Business enterprises and government departments are making increasing use of Information Technology to manage their operations better and to offer value-added services to their clients/citizens. While this growing deployment of IT has brought immense benefits, there are growing concerns about the efficiency and effectiveness of the massive investments made in IT, and about the safety and security of the information systems themselves and the integrity of their data. As enterprises become increasingly dependent on IT resources to run their core business functions, business continuity depends increasingly on the continuity, efficiency and effectiveness of the deployed information systems.
The Sarbanes-Oxley Act and Clause 49 of the listing requirements require companies to certify the existence of sufficient controls and checks and balances, which today are implemented as part of their IT systems. There is therefore a growing need for IS audit services, just as there is for statutory audits, bank audits, internal audits and compliance audits.
Chartered Accountants, as the traditional trusted assurance providers to businesses and regulators, with their unique education and training and their understanding of business requirements and the laws of the land, are increasingly relied upon to provide value-added services in the field of IS audit and systems and process assurance.
It is increasingly common practice in audit firms to include a member of the IS audit team in every audit team, since the operations of most enterprises are today managed through IT. One D.I.S.A. (ICAI) member is required for bank audits. There is currently also a professional requirement for a systems audit of stock brokers of the NSE/BSE. The Computer Emergency Response Team of India (CERT-In) has recognized the D.I.S.A. (ICAI) qualification for empanelment of IS auditors.
In addition to the aforesaid requirements, ISA-qualified members need to promote greater use of IS audit services by their clients.
It is pertinent to note that regulators are increasingly concerned about the quality of IS audit services provided by professionals in the country; for example, CERT-In is reviewing the capabilities of its empanelled IS auditors by testing them on a test bed containing typical grey areas. It is therefore important for members to keep developing their capabilities in order to survive and grow in the emerging economy of the country.
An IT audit is different from a financial statement audit. While the purpose of a financial audit is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the design and effectiveness of the system’s internal controls. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. The goal is to evaluate the organization’s ability to protect its information assets and to properly dispense information to authorized parties. The IT audit’s agenda may be summarized by the following questions:
The IT audit focuses on identifying the risks that are relevant to information assets and on assessing the controls that reduce or mitigate these risks. By implementing controls, the effect of risks can be minimized, but controls cannot completely eliminate all risks.
Cyber law is a term used to describe the legal issues related to the use of communications technology, particularly “cyberspace”, i.e. the Internet. It is less a distinct field of law, in the way that property or contract law are, than an intersection of many legal fields, including intellectual property, privacy, freedom of expression, and jurisdiction. In essence, cyber law is an attempt to apply laws designed for the physical world to human activity on the Internet. There is no single exhaustive definition of the term “Cyber Law”. Simply speaking, Cyber Law is a generic term which refers to all the legal and regulatory aspects of the Internet and the World Wide Web.
Cyber law encompasses laws relating to:
1. Cyber Crimes
2. Electronic and Digital Signatures
3. Intellectual Property
4. Data Protection and Privacy
Need for Cyber law:
In today’s techno-savvy environment, the world is becoming more and more digitally sophisticated, and so are the crimes. The Internet was initially developed as a research and information-sharing tool and operated in an unregulated manner. As time passed it became more transactional, with e-business, e-commerce, e-governance, e-procurement, etc. All legal issues related to Internet crime are dealt with through cyber laws. As the number of Internet users rises, the need for cyber laws and their application has also gathered great momentum.
Key words related to cyber crimes:
Cyber Defamation: This occurs when defamation takes place with the help of computers and/or the Internet, e.g. someone publishes defamatory matter about a person on a website or sends e-mails containing defamatory information to all of that person’s friends.
Cyber Pornography: This would include pornographic websites and pornographic magazines produced using computers and the Internet (to download and transmit pornographic pictures, photos, writings, etc.).
Cyber Stalking: Cyber stalking involves following a person’s movements across the Internet, by posting messages on the bulletin boards frequented by the victim and entering the chat rooms frequented by the victim.
Data diddling: This kind of attack involves altering the raw data just before it is processed by a computer and then changing it back after the processing is completed.
Denial of Service: This involves flooding computer resources with more requests than they can handle. This causes the resources to crash, thereby denying authorized users the service offered by those resources.
E-Mail bombing: E-mail bombing refers to sending a large number of e-mails to the victim, overwhelming the victim’s e-mail account or mail servers.
E-Mail spoofing: A spoofed e-mail is one that appears to originate from one source but has actually been sent from another source. This can also be termed e-mail forging.
Financial Claims: This would include cheating, credit card frauds, money laundering, etc.
Forgery:Counterfeit currency notes, postage and revenue stamps, mark sheets etc., can be forged using sophisticated computers, printers and scanners.
Internet Time Theft:This connotes the usage by unauthorized persons of the Internet hours paid for by another person.
Logic bombs: These are event-dependent programs, i.e. programs created to do something only when a certain event occurs. For example, some viruses may be termed logic bombs because they lie dormant all through the year and become active only on a particular date.
Online gambling: There are millions of websites, all hosted on servers abroad, that offer online gambling. In fact, it is believed that many of these websites are actually fronts for money laundering.
Phishing: The term is derived from the word “fishing”, and it means luring or enticing an unwary customer of a banking or financial institution into passing on sensitive information pertaining to their account. Scamsters then use this information to siphon off funds or undertake transactions that are billed to the original customer.
Physically damaging a computer system: This crime is committed by physically damaging a computer or its peripherals.
Salami attacks: These attacks are used for the commission of financial crimes. The key is to make each alteration so insignificant that in a single case it would go completely unnoticed, e.g. a bank employee inserts a program into the bank’s servers that deducts a small amount from the account of every customer.
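As an added illustration of the control an IS auditor might apply to the salami pattern just described (this code is not part of the original article), the following Python check looks for the same tiny debit hitting many accounts within one posting batch, and for rounding adjustments that do not net to zero across a batch. The ledger rows, batch ids, narrations and thresholds are constructed sample values.

```python
"""Audit control test for salami-style skimming over a constructed ledger."""
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger: (batch_id, account, narration, amount); debits are negative.
LEDGER = [
    ("B1", "ACC-001", "interest credit", Decimal("12.37")),
    ("B1", "ACC-002", "interest credit", Decimal("8.91")),
    ("B1", "ACC-001", "rounding adj", Decimal("-0.01")),
    ("B1", "ACC-002", "rounding adj", Decimal("0.01")),
]
# Batch B2 reproduces the pattern from the text: 60 accounts each lose a few paise,
# and every rounding adjustment is in the bank's favour (constructed, not real data).
LEDGER += [("B2", f"ACC-{i:03d}", "service fee", Decimal("-0.02")) for i in range(1, 61)]
LEDGER += [("B2", f"ACC-{i:03d}", "rounding adj", Decimal("-0.01")) for i in range(1, 61)]


def tiny_uniform_debits(ledger, max_amount=Decimal("0.05"), min_accounts=50):
    """Return (batch, narration, amount, n_accounts) for every identical tiny debit
    that hit at least min_accounts distinct accounts in the same posting batch."""
    accounts = defaultdict(set)
    for batch, account, narration, amount in ledger:
        if amount < 0 and -amount <= max_amount:
            accounts[(batch, narration, amount)].add(account)
    return sorted((b, n, a, len(s)) for (b, n, a), s in accounts.items()
                  if len(s) >= min_accounts)


def rounding_residue(ledger, narration="rounding adj"):
    """Net rounding adjustment per batch. Honest round-half-even processing nets
    close to zero; a skim that always rounds the same way drifts steadily."""
    totals = defaultdict(Decimal)
    for batch, _, narr, amount in ledger:
        if narr == narration:
            totals[batch] += amount
    return dict(totals)


def flagged_batches(ledger, residue_tolerance=Decimal("0.05")):
    """Batch ids that fail either control and need manual follow-up by the auditor."""
    flagged = {b for b, _, _, _ in tiny_uniform_debits(ledger)}
    flagged |= {b for b, r in rounding_residue(ledger).items() if abs(r) > residue_tolerance}
    return sorted(flagged)


if __name__ == "__main__":
    for finding in tiny_uniform_debits(LEDGER):
        print("uniform tiny debit:", finding)
    print("rounding residue per batch:", rounding_residue(LEDGER))
    print("batches for follow-up:", flagged_batches(LEDGER))
```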
Sale of illegal articles: This would include the sale of narcotics, weapons, wildlife, etc., by posting information on websites or bulletin boards, or simply by using e-mail communications.
Theft of information contained in electronic form: This includes information stored on computer hard disks, removable storage media, etc.
Trojan horse: A Trojan, as this program is aptly called, is an unauthorized program which functions from inside what seems to be an authorized program, thereby concealing what it is actually doing.
Unauthorized access to a computer system or network: This activity is commonly referred to as hacking. Indian law has, however, given a different connotation to the term hacking.
Virus/worm: Viruses are programs that attach themselves to a computer or a file and then propagate themselves to other files and to other computers on a network. They usually affect the data on a computer, either by altering or deleting it. Worms, unlike viruses, do not need a host to attach themselves to.
Role of Finance Professionals in combating cyber crimes and in the cyber environment
1. Technological measures – Public key cryptography, Digital signatures, Firewalls
2. Cyber investigation – Computer forensics is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in courts of law.
3. Information systems audit
4. Cyber Law Compliance officer
5. Initiate training of employees on Cyber Law Compliance
6. Use authentication procedures suggested in law
7. Maintain data retention, and identify and initiate the safeguard requirements under the Information Technology Act
8. Initiate global standards of data privacy on collection, retention, access, deletion etc.
Compiled by Vimal Garg [B. Com (H), AT (ICAI), LLB]. He has an interest in systems audit and in the development and implementation of IT controls. For any queries and suggestions, readers may reach him at [email protected]