
Chapter 2

Controls, Concepts, Objectives, types, Risks, exposures risk based audits etc.

In organizations where computer based information systems play a significant role in
achieving business goals and critical success factors, the effectiveness of general
management and controls exercised over these information systems is critical to the success
of the organization. The prerequisites for effective management are appropriate plans,
staffing structures, policies, standards, procedures, methods and controls within the IS
environment. Without those, the risks of failure are greatly increased. In this framework, we
assist companies in performing Information Systems and Controls Audit.
Application Controls Review - identification of the inherent risks of technology deployed in
client's business processes and minimization of the company's exposure to such risks, by
ensuring that the necessary controls and security are in place.
General Computer Controls - a review to assess the policies, standards, procedures, and
general computer controls aimed at providing a secure and stable environment for the
application systems running on various platforms within the company. General computer
controls are defined as any IS control that falls into one of the following four categories but
that is not specific to any particular application system:
The implementation and monitoring of information security
Controls over computer operations
Controls over the acquisition, development and maintenance of systems
Controls over information systems support.
Strong general computer controls constitute a prerequisite for the establishment of a
reliable IS environment that effectively supports the business objectives of the company.

Different types of audit :


The Auditor General is responsible for carrying out financial (excluding external attest audit),
operational, compliance, performance (value for money), forensic and other special
reviews of all programs, activities and functions of all City divisions and local boards
(restricted definition), and the offices of the Mayor and members of Council.
Financial Audits (excluding attest)
Financial related audits include determining whether (a) financial information is presented in
accordance with established or stated criteria, (b) the entity has adhered to specific financial
compliance requirements, or (c) the entity's internal control structure over financial
reporting and/or safeguarding assets is suitably designed and implemented to achieve
control objectives.
Performance (Value for money) audits include economy and efficiency and
program audits
Economy and efficiency audits include determining (a) whether the city division is acquiring,
protecting, and using its resources (such as personnel, property, and space) economically
and efficiently, (b) the causes of inefficiencies or uneconomical practices, and (c) whether
the entity has complied with laws and regulations concerning matters of economy and
efficiency.
Operational, Compliance, Performance audits
These audits include (a) determining the extent to which the desired results or benefits
established by the legislature or other authorizing body are being achieved, (b) the
effectiveness of organizations, programs, activities, or functions, and (c) whether the city
division has complied with laws and regulations applicable to the program.
Fraud and Waste Hotline
Undertakes forensic investigations including suspected fraudulent activities and manages
fraud hotline which refers issues to divisional management and the Internal Audit Division
as appropriate.
Follow up audits
On an annual basis, the Auditor General notifies the City Manager or appropriate
management representative (for ABCs) in writing of his outstanding recommendations.
Management staff will report back to the Auditor General on recommendations that have
been implemented. The Auditor General then satisfies himself that the recommendations
have in fact been implemented.
An audit is an accounting procedure under which the financial records of a company or
individual are closely inspected to make sure that they are accurate. An audit keeps a
company honest and also reassures employees and investors as to the financial status of
the organization. There are two primary types of audit: internal audits and independent
audits.
Regardless of the type of audit, it should be assumed that an audit will be performed
without bias. In the case of an internal audit, this can be difficult, because an internal audit
is carried out by the accounting staff of the company concerned. Generally, an internal audit
can only successfully be carried out by a large accounting department, because auditors
cannot audit records to which they contributed. Internal audits are usually carried out on a
regular basis by large companies to ensure that their finances are in order, and if the
company is publicly traded, audit reports are available for inspection by stockholders.
An independent or external audit is carried out by a neutral third party, such as a
professional accounting firm which specializes in audits. In both cases, all of the financial
records of a company including ledgers, bank statements, payroll, tax information, internal
financial reports, official published reports, accounts payable, and accounts receivable, will
be examined. During the audit, these records are closely inspected for any discrepancies,
and if an inaccuracy is uncovered, it must be addressed and repaired.
Commonly, an audit will reveal a simple accounting mistake. In other cases, more sinister
issues may come to light during an audit. Companies which are struggling financially may
choose to make unsound financial decisions in an attempt to salvage the company, and
these decisions will be revealed by a close audit. Sometimes an audit will reveal that a
company is on the brink of bankruptcy due to gross misuse of funds by high ranking
personnel, as was the case with many American corporations in the early twenty first
century such as Enron and WorldCom.
When an inaccuracy is revealed by an independent audit, it is addressed by the auditors in
the final report made to the company. In some cases, an audit will be ordered by an
external organization, such as the Securities and Exchange Commission, which will also
receive a copy of the report. The issue must be repaired by the company. Common
examples of repairable audit errors are failure to pay payroll taxes to the Internal Revenue
Service, or misuse of pension plans. If the errors cannot be fixed because the company does
not have the funds to address them, the company may face bankruptcy proceedings, and
major creditors will be reimbursed after the company's assets are liquidated by an
independent firm.

Objectives of IS Audit
The main objectives of auditing information systems are discussed below:

The internal controls must be adequate and effective in nature.

Resources should be allocated efficiently and with complete effectiveness.

The audit should provide assurance that computer related assets are completely
protected.

It should ensure that information is accurate and reliable and is available on
request.

IS audit should provide reasonable assurance that all errors, omissions and
irregularities are prevented, detected, corrected and reported.

IS auditing reviews the system to check compliance with policies, procedures and
standards.

It ensures that legal requirements are complied with, audit trails are incorporated,
documentation is completed and system data integrity and security are maintained.

One of the main objectives of Information System Auditing is to identify the potential
for computer related frauds, embezzlements, misappropriations and thefts.

It also sees that the management takes corrective and preventive actions when
required.

The objectives of IS audit are to identify the risks that an organisation is exposed
to in the computerized environment. IS audit evaluates the adequacy of the security
controls and informs the Management with suitable conclusions and recommendations. IS
audit is an independent subset of the normal audit exercise in an organisation. The overall
objectives of the normal audit exercise do not change, when applied to the computerized
environment. The major objectives of IS audit include, among others, the following:
a) Safeguarding of Information System Assets/Resources
b) Maintenance of Data Integrity
c) Maintenance of System Effectiveness
d) Ensuring System Efficiency
a) Safeguarding of Information System Assets/Resources :
The Information System Assets of the organisation must be protected by a system of
internal controls. It includes protection of hardware, software, facilities, people
(knowledge), data files, system documentation and supplies. This is because hardware can
be damaged maliciously, software and data files can be stolen, deleted or altered and
supplies of negotiable forms can be used for unauthorized purposes. Safeguarding of the
Information System Assets is a very important function of each organisation.
The term IT infrastructure is a generic one used to describe the physical computer
installations, the system software and the Information Systems process that support them.
The IS auditor will need to review the physical security over the facilities, the security
over the systems software and the adequacy of the internal controls. The IT facilities must
be protected against all hazards. The hazards can be accidental hazards or intentional
hazards.
Accidental hazards include fire, flood, power failure etc. Fire starts accidentally or is the
result of a deliberate attack. All the computer installations should take adequate precautions
to ensure that fire can be prevented, detected and extinguished. Flooding can cause
extensive damage to the computer systems. The power supply for the computer installation
is a vital service need and the uninterrupted availability thereof has to be ensured to
facilitate continuity in processing.
b) Maintenance of Data Integrity :
Data Integrity includes the safeguarding of the information against unauthorised addition,
deletion, modification or alteration. This includes items such as accounting records,
backup, documentation etc. Information Systems are used to capture, store, process,
retrieve and transmit the data in a secure and efficient manner. The emphasis is on the
accuracy of the data and its transmission in a secured manner. Data Integrity also implies
that during the various phases of electronic processing, various features of the data viz.
Accuracy, Confidentiality, Completeness, Up-to-date status, Reliability, Availability,
Timeliness and Effectiveness are not compromised. In other words, data should remain
accurate during electronic processing. The desired features of the data are described
hereunder:
a) Accuracy : Data should be accurate. Inaccurate data may lead to wrong decisions and
thereby, hindering the business development process.
b) Confidentiality: Information should not lose its confidentiality. It should be protected
from being read or copied by anyone who is not authorized to do so. It also includes
protecting the individual pieces of information that may seem harmless by the owner, but
can be used to infer other confidential information.
c) Completeness: Data should be complete. Incomplete data loses its significance and
importance.
d) Up-to-date Status : Data should be updated regularly. If the information is not up-to-date,
it presents a false picture of the organization.
e) Reliability: Data should be reliable because all business decisions are taken on the basis
of the current database.
f) Availability: Data should be available when an authorized user needs it. It should be
ensured that the information services are unavailable to the unauthorised users.
g) Timeliness: Timeliness of the data is very important because if data is not available
when required, the very purpose of maintaining the database gets defeated.
h) Effectiveness: Information should be effective, so that it helps in the process of business
development and expansion.
If data integrity is not maintained, an organization loses its true representation. Poor data
integrity could lead to loss of competitive advantage. Corruption of data would affect many
users in a networked environment. If the data is valuable to a competitor, its loss may
undermine an organization's competitive position.
c) Maintenance of System Effectiveness :
An effective Information System significantly contributes to the achievement of the goals
of an organization. Therefore, one of the objectives of IS audit is to verify system
effectiveness. It provides input to decide when, what and how the system should be
improved, so that its utility to the management is maximum.
The main objective of introducing computerization in the organisations in the banking and
financial sector is to achieve the goals effectively and efficiently. The IS auditor's
responsibility is to examine how the Information Systems assist in the achievement of each
organisation's goals. System Effectiveness is a ratio of the actual output to the standard
(budgeted) output. If it is more than 100%, effectiveness is achieved; or else, it shall be
deemed that ineffectiveness has been introduced in the business process. Major goals and
criteria of computerization are:
a) Improved Task Accomplishments: The Information Systems should improve the task
accomplishment capacity of its users by enabling them to become more productive.
b) Improved Quality: It should improve overall quality of work and services by increased
accuracy of information. It should also reduce the time required for retrieval of
information.
c) Operational Effectiveness: The Information System should be operationally effective
and easy to use. It should be frequently used and users must be satisfied with its
performance.
d) Technical Effectiveness: The Information System should be equipped and upgraded by
appropriate hardware and software from time to time.
e) Economic Effectiveness: The Information System should be fully utilized. Benefits
derived should exceed the cost of procurement, implementation, operation and
maintenance.
d) Ensuring System Efficiency :
The resources used by the Information Systems such as the machines, computer
peripherals, software etc. are scarce and costly. Efficient Information Systems use
minimum resources to achieve the desired objectives. When a computer no longer has excess
capacity, system efficiency becomes important. It becomes necessary to know whether the
available capacity has been exhausted or the existing allocation of the computer resources
is causing the bottlenecks.
The ratio of the output to the input is known as efficiency. If output is more with the same
or less actual input, system efficiency is achieved; or else, the system is inefficient. If
computerization results in the degradation of efficiency, the effort for making the process
automated stands defeated. Hence, the assessment of the capabilities of the hardware and
software against the workload of the environment is very essential. The IS auditors are
responsible to examine how efficient the application software is in relation to the users and
the workload of the environment. The system should assist in management planning and
efficient execution thereof. The organisation should get maximum output using minimum
resources. In this context, the efficient use of the hardware resources and their
upgradation, as per requirements, is very essential. Automation should deliver the planned results with
less consumption of computer hardware, software, computerized operations and computer
personnel.
e) Other Objectives :
The following could be, among others, considered the other objectives of IS audit :
a) Identify the risks that the organisation is exposed to in the existing computerized
environment and to prioritize such risks for remedial action.
b) The implementation of Information Technology in the organisation is as per the
parameters laid down in the Security Policy, as approved by the Board of Directors of the
organisation.
c) Verify whether the Information System procedures and policies have been devised for
the entire organisation and that the organisation's systems, procedures and practices are
adhered to and that due prudence is exercised at all times in accordance with the circulars
and instructions for a computerized environment, issued by the management of the
organisation.
d) Verify whether proper security policies/procedures have been formulated and
implemented regarding the duties of the system administrators, system maintainers and
persons operating the system for daily operations.
e) Contribute effectively towards the minimization of computer abuses/ crimes by
suggesting steps for removing any laxity observed in the physical and logical controls.
f) Suggest improvements in the security controls for the Information Systems.
g) Act as an advisor to the management of the organisation for improving security and IT
implementation standards.
h) Adhere to the established norms of ethics and professional standards to ensure quality
and consistency of audit work.

Audit Risks:

Because of the test nature of auditing, auditors might fail to detect real or potential material
losses or account misstatements.
The risk of an auditor failing to detect actual or potential material losses or account
misstatements at the conclusion of the audit is called audit risk.
Audit Risk Model:
DAR = IR x CR x DR
DAR = Desired Audit Risk
IR = Inherent Risk
CR = Control Risk
DR = Detection Risk
Desired Audit Risk drives the effort and sets the focus in the evidence collection and
evaluation process.
Audit efforts should be focused where they will have the highest payoffs.

DEFINITION AND MEANING OF RISK-BASED AUDITING


Risk based auditing in its simplest form is a relatively new way of independently and
objectively obtaining evidence regarding assertions about a process for the purpose of
forming an opinion about the process and subsequently reporting on the degree to which
the assertions are implemented. Auditors literally start the audit process by equipping
themselves with knowledge of the nature of the business of the entity and its business
environment. Auditors arm themselves with sufficient information about a business and its
environment so as to assess risk before making a decision of either performing a
compliance test or a substantive test.
COMPLIANCE TESTING Vs. SUBSTANTIVE TESTING

Compliance test: this is simply an act of gathering evidence for the purpose of testing an
organization's compliance with control procedures and processes in relation to external
rules, legal requirements, and regulations. Compliance gives the auditor an insight into the
level of compliance with policies and procedures by the management. The aim of a
compliance test is to give the auditor reasonable assurance that the internal control
structure which the auditor plans to rely on is in fact operating as the auditor had already
perceived it to be from the preliminary stage of the audit process.
Substantive test: this is the process of gathering evidence in order to evaluate the
integrity of individual transactions, processes, data, and other information. This is to say
that a substantive test lives up to its name by substantiating the integrity of actual
processing. For example, auditors, through substantive tests, gather evidence regarding the
validity and integrity of the balances found in the financial statements of a company and
the balances that support them.
Auditors perform substantive tests when control testing (compliance testing) indicates that there
is no control or the presence of weak controls. Make sure you take home the difference
between compliance and substantive testing.
The sole aim of this comprehensive process is to ensure that company objectives are met.
Risk-based approach is used to develop and continually improve the continuous audit
process. It is worth stressing that risk based approach to auditing helps auditors determine
the nature and extent of auditing that needs to be done in an efficient manner. In business
valuation, this process is similar to the fundamental analysis process that an equity
analyst performs in order to help him or her come up with an intrinsic value of a company.
The next section of this article will take you through the process of effectively and efficiently
performing a risk-based audit.
Risk: A risk is the likelihood that an organisation would face a vulnerability being exploited or
a threat becoming harmful. Information systems can generate many direct and indirect risks.
These risks lead to a gap between the need to protect systems and the degree of protection
applied. The gap is caused by:
(a) Widespread use of technology.
(b) Interconnectivity of systems.
(c) Elimination of distance, time and space as constraints.
(d) Unevenness of technological changes.
(e) Devolution of management and control.
(f) Attractiveness of conducting unconventional electronic attacks against organisations.
(g) External factors such as legislative, legal and regulatory requirements or technological
developments.

RISK-BASED AUDIT APPROACH OR PROCESS


Risk based auditing is generally composed of five broad stages. There is no hard and fast
rule on what constitutes each stage, but the most important facets of those stages are
covered in this section.
FIVE (5) STAGES OF RISK BASED AUDIT
1. INFORMATION GATHERING AND PLANNING STAGE
2. MASTERY OF INTERNAL CONTROL STAGE
3. COMPLIANCE TEST STAGE
4. SUBSTANTIVE TEST STAGE
5. CONCLUSION AND PRODUCTION OF REPORT STAGE
IMPORTANCE OF RISK BASED AUDIT
The fact that risk based auditing encourages auditors to have integrated knowledge of
businesses makes the whole process of auditing less daunting than it used to be. By
understanding the fundamentals of the business models of a company, auditors can easily
identify and categorise risks which will in turn help better determine the risk model or
approach that would be most suitable for the audit. Other benefits of following the risk
based approach of auditing are listed below:

Better understanding of business and its environment

Increased chance of achieving audit objective

Saves resources

Makes audit planning easier

TYPES OF AUDIT RISK


Inasmuch as audit risks shouldn't bother an auditor who approaches the audit procedure
from the risk-based perspective (auditors are not just relying on risk when following the
risk-based auditing, they also rely on internal and operational controls as well as the
knowledge of the company), this article will not be complete without drawing your attention
to the types of audit risks that an auditor might face and when such audit risks surface.
Audit risk can be categorised as:

Inherent risk

Control risk

Detection risk

Overall risk

Thus a risk-based audit approach is designed to be used throughout the audit to efficiently
and effectively focus the nature, timing and extent of audit procedures to those areas that
have the most potential for causing material misstatement(s) in the financial report.

A threat is an action, event or condition where there is a compromise in the system, its quality
and ability to inflict harm to the organisation. Threat is any circumstance or event with the
potential to cause harm to an information system in the form of destruction, disclosure,
adverse modification of data and denial of services.

Vulnerability is the weakness in the system safeguards that exposes the system to threats. It
may be weakness in an information system, cryptographic system (security systems), or other
components (e.g. system security procedures, hardware design, internal controls) that could
be exploited by a threat. Vulnerabilities potentially "allow" a threat to harm or exploit the
system. For example, a vulnerability could be a poor access control method allowing dishonest
employees (the threat) to exploit the system to adjust their own records. Here are two more
vulnerability examples:
. Leaving your front door unlocked makes your house vulnerable to unwanted visitors.
. Short passwords (less than 6 characters) make your automated information system
vulnerable to password cracking or guessing routines.
Missing safeguards often determine the level of vulnerability. Determining vulnerabilities
involves a security evaluation of the system including inspection of safeguards, testing, and
penetration analysis.
An exposure is the extent of loss the organisation has to face when a risk materialises. It is
not just the immediate impact, but the real harm that occurs in the long run. For example, loss
of business, failure to perform the system's mission, loss of reputation, violation of privacy,
loss of resources.
Likelihood of the threat occurring is the estimation of the probability that the threat will
succeed in achieving an undesirable event. The presence, tenacity and strengths of threats,
as well as the effectiveness of safeguards must be considered while assessing the likelihood
of the threat occurring.
Attack is a set of actions designed to compromise confidentiality, integrity, availability or any
other desired feature of an information system. Simply, it is the act of trying to defeat IS
safeguards. The type of attack and its degree of success will determine the consequence of
the attack.
Risk Assessment Methodologies and Applications
Any risk still remaining after the counter measures are analysed and implemented is called
Residual Risk. An organisation's management of risk should consider these two areas:
acceptance of residual risk and selection of safeguards. Even when safeguards are applied,
there is probably going to be some residual risk. The risk can be minimised, but it can seldom
be eliminated. Residual risk must be kept at a minimal, acceptable level. As long as it is kept
at an acceptable level (i.e. the likelihood of the event occurring or the severity of the
consequence is sufficiently reduced), the risk has been managed.

THREATS TO THE COMPUTERISED ENVIRONMENT


Any computerised environment is dependent on people. They are critical links in making the
entire enterprise computing happen. As such, threats emanate from people themselves. People with
special skill sets, such as the IT operational team, programmers, data administrators, etc., are key
links in ensuring that the IT infrastructure delivers to the user requirements. Social engineering
risks target key persons to get sensitive information to exploit the information resources of the
enterprise. Threats also arise on account of dependence on external agencies. IT computing
services are significantly dependent on various vendors and service providers, e.g., equipment
supply and support, consumables, systems and program maintenance, air-conditioning, hot-site
providers, utilities, etc. A few common threats to the computerised environment can be:

(a) Power Loss: Power failure can cause disruption of the entire computing equipment since
computing equipment depends on power supply.
(b) Communication failure: Failure of communication lines results in inability to transfer data,
which primarily travels over communication lines. Where the organisation depends on
public communication lines, e.g. for e-banking, communication failure presents a significant
threat that will have a direct impact on operations.
(c) Disgruntled Employees: A disgruntled employee presents a threat since, with access to
sensitive information of the organisation, he may cause intentional harm to the
information processing facilities or sabotage operations.
(d) Errors: Errors which may result from technical reasons, negligence or otherwise can
cause significant integrity issues. A wrong parameter setting at the firewall to "allow"
attachments instead of "deny" may result in the entire organisation network being
compromised with virus attacks.
(e) Malicious Code: Malicious code such as viruses and worms which freely access the
unprotected networks may affect organisational and business networks that use these
unprotected networks.

(f) Abuse of access privileges by employees: The security policy of the company
authorises employees based on their job responsibilities to access and execute select
functions in critical applications.
(g) Natural disasters: Natural disasters such as earthquakes, lightning, floods, tornado,
tsunami, etc. can adversely affect the functioning of the IS operations due to damage to
IS facilities.
(h) Theft or destruction of computing resources: Since the computing equipment forms
the back-bone of information processing, any theft or destruction of the resource can
result in compromising the competitive advantage of the organisation.
(i) Downtime due to technology failure: IS facilities may become unavailable due to
technical glitches or equipment failure and hence the computing infrastructure may not
be available for short or extended periods of time. However the period for which the
facilities are not available may vary in criticality depending on the nature of business and
the critical business process that the technology supports.
(j) Fire, etc.: Fire due to electric short circuit or due to riots, war or such other reasons can
cause irreversible damage to the IS infrastructure.
THREATS DUE TO CYBER CRIMES
1. Embezzlement: It is unlawful misappropriation of money or other things of value, by the
person to whom it was entrusted (typically an employee), for his/her own use or purpose.
2. Fraud: It occurs on account of intentional misrepresentation of information or identity to
deceive others, the unlawful use of credit/debit card or ATM, or the use of electronic
means to transmit deceptive information, to obtain money or other things of value. Fraud
may be committed by someone inside or outside the company.
3. Theft of proprietary information: It is the illegal obtaining of designs, plans, blueprints,
codes, computer programs, formulas, recipes, trade secrets, graphics, copyrighted
material, data, forms, files, lists, and personal or financial information, usually by
electronic copying.
4. Denial of service: There can be disruption or degradation of service that is dependent on
external infrastructure. Problems may erupt through internet connection or e-mail service
that results in an interruption of the normal flow of information. Denial of service is
usually caused by events such as ping attacks, port scanning probes, and excessive
amounts of incoming data.
5. Vandalism or sabotage: It is the deliberate or malicious damage, defacement,
destruction or other alteration of electronic files, data, web pages, and programs.
6. Computer virus: Viruses are hidden fragments of computer code which propagate by
inserting themselves into or modifying other programs.
7. Other: Threat includes several other cases such as intrusions, breaches and
compromises of the respondent's computer networks (such as hacking or sniffing)
regardless of whether damage or loss was sustained as a result.

Risk Assessment Methodologies and Applications


RISK ASSESSMENT
A risk assessment can provide an effective approach that will serve as the foundation for
avoiding disasters. Through risk analysis, it is possible to identify, assess, and then mitigate
the risk. Such an analysis entails the development of a clear summary of the current situation
and a systematic plan for risk identification, characterisation, and mitigation.
1. Risk assessment is a critical step in disaster and business continuity planning. Risk
assessment is necessary for developing a well tested contingency plan. Risk assessment is
the analysis of threats to resources (assets) and the determination of the amount of protection
necessary to adequately safeguard the resources, so that vital systems, operations, and
services can be resumed to normal status in the minimum time in case of a disaster. Disasters
may lead to vulnerable data and crucial information suddenly becoming unavailable. The
unavailability of data may be due to the non-existence or inadequate testing of the existing
plan. Risk assessment is a useful technique to assess the risks involved in the event of
unavailability of information, to prioritise applications, identify exposures and develop recovery
scenarios. The areas to be focussed upon are:

(a) Prioritisation: All applications are inventoried and critical ones identified. Each of the
critical applications is reviewed to assess its impact on the organisation, in case a disaster
occurs. Subsequently, appropriate recovery plans are developed.
(b) Identifying critical applications: Amongst the applications currently being processed the
critical applications are identified. Further analysis is done to determine specific jobs in the
applications which may be more critical. Even though the critical value would be determined
based on its present value, future changes should not be ignored.
(c) Assessing their impact on the organisation: Business continuity planning should not
concentrate only on business disruption but should also take into account other organisational
functions which may be affected. The areas to be considered include:
. Legal liabilities.
. Interruptions of customer services.
. Possible losses.
. Likelihood of fraud and recovery procedures.
(d) Determining recovery time-frame: Critical recovery time period is the period of time in
which business processing must be resumed before the organisation incurs severe losses.
This critical time depends upon the nature of operations. It is essential to involve the end
users in the identification of critical functions and critical recovery time period.
(e) Assess Insurance coverage: The information system insurance policy should be a multi-peril
policy, designed to provide various types of coverage. Depending on the individual
organisation and the extent of coverage required, suitable modifications may be made to the
comprehensive list provided below:
