Class Lecture Slide - ICAB, CA Professional Level, IT Knowledge

1. IT KNOWLEDGE
CA Professional Stage - Knowledge Level, ICAB
Tutor: Mohammad Abdul Matin
Chapter 5
Internal Control in Computer
Based Business System

2. Chapter Outline
 Control, IT Internal Control, IT Internal Audit
 Responsibility of Control
 Control Objectives and Techniques
 Control over Acquisition, Implementation and Changes
 Risk Assessment
 Business Continuity Plan
 Overview of ERP

3. Control Objectives for IT (COBIT)
 Developed in 1996 as generally accepted information
technology control objectives for day-to-day use.
 COBIT 4.1 has around 34 high level processes and
covers 201 control objectives in four domains:
– Planning & Organization
– Acquisition & Implementation
– Delivery & Support
– Monitoring & Evaluation

4. Control Objectives for IT (COBIT)
 A complete COBIT package contains:
Executive Summary: Summary, principles, concepts, synopsis of
the framework, etc.
Framework: Defines the different (34) high level and other IT
processes in four domains. Also defines the Information criteria.
Control Objectives: Defines the (210) control objectives in the
form of statements throughout the high level processes.
Management & Implementation Guidelines: Composed of
Maturity Models to help defining and comparing expectations,
CSFs, KPIs, Key Goals Indicators, industry norms, etc.

5. Control Objectives for IT (COBIT)
IT Assurance Guide: Tools to assess if the IT controls linked to the
respective control objectives are achieving results. Compatible
with ISACA’s (Information System Audit and Control Association)
and ITAF’s (Information Technology Assurance Framework)
standards.

6. Audit Trails
Logs that are designed to record activity at the system
application and user levels to provide detective control
related to security, issue finding, etc.
 Audit Trail Objectives:
– Detecting unauthorized access
– Facilitating reconstruction of failure events or problems
– Establishing personal accountability

7. Controls – IS Selection, Acquisition
 Strategic Master Plan
A strategic master plan to ensure appropriateness and priority
 Project Control
Project Management, resource and time planning with responsibilities
 Data Processing Schedule
Backend tasks to be distributed and scheduled to maximize resource
usage
 System Performance Measurement
Throughput and time based utilization measurements
 Post-Implementation Review
Compare the cost and benefit between plan and implementation

8. Post Implementation Review (PIR)
 Post Implementation Review (PIR) of an initiative is
performed to mainly assess if the following were met as per
expectation / plan:
– Business Objectives (budget, deadline, benefits, etc.)
– User Expectations (friendliness, workload, reliability, etc.)
– Technical Requirements (expandability, ease of operation,
interconnectivity with external systems, etc.)
 PIR is typically performed after any project is completed, has
become stable and not being significantly changed/modified
as a result of errors or realizations.
 PIR should be performed by independent IS
consultant/team who had not been involved in the original
initiative/project/development.

9. Business Continuity Planning (BCP)
Key Objectives of a BCP
– Safety of people at the time of a disaster
– Continue critical business operations
– Minimize the duration of disruption of regular operations
– Minimize immediate damage or losses (data and equipment)
– Establishing management succession and emergency powers
– Facilitate effective coordination of recovery tasks
– Reduce the complexity in recovery
– Identify critical lines of business and supporting functions

10. Business Continuity Planning (BCP)
Eight Phases of Developing a BCP
i. Pre-planning activities
ii. Vulnerability assessment
iii. Business impact analysis
iv. Definitions of requirements
v. Plan development
vi. Testing program
vii. Maintenance program
viii. Plan testing and implementation

11. Enterprise Resource Planning (ERP)
 ERP system is a fully integrated business management
system covering different functional areas of an
enterprise.
 ERP systems can be general or industry specific.
Components integrated within a ERP system can vary
depending on the organizational needs and priority.
 Examples of ERP systems: SAP, Oracle EBS, Dynamics AX,
IFS, Glovia, Infor, Sage, etc.

12. Enterprise Resource Planning (ERP)
 Benefits of a ERP System
– Integrated Financial Systems
– Standardized Processes
– Shared, Real-time Information
 Implementation of ERP Systems
– Corporate culture
– Process change
– Management support
– Project Manager competence
– The ERP Team
– Project Methodology
– Training
– Commit to the change

13. ERP Example: SAP
 World’s most used tier one ERP system developed by
SAP AG, a German company.
 SAR R/3 System Architecture:
– Presentation layer
– Application layer
– Database layer
 Can run on many different O/S and Database platforms
 Can be distributed into multiple systems for load
management and other objectives.

14. Common SAP R/3 Functional Modules

15. Exam Questions
 What is control? What are the purposes of internal
control? Explain the five key components required for
effective internal control.
 What is Audit Trail? Explain its objectives.
 Describe Post Implementation Review (PIR).
 Why is information system security important?
 Explain “vulnerability management” and “threat
management” in management of IT security
 What is disaster recovery plan? Describe major areas of
a disaster recovery planning document.
 What is ERP? Explain SAP as a ERP system.

16. Thank You