Module E
This syllabus aims to provide:
a. Essential body of IT knowledge related to business information systems.
b. IT security, control and governance knowledge related to business information systems.
c. Application of knowledge to manage the above and evaluate IT.
The case studies in ICAP study material for this syllabus are designed to assist the students in enhancing their knowledge and skills in: Managerial role; Evaluator role; Enterprise resource planning; and Electronic Commerce.
Case studies / scenario based questions will be set in the examination.
Introduction
Information Technology Management, Audit and Control
1. IT Strategy and Management
Contents:
Broad knowledge / skill area
- Planning of information systems based on business success factors/criteria
- Position of the entity within its industry/sector
- Alignment/integration with business objectives/success factors
- Risks: economic, technical, operational, behavioral
- Components of long range plans
- Operational dynamics that influence the entity's business/programs
- Business to Consumer (B2C)
- Business to Business (B2B)
- Business to Employee (B2E)
- Consumer to Consumer (C2C)
- Government to Citizen (G2C)
- Developing operational priorities
- Compatibility of computers
- Planning IT capacity
- Impact of IT on procedures
- Data/information architecture
- IT infrastructures (hardware, facilities, networks)
Final Examination
Information Technology Management, Audit and Control
- Software (systems, applications, utilities)
- Performance measurement (productivity, service quality)
- Collaborative computing; distributed systems
- Technology diffusion
- Information center, help desk
- End-user system security
- Support for end-user applications
- Capital budget
- Time/expense tracking
- Cost charge out / monitoring
- Accounting for system costs
- Effectiveness, efficiency, economy of operations
- Reliability of financial reporting
- Effectiveness of controls (design, operation)
- IT asset safeguarding
- Compliance with applicable laws and regulations
- System reliability:
  - Availability and continuity (back-up, recovery)
  - Access controls (physical, logical)
  - Processing integrity (completeness, accuracy, timeliness, authorization)
  - Data integrity
- Supply chain management (SCM)
- Enterprise resource planning (ERP)
- Sales force automation (SFA)
- Customer relationship management (CRM)
- Electronic commerce systems:
  - Brochure, catalog, order entry, payment processing, fulfillment
  - Knowledge management systems
  - Knowledge creation, capture, sharing, maintenance
- Managing Information Technology Planning for Business Impact
- Acquisition of Information Technology
- The Implementation of Information Technology Solutions
- IT Service Delivery and Support
- Effectiveness, efficiency, economy of operations
- Error, fraud, vandalism/abuse, business interruption, competitive disadvantage, excessive cost, deficient revenues, statutory sanctions, social costs, etc.
- Effect of IT audit on organization, controls
  - Economic, technical, operational, behavioral considerations
  - Cost/benefit
- COBIT, ITCG, SysTrust, WebTrust, etc.
- Cost effectiveness of control procedures
- Relevance, reliability, comparability / consistency
- At a point in time; during a period of time
- Evaluation of facilities management and IT asset safeguarding
- Prevention/detection of fraud, error and illegal acts
- Privacy, confidentiality, copyright issues
- Availability and continuity (back-up, recovery)
- Access control (physical, logical)
- Processing integrity (completeness, accuracy, timeliness, authorization)
- Completeness, accuracy, currency / timeliness, consistency/comparability, authorization, auditability
- Input/output; reception/distribution controls
- Attitudes, laws and regulations
- Board level, management level, IT administrative/operational level
- Hardware, facilities, network
- System, application
- User departments, individual user
- Board, top management
- IT management and IT personnel
- User departments, individuals
- Auditors
2. Information Technology Security, Control and Management
Control environment
- Record keeping, privacy, copyright, taxation, etc.
- Regulatory compliance, fiduciary obligations, IT governance, system reliability
- Integrity and ethical values, commitment to competence
- Leadership for IT organization, organization of IT function, segregation of incompatible IT and user functions, partnership with other organizations
- Business practices, codes of conduct, documentation of systems, operations, user responsibilities, reporting relationships
- Strategic planning, business system/IT integration planning, budgeting, performance
- Hiring, training, evaluation, compensation of IT personnel, career paths
- Budgeting process; cost charge out methods
- Economic, technical, operational, behavioral
- Main reasons for failure of computer projects
- Error, fraud, vandalism/abuse, business interruption, competitive disadvantage, excessive cost, deficient revenues, statutory sanctions, social costs, etc.
- Quantitative / qualitative
- Monetary, non-monetary
- Balancing costs of controls vs. costs of unmitigated risks
Control activities
integrity, privacy and security
- Objectives, framework, environment, activities, monitoring
- Legal, ethical, professional standards/requirements
- Preventive/detective/corrective strategies
- Effective control environment (personnel management methods)
- Preventative application controls
- Detective application controls
- Contingency plans, insurance
- Authorization
- Separation of incompatible functions (organizational design, user identification,
- Adequate documents and records
- Asset safeguards; limitation of access to assets
- Independent check on performance; verification of accounting records, comparison of accounting records with assets
- Computer-dependent controls (edit, validation, etc.)
- User controls (control balancing, manual follow-up, etc.)
- Audit trails
- Error identification/investigation/correction/tracking
- Understanding of data protection legislation
- Consideration of personnel issues and confidentiality
- Classification of information
- Access management controls
- Physical design and access control
- Logical access control (user authorization matrix)
- Network security (encryption, firewalls)
- Program security techniques
- Monitoring and surveillance techniques
- Threat and risk management software and data backup techniques (problems of on-line systems, etc.)
- Alternate processing facility arrangements
- Disaster recovery procedural plan, documentation
Monitoring of control
- Integration with business continuity plans
- Periodic tests of recovery procedures
- Insurance
- Planning and scheduling; service levels; risks; standards
  - Infrastructure (hardware, facilities, networks)
  - Software
  - Human resources (skill sets and staffing level)
- Business processes
- Performance monitoring; costs / benefits (quantitative and qualitative impact on management jobs and office procedures)
- Business drivers that impact IT (e.g., scalability, rightsizing, flexibility of change in technology or business, speed to market, cross-platform capability)
- Control over productivity and service quality
- Software/data library management
- Input/output distribution and control
- Security, backup and recovery
- Internal monitoring processes
- Performance review processes
- External monitoring processes
- Processes for addressing non-compliance
- Familiarisation with:
  - System analysis and documentation (e.g., flowcharting package, review of program logic, etc.)
  - System/program testing (e.g., test data, integrated test facility, parallel simulation, etc.)
  - Data integrity testing (e.g., generalized audit software, utilities, custom programs, sampling routines, etc.)
  - Problem solving aids (e.g., spreadsheet, database, online databases, etc.)
  - Administrative aids (e.g., word processing, audit program generation, work paper generators, etc.)