cipher method of encrypting information/unintelligent form of data.
Plain text original form of data/decrypted data.
Cryptosystems refers to a suite of algorithms needed to implement a particular form of encryption and decryption. A
cryptosystem consists of three algorithms : one for key generation, one for encryption, and one for decryption.
Data Encryption Standard (DES) is a cipher, a mathematical algorithm selected as an official Standard for the
United States in 1976, and since has subsequently enjoyed widespread use internationally. It specifies both
enciphering and deciphering operations which are based on a binary number called a key. A key consists of 64 binary
digits (0s or 1s) of which 56 bits are randomly generated and used directly and the other 8 bits are used for error
detection. Authorized users must have the key to decrypt. DES is now considered to be insecure, due to the 56 bit
key size being too small and DES keys have been broken in less than 24 hours. So it has been replaced by
Advanced Encryption Standard (AES).
Public Key Infrastructure (PKI) the system is based on public key cryptography in which each user has a key pair
called a public key and a private key. Private key must be stored in encrypted text and protected with a password or
PIN. It is used to create an electronic identifier called a digital signature that uniquely identifies the holder of the
private key and can only be authenticated with the corresponding public key. The Certificate Authority (CA) through a
digital certificate states that a particular public key and the corresponding private key belongs to a specific user. The
CA attests with its own private key, known as the root key.
DATA SECURITY AND PUBLIC NETWORKS
Firewalls
A firewall is a collection of components (computers, routers and software) that block or allow traffic based on rules
configured by the administrator. Firewalls are subject to failure. When firewalls fail, they typically should fail closed,
blocking all traffic, rather than failing open and allowing all traffic to pass. Types of firewall are :1) Packet Filter Firewalls evaluate the headers of each incoming and outgoing packet to ensure it has a valid
internal address, originates from a permitted external address, connects to an authorized protocol or
service, and contains valid basic header instructions. If the packet does not match the pre-defined policy for
allowed traffic, then the firewall drops the packet.

Weakness >> packet filter does not examine packet contents, most do not support advanced user
authentication, easy to misconfigure.
Strengths >> offers less security, but faster performance, so useful in high-speed environment, where user
authentication are not as important.
2) Stateful Inspection Firewalls stateful inspection firewalls are packet filters that monitor the state of the TCP
connection.
3) Proxy Server Firewalls acts as an intermediary between internal and external IP addresses and block
direct access to the internal network. Proxy servers are commonly employed behind other firewall devices.
The primary firewall receives all traffic, determines which application is being targeted, and hands off the
traffic to the appropriate proxy server. Common proxy servers are the domain name server (DNS), Web
server (HTTP), and mail (SMTP) server.
4) Application-Level Firewalls perform application level screening. It continues to examine each packet after
the initial connection is established. They provide the strongest level of security, but are slower and requires
greater expertise to administer properly.
UNAUTHORISED INTRUSION
Intrusion detection is the set of mechanisms that should be put in place to warn of attempted unauthorized access to
the computer. Intrusion Detection systems fall into two broad categories
1) Network Based Systems these systems are placed on the network. They examine the network traffic and
determine whether it is acceptable or not.
2) Host Based systems these systems actually run on the system being monitored. These examine the
system to determine whether the activity on the system is acceptable.
Ways in which hackers can hack:1) NetBIOS worst kind of hack. It exploits a bug in Windows 9x. NetBIOS is meant for LAN, but bug makes it
accessible across internet.
2) ICMP Ping Internet Control Message Protocol.
3) FTP is a backdoor program such as Doly Trojan _ turn the computer into an FTP server, without any
authentication.
4) rpc.statd problems specific to Unix and Lunix. The problem is the infamous unchecked buffer outflow
problem which makes data to be written in places it should not be and a hacker can access it by writing
program codes into memory.
5) HTTP hacks can only be harmful when user is using Microsoft Web Server Software which has the
unchecked buffer outflow bug.
Data privacy in:1) Policy Communication P3P
2) Policy Enforcement XACML, EPAL, WS-Privacy
Data privacy policies Copyright Notice, E-Mail Monitoring, Non-sharing of Customer Information, Encryption of
Data Backups.
Three types of anti-virus software:1) Scanners it looks for a sequence of bits called virus signatures that are characteristic of virus codes. They
check memory, disk boot sectors, executable to find matching bit patterns.
2) Active Monitor and Heuristic Scanner this looks for critical operating systems functions such as BIOS
calls, which resemble virus action. These generally do not serve the purpose.
3) Integrity Checkers these can detect any unauthorized changes to files on the system.
Logical Access Controls are the system-based mechanisms used to designate who or what is to have access to a
specific system resource and the type of transactions and functions that are permitted.
Issues related to logical access:1) Technical Exposures include unauthorized implementation or modification of data and software like data
diddling, bombs, Trojan horse, worms.

2) Computer Crime Exposures which generally lead to financial loss, legal repercussions, loss of credibility or
competitive edge, disclosure of confidential information.
Spoofing impersonating the system targeted to make the user believe he is using the OS while indeed he
interacting with the design made by the penetrator.
3) Asynchronous Attacks numerous transmissions must wait for the clearance of the line before data being
transmitted. Data that are waiting to be transmitted are liable to unauthorized access called asynchronous
attack. These attacks are hard to detect. Types data leakage, wire-tapping, piggybacking.
4) Remote and distributed data processing can be problematic but can be controlled in many ways.

TESTING GENERAL AND AUTOMATED CONTROLS

Testing is a process of executing a program with the intent of finding an error. A good test case is one that has a high
probability of finding a yet undiscovered error. Successful test is one that uncovers a yet undiscovered error.
Causes of Bugs specification, design, coding errors.
Cost of fixing bugs increases with time.
A test strategy is the plan to cover the product in such a way so as to develop an adequate assessment of quality. A
good testing strategy is specific, practical and justified.
Test Plan Why >> identify risks and assumptions, communicate objectives to all team members, foundation for Test
Spec, Test Cases.
Test Plan What
Test Plans may be of different types e.g. Unit test Plan testing input for format, alignment, etc., Integration test Plan,
System test Plan, Acceptance test Plan.
TEST PLAN OUTLINE background, introduction, assumptions, test items, features to be tested, features not to be
tested, pass/fail criteria.
Types of Software Testing
1) Static Testing verification activities whether the work is as per the set standards.
2) Dynamic testing
Black Box Testing tests to find incorrect or missing functions, interface errors, error in data structures,
performance errors, initialization and termination errors
Equivalence Partitioning this method divides the input domain of a program into classes of data from which test
cases can be derived. It tries to define a test case that uncovers classes of errors and thereby reduces the number of
test cases needed.
Boundary Value Analysis(BVA) selection of test cases that exercise boundary values. BVA derives test cases
from both input and output.
Causes-Effect Graphing Techniques provides a concise representation of logical conditions and corresponding
actions.
1) Causes (input conditions) and effects (actions) are listed for a module and an identifier is assigned.
2) A cause-effect graph is developed.
3) The graph is converted to a decision table.
4) Decision table rules are converted to test cases.
White Box Testing a test case design method that uses the control structure of the procedural design to derive
test cases.
Basis Path Testing
Flow Graphs
Loop Testing four different classes of loops:1) Simple Loops example skin the loop entirely, n-1, n, n+1 passes through the loop.
2) Nested Loop
3) Concatenated Loops
4) Unstructured Loops
Unit testing A unit test is a method of testing the correctness of a particular module of source code. This type of
testing is mostly done by the developers.
Benefits >> encourages change, simplifies integration, documents the code.
Limitations >> will not catch every error. Unit testing is only effective if it is used in conjunction with other software
testing activities.
Requirement testing successful implementation of user requirements.
Regression testing previously tested system functions properly without getting effected though changes are made
in some other segment of application system. It is used when there is high risk that the new changes may affect the
unchanged areas of application system and in development process, maintenance phase.

Error handling testing determines the ability of application system to process the incorrect transactions properly.
Manual support testing involves testing of all the functions performed by the people while preparing the data and
using these data from automated system.
Inter system testing ensures interconnection between application functions correctly.
Control testing to ensure that processing is performed in accordance to what management desire or intents of
management.
Parallel testing to ensure that the processing of new application (new version) is consistent with respect to the
processing of previous application version.
Volume testing it is thee testing of the behavior when the maximum number of users is concurrently active and
when the database contains the greatest data volume.
Stress testing system finding defects in handling large numbers of transactions during peak periods.
CONTINUOUS AUDIT AND EMBEDDED AUDIT MODULES
Today, organizations produce information on a real-time, online basis. Real-time recordings needs real-time auditing
to provide continuous assurance about the quality of the data, thus, continuous auditing. Embedded audit modules
are designed/programmed software bits embedded into the system to run along with data processing. Types of audit
tools:1) Snapshots helps in tracing a transaction in a computerized system.
2) Integrated Test Facility it involves creation of a dummy entity in the application system files and the
processing of audit test data against the entity as a means of verifying processing authenticity, accuracy,
and completeness.
3) System Control Audit Review File (SCARF) embeds audit software modules within a host application
system to provide continuous monitoring of the systems transactions. The information collected is written
onto a special audit file-the SCARF master files. Auditors might use SCARF to collect the following types of
information application system errors, policies and procedural variances, system exception, statistical
sample.
4) Continuous and Intermittent Simulation (CIS) DBMS reads an application system transaction. It is passed
to CIS. CIS replicates the processing and checks discrepancies between CIS results and results of
application system. Exceptions identified are written to an exception log file.
Types of Hardware Testing functional testing, user interface testing, usability testing, compatibility testing, security
testing, capacity testing, performance testing, reliability testing, recovery testing and maintenance testing.
REVIEW OF HARWARE
1) Review the capacity management procedures.
2) Review the hardware acquisition plan.
3) Review the change in management controls wrt hardware.
4) Review the preventive maintenance practices.
OPERATING SYTEM REVIEW
1) Interview technical service manager, system programming manager, and other personnel regarding review
and approval process, test procedures, implementation procedures, documentation, etc.
2) Review cost/benefit analysis to determine they have addressed the following direct costs, cost of
maintenance, training and technical support, processing reliability, data security.
3) Review controls over the installation of changed system software to determine the following.
4) Review system software change controls to determine the following.
5) Review systems documentation specifically in the areas of
6) Review and test systems software implementation to determine adequacy of controls in
7) Review authorization documentation to determine whether
REVIEWING THE NETWORK
Reviewer should identify LAN topology and network design, servers and modems, network topology, LAN
administrator, functions performed by the LAN Administrator, LAN transmission media and techniques, including
bridges, routers and gateways. Reviewer should test physical security, environmental controls, and logical security
interviews.

RISK ASSESSMENT METHODOLOGIES AND APPLICATIONS

Risk: a risk is the likelihood that an organization would face a vulnerability being exploited or a threat becoming
harmful.
Terms:1) A threat is an action, event or condition where there is a compromise in the system, its quality and ability to
inflict harm to the organization.
2) Vulnerability is the weakness in the system safeguards that exposes the system to threats.
3) Exposure is the extent of loss that an organization has to face when a risk materializes.
4) Likelihood of the threat occurring is the estimation of the probability that the threat will succeed in achieving
an undesirable event.
5) Attack is a set of actions designed to defeat an IS.
6) Residual Risk is any risk still remaining after the counter measures are analyzed and implemented.
THREATS TO THE COMPUTERISED ENVIRONMENT power failure, communication failure, disgruntled
employees, errors, malicious code, natural disasters, theft and downtime.
RISK ASSESSMENT
1) Vulnerability assessment
2) Risk assessment identifying critical applications and their impact.
3) Control evaluation determining control effectiveness
4) Residual risk determining recovery time frame
5) Action plan assess insurance coverage
RISK MANAGEMENT
Systematic risks are unavoidable risks these are constant across majority of technologies and applications.
Example the probability of power outage. Systematic risks would remain, no matter what technology is used.
Systematic risks can be reduced by management control process and does not involve technological solutions.
Example the solution to non-availability of consumable is maintaining a high stock.
Unsystematic risks are those specific to specific applications or technology. They can be generally mitigated by using
an advanced technology.
Risk management process
1) Identify the technology related risks.
2) Assess in terms of probability and exposure.
3) Classify the risks as systematic and unsystematic.
4) Look for technological solutions available.
5) Identify and implement other solutions feasible.
6) Reevaluate the risks.
7) Feedback.
Risk management cycle broad categories of risk management process risk identification, risk assessment and
risk mitigation.
Risk identification answering questions like:- what could go wrong, where are we vulnerable, what assets do we
need to protect, how do we bill and collect our revenue, etc.
Two primary questions are:Probability chance that something could go wrong and
Exposure cost of things going wrong.
Techniques for Risk Evaluation
1) Judgment and intuition
2) The Delphi approach used first by R and Corp. here experts are consulted independent opinions about
cost, benefits, etc. are taken risks, exposures also, estimates are compile, an acceptable range is decided
after repeating process 4 times, a curve is drawn, taking all estimates on the graph, the median is the
consensus opinion.
3) Scoring- weights assigned to various risks and exposures based on factors like severity, impact, etc.,
product of risk weight and exposure weight gives weighted score which is then ranked

4) Quantitative techniques basing risk on measurable figures and data.

Risk Ranking
Risk Mitigation risk mitigation measures/techniques are:- self assessment, strengthening internal controls,
establishing a disaster recovery plan and backup systems, insurance, outsourcing operations with strict service level
agreements so risk is transferred.
Risk Analysis And Assessment Form
Eg.
Physical Security
Criterion
Risk criterion
1) Are standards
acceptable
a) Yes
1
b) No
3
c) Yes, reasonably
2
2) .
3) ..
Prepare similarly for data security, software security etc..

Value weight

Total Risk

4
4
4

4
12
8

BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING

(BCP) is the creation and validation of a practical logistical plan for how an organization will recover and restore
partially or completely interrupted critical functions within a predetermined time after a disaster or extended
disruption. Business continuity covers:Business resumption planning the operational aspect of BCP.
Disaster recovery planning the technological aspect of BCP
Crisis management
Objectives of BCP
1) Provide for safety of people on premises at time of disaster.
2) Continue critical business operations.
3) Minimize the duration of a serious disruption to operations.
4) Minimize immediate damage and losses.
5) Facilitate effective co-ordination of recovery tasks.
6) Reduce the complexity of recovery.
Methodology for developing a business continuity plan can be sub-divided into eight different phases:1) Pre-Planning Activities steering committee established to guide the development of the planning process.
2) Vulnerability Assessment and General Definition of Requirements thorough security assessment , develop
a plan framework.
3) Business Impact Analysis
4) Detailed Definition of Requirements
5) Plan Development
6) Testing Program
7) Maintenance Program
8) Initial Plan Testing and Plan Implementation
Identify organizational risks, identify critical business processes, determine maximum allowable downtime for each
business process, and determine the impact to the organization in the event of a disaster. Ways to get these
information are through questionnaire, workshops, interviews and examination of documents. The BIA Report should
be presented to the Steering Committee.
Types of Plans
1) Emergency Plan specifies the actions to be undertaken immediately when a disaster occurs. Actions to be
initiated in case of different disasters should be described.
2) Backup Plan specifies the type of backup to be kept, frequency with which backup is to be undertaken,
procedures for making backup, location of backup resources, personnel responsible for gathering backup
resources and restarting operations of each system. It must ensure that all critical resources are backed up
like personnel, hardware, documentation inventory of documentation stored securely on-site and off-site,
supplies stored securely, application and system software stored securely.
3) Recovery Plan
Threats, risks and exposures to computer systems:Lack of integrity, lack of confidentiality, lack of system availability, unauthorized users attempt to gain access to the
system, hostile software e.g. virus, worm, Trojan horses, etc., disgruntled employees, hackers and computer crimes.
Types of Backups
1) Full Backup
2) Incremental Backup
3) Differential Backup stores files that have changed since the last full backup.
4) Mirror Backup identical to a full backup but files are not compressed in zip files and they cannot be
protected with a password.
Alternate backup options
1) Cold site recovery is slow.
2) Hot site fast recovery, expensive to maintain, usually shared with other organizations.

3) Warm site intermediate level of backup.

4) Reciprocal agreement two or more organizations agreeing to provide backup facilities to each other in the
event of one suffering a disaster.
Types of backup media floppy diskettes, DVD disks, tape drives most common backup media due to their low
cost, capacity of 4 to 10 GB, relatively slow compared with other media and unreliable, disk drives, DAT (Digital Audio
Tape) drives, optical jukeboxes use magnetic optical disks and offer secure storage space ranging from 5 to 20
terabytes, USB flash drive.
Disaster recovery and planning document may include conditions for activating the plans, emergency procedures,
resumption procedures, maintenance schedule, awareness and education activities, responsibilities of individuals,
insurance papers and claim forms, etc.
Kinds of Insurance
1) First-party Insurance Property Damages
2) First-party Insurances Business Interruptions due to any abnormal happening like natural disaster or fire
etc.
3) Third-party Insurance General Liability third party insurance is designed to protect the insured from
claims of wrongs committed upon others.
4) Third-party Insurance Directors and officers designed to protect officers of companies, as individuals,
from liability arising from any wrongful acts committed in the course of their duties as officers.
Four types of tests hypothetical, module, full, component.
Audit of the Disaster Recovery/Business Resumption Plan 1) Determine if plan exists and is sound.
2) Determine if information backup procedures are sufficient for recovery.
3) Determine if plan has been tested.
4) Obtain and review the plan and its documentation.
5) Determine if copies of the plan are safe in off-site storage.
6) Determine if the plan has been updated and revised.
7) Interview functional area managers to determine their understanding of the disaster recovery/business
resumption plan.

AN OVERVIEW OF ENTERPRISE RESOURCE PLANNING (ERP)

Features of ERP
Why companies undertake ERP integrate financial information, integrate customer order information, standardize
and speed up manufacturing processes, reduce inventory and standardize HR information.
Benefits of ERP
Business Process Reengineering (BPR)
Every company that intends to implement ERP has to reengineer its processes in one form or the other. This process
is known as BPR. BPR is reinventing and not enhancing or improving. A cleansiate approach of BPR says that
whatever you were doing in the past is all wrong. Here, the business objectives of the Enterprise are achieved by
transformation of the business processes which may or may not, require the use of Information Technology (IT).
Business Engineering merging of two concepts Information Technology and BPR. Rethinking of business
Processes to improve speed, quality and output of materials or services.
Business Modeling
Data model consists of external data, internal data, funding data, marketing research data, production data, inventory
data, sales forecast, payroll data etc.
Business modeling in practice
Key Planning and Implementation Decisions:- ERP or not ERP, follow softwares processes or customize, inhouse
or outsource, big bang or phased implementation
ERP Implementation Methodology:1) Identifying the needs for implementing an ERP package questions like will profitability and efficiency
increase, will delivery time be reduced etc.
2) Evaluating the As Is situation of the business i.e., to understand the strength and weakness prevailing
under the existing circumstances. Example total time taken by the business process, flow of information
etc.
3) Deciding the Would be situation for the business i.e., the changes expected after the implementation of
ERP do benchmarking for cost, quality etc.
4) Reengineering the business process reengineering is done to reduce business process cycle time and
decision points.
5) Evaluating various available ERP packages.
6) Finalizing of the most suitable ERP package.
7) Installing the required hardware and networks
8) Finalizing
9) Implementing
Risks faced by organizations when they migrate to ERP systems single point of failure, structural changes, job
role changes, online, real time, change management, dependency on external assistance, program interfaces and
data conversions, audit expertise.
Why do ERP projects fail so often conflicts between different departments for customization of ERP according to
their needs and resisting to using it is where ERP breaks down. Thus it must be seen that proper planning, study and
interviews with all departments and their requirements are taken care of before implementing this huge and
expensive system.
How does ERP fit with e-commerce ERP is complex and not intended for public consumption. It assumes that the
only people handling order information will be your employees. But now customers and suppliers are demanding
access to things such as order status, etc. Solving the difficult problems of integrating ERP and e-commerce requires
careful planning.
Sample List of ERP Vendors:1) Baan (The Baan Company)
2) Business Planning and Control System (BPSC) market leading manufacturing ERP solution in terms of
sites.
3) Mapics XA (Marcam Corporations)

4)
5)
6)
SAP:1)
2)
3)
4)
5)
6)
7)
8)
9)
10)
11)

Oracle Application (Oracle)

Prism (Marcam Corporation)
R/3 (SAP) in five years, R/3 is the market leader in new sales.
Financials financial accounting, general ledger, accounts receivable and payable, fixed assets accounting
Controlling Cost overhead cost control, cost centre accounting, overhead orders, activity based costing,
product cost control, cost object controlling, profitability analysis.
Investment Management corporate wide budgeting, appropriation requests, investment measures,
automatic settlement to fixed assets, depreciation forecast.
Treasury cash management, treasury management, market risk management, funds management
Enterprise controlling consists of 3 modules EC-CS, EC-PCA, EC-EIS.
Product Data Management (PDM)
Sales and Distribution shipping management system, foreign trade processing, billing.
Production Planning and Control sales and operation planning (sop), production control modules, quality
management.
Materials Management purchasing, inventory management, warehouse management, invoice verification.
Human Resource Management (HR) employee master data, recruitment management, selection and
hiring, benefits administration.
Payroll Accounting

INFORMATION SYSTEMS AUDITING STANDARDS, GUIDELINES, BEST PRACTICES

IS Audit Standards
AAS 29 by ICAI on auditing in a CIS environment
BS 7799 British Standards
It focuses on availability, confidentiality and integrity of organizational information that is justified financially and
commercially through a risk assessment. BS 7799 transformed into ISO 17799 and later the BS7799 part 2
developed due to a demand for certification option and transformed to ISO 27001.
BS7799 checks if security controls are justified, policies and procedures are appropriate, security awareness
amongst staff and managers etc.
BS7799 2 is Information Security Management Standard (ISMS)
Areas of focus of ISMS security policy, organizational security, asset classification and control, personnel security,
physical and environmental security, communications and operations management, access control, systems
development and maintenance, business continuity management, compliance.
CMM Capability Maturity Model
In November 1986, the Software Engineering Institute with Mitre Corporation began developing a process maturity
framework to help organizations improve their software process. After four years of experience SEI evolved the
maturity framework into the Capability Maturity Model for Software (CMM). The CMM presents sets of recommended
practices in a number of key process areas that have been shown to enhance software process capability. The CMM
is based on knowledge acquired from software process assessments and extensive feedback from both industry and
government.
The Five Levels of Software Process Maturity:Level 1 the Initial Level: not a stable environment for developing and maintaining software, difficulty making
commitment resulting in crisis. Success in Level 1 organizations depends on heroics of the people in the
organization. Thus Level 1 is a characteristic of the individuals, not of the organization.
Level 2 the Repeatable Level: at this Level, policies for managing a software project and procedures to implement
those policies are established, based on experience with similar projects. An effective process is which is practiced,
documented, enforced, measured and able to improve. The software process capability of Level 2 organizations can
be summarized as disciplined because planning and tracking of the software project is stable and earlier successes
can be repeated.
Level 3 the Defined Level: organizations standard software processes at Level 3 are used to help the software
managers and technical staff performs more effectively. Software process capability of Level 3 can be summarized as
standard and consistent.
Level 4 the Managed Level: at this Level organization sets quantitative quality goals for both software and
processes. Software process capability of Level 4 organizations can be summarized as being quantifiable and
predictable.
Level 5 the Optimizing Level: at this Level, the entire organization is focused on continuous process improvement,
analyze defect to determine their causes. Level 5 organizations are continuously striving to improve range of their
process capability, thereby improving the process performance.
COBIT IT Governance Model
COBIT combines the principles embedded in existing and known reference models like quality requirements quality,
cost delivery, fiduciary requirements effectiveness and efficiency, compliance with law, security requirements
confidentiality, integrity.
Domain of COBIT area controlled by planning and organization, acquisition and implementation, delivery and
support, and monitoring.
Planning and Organization domain involves defining a strategic IT Plan, the Information Architecture, IT Processes
and IT Investments, manage quality, etc.

Acquisition and Implementation domain involves identifying Automated Solutions, acquire and maintain
Application Software, enable operation and use, manage changes, etc,
Delivery and Support domain involves defining and managing service levels, manage third-party services,
performance and capacity, ensure systems security, identify and allocate costs, educate and train users, manage
problems and data, etc.
Monitoring domain involves monitoring and evaluate IT processes, internal control, ensure regulatory compliance,
provide IT governance
COCO Guidance on Control report, known as CoCo, was produced in 1999 by the Canadian Institute of Charted
Accountants. It is concerned with control in general. CoCo can be said to be a concise superset of COSO. It uses the
same three categories of objectives: effectiveness and efficiency of operations, reliability of financial reporting,
compliance with applicable law.
IT Infrastructure Library- ITIL originated as a collection of standards each covering a specific practice with IT
management grew to over 30 books. ITIL v2 consolidated the works into 8 books:- service delivery, service support,
ICT infrastructure management, security management, the business perspective, application management, software
asset management, planning to implement service management.
Systrust and Webtrust SysTrust and WebTrust are two specific services developed by the AICPA that are based
on the Trust Services Principles and Criteria. SysTrust engagements are designed for the provision or advisory
services or assurance on the reliability of a system. WebTrust engagements relate to assurance or advisory services
on an organizations system related to e-commerce.
HIPPA
The Health Insurance Portability and Accountability Act were enacted by the US Congress in 1996. Title I of HIPPA
protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of
HIPPA requires the establishment of national standards for electronic health care transactions and national identifiers
for providers health insurance plans and employers.
The Security Rule lays out three types of security safeguards required for compliance: administrative, physical, and
technical.
a) Administrative Safeguards: policies and procedures designed to clearly show how the entity will comply with
the act.
b) Physical Safeguards: controlling physical access to protect against inappropriate access to protected data.
c) Technical Safeguards: controlling access to computer systems and enabling covered entities to protect
communications over open networks from being intercepted by anyone other than the intended recipient.
SAS 70 Service Organization SAS 70 is an internationally recognized auditing standards developed by AICPA.