SAMPLE INFORMATION SYSTEMS AUDIT


SAMPLE INFORMATION SYSTEMS AUDIT AND FORENSIC AUDIT REPORT

ISBN: 978-81-8441-846-0

The Institute of Chartered Accountants of India
(Set up by an Act of Parliament)
New Delhi
www.icai.org
September/2016/P2011(New)

The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior permission, in writing, from the publisher.

Edition: September, 2016
Committee/Department: Committee on Information Technology (http://cit.icai.org)
Price: 100/-
ISBN: 978-81-8441-846-0
Published by: The Publication Department on behalf of the Committee on Information Technology, The Institute of Chartered Accountants of India, Post Box No. 7100, Indraprastha Marg, New Delhi-110 002.
Printed by: Sahitya Bhawan Publications, Hospital Road, Agra 282 003.
September/2016/1000 Copies

Foreword

Information Technology plays a vital role in supporting the activities of any organisation. The growth and change that has come about as a result of developments in the technology have important implications. These technological changes have put more focus on the role performed by Chartered Accountants, especially in the fields of Information Systems Audit and Forensic Accounting.

Recent financial and cyber frauds have emphasised the urgent need for a transparent and clean system. The vital problem encountered by some of the Chartered Accountants is the lack of practical exposure in the area of Information Technology. They are faced with various issues while applying the acquired knowledge in the actual working environment, such as how IS Audits and Forensic Audits are conducted, how the report is to be prepared, and how the evidence gathered is to be dealt with in the reports.

Identifying "Information Systems Audit" and "Forensic Accounting & Fraud Detection" as niche areas, the Committee on Information Technology is conducting a Post Qualification Course on "Information Systems Audit" and a Certificate Course on "Forensic Accounting and Fraud Detection". The courses aim to develop the skills required to uncover corporate / business frauds, measure the resultant damage, and provide litigation support to outside counsel by applying accounting and auditing principles for the detection of frauds.

This publication on "Sample IS Audit & Forensic Audit Report" will enable Chartered Accountants, both in practice and in industry, to serve as Information Systems and Forensic Auditors, in the preparation of IS Audit and Forensic Audit reports.

I appreciate the efforts put in by CA. Atul Kumar Gupta, Chairman, CA. Manu Agrawal, Vice-Chairman and other members of the Committee on Information Technology for bringing out this publication as a guide for IS Audit and Forensic Reports.

I am sure that it will be useful learning material.

Best wishes,
CA M. Devaraja Reddy
President, ICAI

Preface

Information Technology has now emerged as the Business Driver of choice for Enterprises and Government Departments to better manage their operations and offer value added services to their clients / citizens. While the increasing deployment of IT has given immense benefits to enterprises and government departments, there have been increasing concerns about the efficiency and effectiveness of the massive investments made in IT, apart from the safety and security of the Information Systems themselves and data integrity.

The Post Qualification Course on Information Systems Audit aims to equip members with a unique body of knowledge and skill sets so that they become Information Systems Auditors who are technologically adept and are able to utilise and leverage technology to become more effective in their work and learn new ways that will add value to clients, customers and employers.

Forensic Accounting has come into the limelight due to the rapid increase in financial frauds and white-collar crimes. The integration of accounting and investigative skills creates the speciality known as Forensic Accounting. Forensic Accounting uses accounting, auditing and investigative skills to conduct investigations into theft and fraud cases. The job of forensic accountants is to catch the perpetrators of financial theft and fraud, including tracing money laundering, identifying theft activities as well as tax evasion.

The Certificate Course on Forensic Accounting and Fraud Detection is a blend of theoretical and practical training and is intended to equip the participants with concepts in Forensic Accounting. It aims at sensitising fraud investigators, auditors, security professionals and IT executives about the risks and mitigation strategies for an effective business environment. It provides an incisive analysis of how fraud occurs within an organisation and the latest techniques for finding it.

It gives us immense pleasure to bring out this publication on "Sample IS Audit and Forensic Audit Report" for the members active in the Information Systems Audit and Forensic Audit field(s). This learning guide is prepared to assist professionals in preparing IS Audit Reports and Forensic Audit Reports. It is brought out to enhance the learning experience and to synchronise theoretical knowledge with the practical aspects. It will thus provide increased understanding of how to prepare the reports while conducting Information Systems and Forensic Audits. It provides a well-knitted overview of the format of IS audit reports and forensic reports.

We would like to express our gratitude to CA M. Devaraja Reddy, President ICAI and CA Nilesh S. Vikamsey, Vice President ICAI for their continuous support and encouragement to the initiatives of the Committee. We must also thank our colleagues from the Council at the Committee on Information Technology for providing their invaluable guidance as well as their invaluable dedication and support to various initiatives of the Committee.

We would also like to extend our sincere thanks and appreciation to Mr. S. P. Shah Singh, Mr. Vinay Saini, CA Sanjay Gupta, CA Naresh Gandhi and CA Ashish Makhija who contributed their expert knowledge to this publication brought out by the Committee on Information Technology. We really appreciate their sincere efforts and dedication towards the work of the Committee.

We wish to express our thanks to the Committee Secretariat for giving final shape to the publication.

CA Atul Kumar Gupta
Chairman, IT Committee

CA Manu Agrawal
Vice-Chairman, IT Committee

Index

S.No.  Particulars                  Page No.
1.     IS Audit Report for ICAI     1-71
2.     Forensic Reports Guide       73-79
3.     Corporate Fraud Report       80-98

IS Audit Report for ICAI

XXXXX LIMITED
Review of Information Systems
General and Application Controls
Draft Report
December 31, 9999
(FOR DISCUSSION PURPOSES ONLY)

Sample Information Systems Audit & Forensic Audit Report

XXXXX Limited
Information System Audit Report (For Discussion Purpose Only)
Review of System Management (Including General IT Controls)

Table of Contents

Sr. No.  Audit Area                                        Page No.
A        Objective and Scope                               3
B        Approach                                          3
C        Introduction (Snapshot, Key Facts, Sample etc.)   4
D        Executive Summary                                 4
E        Observations and Impact                           5
         1.0 NETWORK ARCHITECTURE / DIAGRAM                5
         2.0 SERVERS                                       6
         3.0 L-3 SWITCH / ROUTERS                          19
         4.0 FIREWALL                                      51
         5.0 LOGICAL ACCESS CONTROLS                       60
         6.0 INTERNET AND VIRUS UPDATION                   68
         7.0 EMAIL                                         69
         8.0 BASIC HYGIENE                                 70
         9.0 BACKUP                                        71

A. Objective and Scope

Networks may have vulnerabilities that expose them to possible exploit or attack. These vulnerabilities, both known and previously unknown, often exist in the most unlikely of places, such as the firewalls, intrusion protection systems and other perimeter defences ostensibly protecting the network. Just one vulnerability in a single product potentially exposes every other device and application on the network. If even one of these systems is vulnerable, the integrity, confidentiality and availability of all information resources can suffer.

The objectives of the audit are to:
• Identify the weaknesses in various device configurations that may put the confidentiality, integrity and availability of data at risk; and
• Provide high level recommendations to address these weaknesses.

B. Approach

The review is based on:
• Hard and soft copies of network diagrams / configurations of various network devices provided to us
• Walkthrough of the configuration of the firewall
• Walkthrough of the configurations of various servers
• Interviews of some administrators, etc.

but without:
• Vulnerability scanning, an automated technique that identifies weaknesses in the devices on the network that are open to known vulnerabilities
• Penetration testing, a method for evaluating the security of a computer system or network by simulating an attack. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found are presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered.

C. Introduction

XXXXX Limited has a large IT setup to provide IT related services to the company. It has in-house IT maintenance but FMS is outsourced to HP. There are more than 50 Windows based and 4 Unix servers in the data centre. ABC software is used to support the finance function. Of the four Unix machines, two run HP-UX and two run AIX. These servers run in-house developed applications. Enterprise storage size is more than 30 TB. XXXXX Limited uses multiple WAN links provided by Reliance, TATA etc. A mix of Nortel and Cisco network devices is used at XXXXX Limited.

D. Executive Summary

Our audit of the IT security controls of XXXXX Limited determined that:
• XXXXX Limited has established a security management program.
• XXXXX Limited has implemented controls to prevent unauthorized physical access to its facilities, as well as logical controls to protect sensitive information. However, we noted several opportunities for improvement related to XXXXX Limited's access controls:
  o Standardized access request forms are not utilized for managing information systems access;
  o There is no formal process for auditing logical and physical access privileges; and
  o There are no formal procedures for reviewing system logs.
• XXXXX Limited has implemented an incident response and network security program. However, we noted several areas of concern related to XXXXX Limited's network security controls:
  o A formal incident response procedure has not been established;
  o A firewall configuration standard has not been developed;
  o An outbound web proxy has not been implemented;
  o Controls are not in place to prevent unauthorized devices from connecting to the network and to control the use of removable media;
  o Significant improvements are needed to the vulnerability management program;
  o A methodology is not in place to ensure that unsupported or out-of-date software is not utilized; and
  o Several vulnerabilities with known exploits were identified as a result of our independent vulnerability scans.
• XXXXX Limited has implemented a configuration management process to control changes made to its IT systems. However, there is no routine auditing of XXXXX Limited's server and workstation configuration.
• XXXXX Limited has documented contingency procedures that detail the recovery of servers in the event that normal service is disrupted. However, the contingency plan for workstations may not be feasible since it relies on a third party without a service contract.

E. Observations and Impact

Each observation in this section is presented in a four-column table: Sr. No., Observation & Impact, Recommendation, and Auditee Response & Implementation Timeline. The last column is left blank in this sample for the auditee to complete.

1.0 NETWORK ARCHITECTURE / DIAGRAM

Observation & Impact:

Background: A network diagram is a depiction of a system in terms of individual points (which may represent a location, resource, status or task) and the links between them used to pass goods, services, data or other communications. It helps model the relationships of the links and the timing and direction of the flows between them. Proper documentation is very important to an IT organization. Without it, there is no good way to transfer knowledge quickly when it is really needed, and the network diagram is one such document.

Observation:
a) Network diagrams do not follow diagramming conventions. They do not use the conventional device icons to represent devices like routers, L-3 switches etc.
b) The network diagrams do not present the exact network picture as it currently exists. Some devices that are not in use, e.g. 'Domino SPIL', are still shown in the diagram.

Impact: The diagram may be difficult to understand, which may make maintenance difficult and delay the fixing of problems. The availability of the network, therefore, may be at risk.

Recommendation: Diagrams should conform to standard conventions. They should be updated as and when changes occur.

Auditee Response & Implementation Timeline: (blank)

2.0 SERVERS

Sr. No. 2.1

Observation & Impact: Vulnerable services represent a large percentage of the overall attack surface in Windows. Windows Service Hardening restricts critical Windows services from doing abnormal activities in the file system, registry, network, or other resources that could be used to allow malware t

Recommendation: Vulnerable services should be reviewed for their usage and, if not required, should be stopped.

Auditee Response & Implementation Timeline: (blank)
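As an added example (not part of the ICAI sample report), the following PowerShell script carries out the review that recommendation 2.1 calls for on a Windows server: it lists every running service with its start mode, the account it runs as and its binary path, flags the services absent from an auditor-supplied list of required services, saves that list as working-paper evidence, and shows the stop-and-disable step as a dry run. The $RequiredServices list is a constructed placeholder and not a hardening baseline; in a real engagement it is taken from the auditee's server build standard or role documentation.

```powershell
# Added example, not code from the ICAI report. Reviews running Windows services
# against an auditor-supplied list of required services (2.1: "vulnerable services
# should be reviewed for their usage and, if not required, should be stopped").

# Constructed placeholder: the services this server role is documented as needing.
# Replace with the auditee's build standard before relying on the output.
$RequiredServices = @(
    'Dnscache', 'EventLog', 'LanmanServer', 'LanmanWorkstation',
    'W32Time', 'WinDefend', 'Winmgmt'
)

# Win32_Service exposes the start mode, the service account (StartName) and the
# binary path (PathName); Get-Service alone does not report these, and all three
# matter when judging how much attack surface a service contributes.
$running = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' }

# Running services not on the required list are the review candidates.
$candidates = $running |
    Where-Object { $RequiredServices -notcontains $_.Name } |
    Select-Object Name, DisplayName, StartMode, StartName, PathName |
    Sort-Object Name

# Evidence for the audit file: what is running, as whom, and from where.
$candidates | Format-Table -AutoSize
$candidates | Export-Csv -Path '.\running-services-review.csv' -NoTypeInformation

# Remediation for services the auditee confirms are not required. -WhatIf keeps
# this a dry run that only reports what would change; drop it only after the
# service owner has signed off, and disable as well as stop so the service does
# not return at the next reboot.
foreach ($svc in $candidates) {
    Stop-Service -Name $svc.Name -WhatIf
    Set-Service -Name $svc.Name -StartupType Disabled -WhatIf
}
```

Run the script in an elevated PowerShell session on the server under review; the CSV it writes is the artefact to attach to the observation, and the services that remain after the auditee has justified each entry are the ones to test in the follow-up audit.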
