Document information: 228 pages, 3.28 MB
Global Chartered Accountants - GCA
www.gcaofficial.org
30 January 2014

ITMAC Exam Kit

This kit is designed for ITMAC Module E students. It contains the following:
1. ICAP Syllabus Grid
2. Complete Revision Notes from PBP
3. Past Papers Analysis
4. Topic wise past papers
5. All past papers and answers combined

You don't need to spend hours on making past papers analysis and important topics. It's all provided in one single file. Share this file with your friends as well. If you have any type of study/exam material related to CA/ACCA/ICAEW etc., please send it to us at gcaofficial@gmail.com. For study/exam material of other papers/qualifications, visit our website.

Regards,
GCA Team

Final Examination
Information Technology Management, Audit and Control
Module E
The Institute of Chartered Accountants of Pakistan

PAPER E3: Information Technology Management, Audit and Control (100 marks)

Introduction
This syllabus aims to provide:
a. Essential body of IT knowledge related to business information systems
b. IT security, control and governance knowledge related to business information systems
c. Application of knowledge to manage the above and evaluate IT

The case studies in ICAP study material for this syllabus are designed to assist the students in enhancing their knowledge and skills in: managerial role; evaluator role; enterprise resource planning; and electronic commerce. Case studies / scenario based questions will be set in the examination.

Contents: IT Strategy and Management
(Broad knowledge / skill area, main topic coverage and illustrative sub-topics)

IT strategy
Strategic considerations in IT development
◗ Planning of information systems based on business success factors/criteria
◗ Position of the entity within its industry/sector
◗ Alignment/integration with business objectives/success factors
◗ Risks: economic, technical, operational, behavioral
◗ Components of long range plans
◗ Operational dynamics that influence the entity's business/programs
E-Business models
◗ Business to Consumer (B2C)
◗ Business to Business (B2B)
◗ Business to Employee (B2E)
◗ Consumer to Consumer (C2C)
◗ Government to Citizen (G2C)

Management of IT
Management of computer operations
◗ Developing operational priorities
◗ Compatibility of computers
◗ Planning IT capacity
◗ Impact of IT on procedures
◗ Data/information architecture
◗ IT infrastructures (hardware, facilities, networks)
◗ Software (systems, applications, utilities)
◗ Performance measurement (productivity, service quality)
Management of interorganizational computing
◗ Collaborative computing
◗ Distributed system
◗ EDI and electronic commerce
◗ Outsourced services (ISPs, ASPs, etc.)
◗ Technology diffusion
Management of end-user computing
◗ Information center, help desk
◗ End-user system security
◗ Support for end-user applications
Financial analysis and control
◗ Capital budget
◗ Time/expense tracking
◗ Cost charge out / monitoring
◗ Accounting for system costs
IT control objectives
◗ Effectiveness, efficiency, economy of operations
◗ Reliability of financial reporting
◗ Effectiveness of controls (design, operation)
◗ IT asset safeguarding
◗ Compliance with applicable laws and regulations
◗ System reliability:
  ❒ Availability and continuity (back-up, recovery)
  ❒ Access controls (physical, logical)
  ❒ Processing integrity (completeness, accuracy, timeliness, authorization)
  ❒ Data integrity

Software
E-business enabling software
◗ Supply chain management (SCM)
◗ Enterprise resource planning (ERP)
◗ Sales force automation (SFA)
◗ Customer relationship management (CRM)
◗ Electronic commerce systems:
  ❒ Brochure, catalog, order entry, payment processing, fulfillment
◗ Knowledge management systems:
  ❒ Knowledge creation, capture, sharing, maintenance
IFAC Guidelines / discussion papers
◗ Managing Information Technology Planning for Business Impact
◗ Acquisition of Information Technology
◗ The Implementation of Information Technology Solutions
◗ IT Service Delivery and Support
◗ Executive Checklist

Information Technology Security, Control and Management

Control frameworks
Risks and exposures in computer-based information systems
◗ Error, fraud, vandalism/abuse, business interruption, competitive disadvantage, excessive cost, deficient revenues, statutory sanctions, social costs, etc.
◗ Effect of IT audit on organization, controls
  ❒ Economic, technical, operational, behavioral considerations
  ❒ Cost/benefit
IT control frameworks
◗ COBIT, ITCG, SysTrust, WebTrust, etc.
◗ Cost effectiveness of control procedures
Control objectives
◗ Effectiveness, efficiency, economy of operations
◗ Reliability of financial reporting
◗ Effectiveness of control (design, operation)
◗ IT asset safeguarding
◗ Compliance with applicable laws and regulations
◗ System reliability
◗ Data integrity
Illustrative sub-topics for the control objectives:
◗ Relevance, reliability, comparability / consistency
◗ At a point in time; during a period of time
◗ Evaluation of facilities management and IT asset safeguarding
◗ Prevention/detection of fraud, error and illegal acts
◗ Privacy, confidentiality, copyright issues
◗ Availability and continuity (back-up, recovery)
◗ Access control (physical, logical)
◗ Processing integrity (completeness, accuracy, timeliness, authorization)
◗ Completeness, accuracy, currency / timeliness, consistency/comparability, authorization, auditability
◗ Input/output; reception/distribution controls
Layer of control
◗ Societal: attitudes, laws and regulations
◗ Organizational environment: board level, management level, IT administrative / operational level
◗ Technology infrastructure: hardware, facilities, network
◗ Software: system, application
◗ Business process: user departments, individual user
Responsibility for control
◗ Role and responsibilities of key parties: board, top management; IT management and IT personnel; user departments, individuals; auditors

Control environment
◗ External regulatory controls: record keeping, privacy, copyright, taxation, etc.
◗ Board/audit committee governance: regulatory compliance, fiduciary obligations, IT governance, system reliability
◗ Management philosophy and operating style: integrity and ethical values, commitment to competence
◗ Plans/structure of organization: leadership for IT organization, organization of IT function, segregation of incompatible IT and user functions, partnership with other organizations
◗ Method to communicate the assignment of authority and responsibility: business practices, codes of conduct, documentation of systems, operations, user responsibilities, reporting relationships
◗ Management control methods: strategic planning, business system/IT integration planning, budgeting, performance measurement, monitoring, compliance with policies
◗ Human resource policies and practices: hiring, training, evaluation, compensation of IT personnel, career paths
◗ Financial policies and practices: budgeting process; cost charge out methods

Risk Assessment
◗ Risk categories: economic, technical, operational, behavioral; main reasons for failure of computer projects; error, fraud, vandalism/abuse, business interruption, competitive disadvantage, excessive cost, deficient revenues, statutory sanctions, social costs, etc.
◗ Probability of loss: quantitative / qualitative
◗ Consequences: monetary, non-monetary; balancing costs of controls vs costs of unmitigated risks

Control activities
Control design
◗ Objectives, framework, environment, activities, monitoring
◗ Legal, ethical, professional standards/requirements
◗ Preventive/detective/corrective strategies
◗ Effective control environment (personnel management methods)
◗ Preventative application controls
◗ Detective application controls
◗ Contingency plans, insurance
Control procedures
◗ Authorization
◗ Separation of incompatible functions (organizational design, user identification, data classification, user/function/data authorization matrix, user authentication)
◗ Adequate documents and records
◗ Asset safeguards; limitation of access to assets
◗ Independent check on performance; verification of accounting records, comparison of accounting records with assets
◗ Computer-dependent controls (edit, validation, etc.)
◗ User controls (control balancing, manual follow-up, etc.)
◗ Audit trails
◗ Error identification / investigation / correction / tracking
Control over data integrity, privacy and security
◗ Understanding of data protection legislation
◗ Consideration of personnel issues and confidentiality
◗ Classification of information
◗ Access management controls
◗ Physical design and access control
◗ Logical access control (user authorization matrix)
◗ Network security (encryption, firewalls)
◗ Program security techniques
◗ Monitoring and surveillance techniques
Availability / continuity of processing, disaster recovery planning and control
◗ Threat and risk management; software and data backup techniques (problems of on-line systems, etc.)
◗ Alternate processing facility arrangements
◗ Disaster recovery procedural plan, documentation
◗ Integration with business continuity plans
◗ Periodic tests of recovery procedures
◗ Insurance
IS processing / operations
◗ Planning and scheduling; service levels; risks
◗ Standards:
  ❒ Infrastructure (hardware, facilities, networks)
  ❒ Software
  ❒ Human resources (skill sets and staffing level)
◗ Business processes
◗ Performance monitoring
◗ Costs / benefits (quantitative and qualitative impact on management, jobs and office procedures)
◗ Business drivers that impact IT (e.g., scalability, rightsizing, flexibility of change in technology or business, speed to market, cross-platform capability)
◗ Control over productivity and service quality
◗ Software / data library management
◗ Input/output distribution and control
◗ Security and backup, and recovery
Monitoring of control compliance
◗ Internal monitoring processes
◗ Performance review processes
◗ External monitoring processes
◗ Processes for addressing non-compliance
◗ Roles of management, users, auditors (internal, external)
Computer assisted audit techniques
◗ Familiarisation with:
  ❒ System analysis and documentation (e.g., flowcharting package, review of program logic, etc.)
  ❒ System / program testing (e.g., test data, integrated test facility, parallel simulation, etc.)
  ❒ Data integrity testing (e.g., generalized audit software, utilities, custom programs, sampling routines, etc.)
  ❒ Problem solving aids (e.g., spreadsheet, database, online databases, etc.)
  ❒ Administrative aids (e.g., word processing, audit program generation, work paper generators, etc.)

Recommended Reading
PAPER E 13: Information Technology Management, Audit and Control

Book Name & Author / About the Book
◗ Information Systems Control and Audit by Ron Weber: The book is useful for gaining an understanding of the information systems audit function. Management and application control frameworks have been explained in an effective manner. Ways to collect and evaluate audit evidence are also explained in the book in detail.
◗ Strategic Management & Information Systems by Wendy Robson: The book is useful for the topic of strategic management of information systems.
◗ Auditing in a Computerized Environment by Mohan Bhatia: The book explains the fundamentals of information systems audit, business continuity management and the application of CAATs in an effective manner.

Supplementary Study Material
◗ Information Technology Management, Audit and Control Study Text and Revision Series by A T Foulks Lynch Pakistan
◗ Information Technology Management, Audit and Control Study Text and Revision Series by Professional Business Publications (PBP)
◗ Information Technology Management Audit & Control by Mohammad Amjad Bhatti and Muhammad Qaiser Sheikh
◗ International Information Technology Guidelines developed by IFAC's IT Committee, available at IFAC's website
◗ Useful information is also available at the website: www.isaca.org

Past Papers Analysis from Summer 2007 to Winter 2012
(ATFL chapter number, where given, precedes the topic)
IFAC guidelines
1+3 IT Strategy + Organization Strategy
IT personnel
Outsourcing; Helpdesk; etc.
12 Protection of IS assets
Logical Controls
Telecomm & networks
IS audit & controls
Internal External Audits
Corporate & IT Governance
13 DRP
Ebusiness
11 Auditing infrastructure
Hardware management
Software management
Operations
Application controls
Databases
10 IS development
Enterprise Resource
14 COBIT - IT governance
Supply chain
Customer Relationship
Sales Force Auto
Total
Columns: W12, W11, W10, W09, W08, W07, S12, S11, S10, S09, S08, S07, Total, % [per-topic marks figures not recoverable from the extracted text]

INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL
Suggested Answers
Final Examination - Winter 2012

A.3
Phase 1: Initiating the BCP Project
• Obtain and confirm support from senior management
• Identify key business and technical stakeholders
• Form a business continuity working group
• Define objectives and constraints
• Establish strategic milestones and draw up a road map
• Begin a draft version of business continuity policy
Phase 2: Assessing Business Risk
• Conduct risk analysis workshops
• Assess the likelihood and impact of threat occurrence
• Categorize and prioritize threats according to risk level
• Discuss outputs of risk analysis with management
• Ascertain level of risk acceptable to the organization
• Document outputs in business continuity policy
Phase 3: Preparing for Possible Emergency
• Identify critical and noncritical business services
• Establish preferred business continuity service levels and profiles for continuity and recovery
• List the potential emergencies, including events that occur within the facility and/or outside the facility
• Estimate the probability of such an emergency occurring
• Prepare a backup plan
• Identify backup facilities/site types to be arranged, i.e. hot site, cold site etc.
Phase 4: Disaster Recovery Phase
• Assess the potential human impact (possibility of death or injury)
• Assess the potential property impact (loss of property, machines, etc.)
• Assess the business impact (business interruption, critical supplies interruption, etc.)
• Identify teams and assign responsibilities during the disaster recovery phase
• Prepare a contact list of key personnel
• Assess readiness based on internal and external resources
Phase 5: Business Recovery Phase
• Identify and engage potential business continuity partners
• Draft a detailed set of continuity plans and work toward an agreed set of plans with senior management
• Produce and execute an implementation plan
Phase 6: Testing the Business Recovery Process
• Define business continuity acceptance criteria
• Formulate the business continuity test plan
• Identify major testing milestones
• Devise the testing schedule
• Execute tests via simulation and rehearsal; document test results
• Assess overall effectiveness of the business continuity plan; pinpoint areas of weakness and improvement
• Iterate tests until the plan meets acceptance criteria
• Check, complete, and distribute business continuity policy
Phase 7: Training Staff in the Business Recovery Process
• Arrange training of all employees in order to effectively manage the business recovery process
Phase 8: Keeping the Plan up to date
• Develop a review schedule for different types of review
• Arrange a business continuity review meeting or workshop
• Update the business continuity document
• Kick off another BCP cycle if necessary

A.4
(a) Rounding Down Technique
It involves drawing off small amounts of money by rounding down small fractions of a denomination and transferring these small fractions into an unauthorised account.
The risk could be mitigated by periodic generation of reports identifying the accounts where very small amounts are often being credited and by checking the trail of those amounts. Such reports must be reviewed at an appropriate level.
(b) Phishing
Phishers attempt to fraudulently acquire sensitive information, such as user name, password and credit card details, by masquerading as a trustworthy entity in an electronic communication; sometimes phone contact has been used as well, for example, by posing as a banker, regulator, friend etc.
Such risk could be mitigated by creating awareness among users about such risks and giving them useful tips, such as that no bank official is authorized to ask for a customer's PIN.
(c) Denial of Service Attack
It is an attack that disrupts, denies or slows the services to legitimate users, networks, systems or other resources. It can be done in many ways, for example, by subjecting a network to hostile pinging by different attackers over an extended time period.
Appropriate network and firewall policies can be helpful to prevent or minimise the effect of such attacks, for example, blocking the unusual traffic inflow or alerting the network administrator about any unusual network activity that is consuming more than normal network resources. Regular scanning of the network through appropriate antivirus with updated definitions may also detect such attacks. Developing clustered systems also mitigates the impact of such threats; however, active clustering is usually restricted to servers.
(d) Brute Force Attack
Such attacks are launched by an intruder, using many of the password-cracking tools which are available at little or no cost, to gain unauthorized access to an organisation's network.
The possibility of the success of such attacks can be mitigated by limiting password input attempts and/or generating an image containing some random text which the user is required to input before entering the password.

A.5
(a) The following benefits are achieved using digital signatures:
(i) Data Integrity: Any change to the digitally signed document renders the signature invalid. This ensures the integrity of the message to the recipient.
(ii) Authentication and Encryption: The recipient can ensure that the message has been sent by the claimed sender, since only the claimed sender has the secret (private) key to encrypt the message.
(iii) Non-repudiation: Since the digital signature on one document cannot be transferred to another document, the claimed sender cannot later deny generating and sending the message.
(b) The required process would involve the following steps:
(i) A hash-value of the message is calculated.
(ii) The message is then encrypted using the sender's private key and sent to the receiver.
(iii) On receipt, the receiver decrypts the message. The decryption requires authorization by way of the public key of the sender that corresponds to the private key used during the signing of the message.
(iv) The hash-value is computed again using the same algorithm as was used during the signing process. If the two hash-values are identical, the verification is successful; otherwise it means that the digital signature is invalid, i.e. the message has been altered during transmission.
Since the public key may be obtained from the issuing trusted source/certification authority, someone else who has access to the message can also decrypt the message, i.e., confidentiality of the message may be compromised. This risk can be minimised if the sender, after encrypting the message with his private key, encrypts it again with the recipient's public key. In this case the receiver would use the sender's public key and his own private key to decrypt the message. The rest of the process remains the same.

A.6
(a) Presently, STML is facing the following problems:
(i) STML is using different types of software on varied platforms (operating systems) that are not able to communicate with each other. Because of this, there is a huge inflow of data which cannot be consolidated for analysis.
(ii) Lack of direct communication among units has resulted in duplication of data entry, which is very costly.
(iii) Timely availability of necessary and relevant data required for the preparation of MIS reports, budget, profit/loss account etc. is another important concern in the present system.
(iv) The information sent by different units is not standardized and may lack uniformity and consistency.
(b) The following are the major areas which should be studied in depth in order to understand the present system:
(i) Review historical aspects: A brief history of the organization is a logical starting point for an analysis of the present system. A review of annual reports and organization charts can identify the growth of management levels as well as the development of various functional areas and departments. This would help in assessing the needs on account of which different systems were adopted at different units.
(ii) Analyze inputs: A detailed analysis of the present inputs and the source of input is important since they are basic to the processing of data.
(iii) Review data files: Investigate the data files maintained by each department, noting their number and size, where they are located, who uses them and the number of times these are used during a certain time period.
(iv) Review data communication set-up: Review and understand the present data communication methods used by the organization. Review the types of data communication equipment, including data interface, data links, modems, dial-up and leased lines and multiplexers.
(v) Analyze outputs: The outputs or reports should be scrutinized carefully to assess whether they serve the organization's actual needs.
(vi) Review internal controls: Locate the control points to visualize the essential parts and framework of STML's system.
(vii) Undertake overall analysis of present system: This includes analysis of:
• the present work volume;
• the current personnel requirements;
• the competence level of IT personnel; and
• the present benefits and costs etc.
(c) Yes, we recommend that STML should implement an ERP system to overcome the above mentioned problems. Our recommendation is based on the following reasons:
(i) It provides multi-platform, multi-facility, multi-mode manufacturing, multi-currency, multi-lingual facilities.
(ii) It facilitates a company-wide Integrated Information System covering all functional areas like manufacturing, selling and distribution, payables, receivables, inventory, accounts, human resources, purchases etc.
(iii) It supports strategic and business planning activities, operational planning and execution activities etc. All these functions are effectively integrated for flow and update of information immediately upon entry of any information.
(iv) It allows automatic introduction of the latest technologies like Electronic Fund Transfer (EFT), Internet, Intranet, Video conferencing, E-Commerce etc.
(v) It has the capability to resolve business problems like material shortages, productivity enhancements, customer service, cash management, inventory problems, quality problems, prompt delivery etc.

A.7
The following tests of controls may be performed:
(i) Verify adherence to processing control procedures by observing computer operations.
(ii) Reconcile a sample of batch totals and observe how discrepancies (if any) are removed.
(iii) Trace disposition of a sample of errors flagged by data edit routines to ensure proper handling.
(iv) Verify processing accuracy for a sample of sensitive transactions.
(v) Verify processing accuracy for selected computer generated transactions.
(vi) Search for erroneous or unauthorized code via analysis of program logic.
(vii) Monitor online processing using concurrent audit techniques.

A.8
(a) The committee formed by the CEO is not a Strategy Committee. The IT Strategy Committee is formed at board level, whereas an executive level committee is usually termed an IT Steering Committee.
An IT Strategy Committee is composed of one or more board members and ex-officio representation of key executives. The members should be selected on the basis of their knowledge and expertise in understanding the business impacts of information and related technology and their relevance to the key areas of application of IT. The board may choose to select IT experts to serve as external advisors, in case it feels a lack of expertise in some particular area. The chairman should be a board member.
(b) To assess the performance of the Committee, I would consider the following questions in my review:
(i) Is the IT function adequately supporting major activities of PC?
(ii) Was PC able to reduce the cost of core processes after the introduction of the IT Strategy (after taking the effect of inflation)?
(iii) What was the role of the strategy developed by the Committee in improving the quality of services in PC?
(iv) Did the introduction of the strategy have any impact on expansion of the company's business and profitability?
(v) Has the staff reacted positively to the changes introduced as a result of the new strategy? Have their motivation levels improved?
(vi) How often has the strategy been reviewed and updated?
(THE END)

Information Technology Management, Audit and Control
Final Examination Summer 2013
Module E
June 2013
100 marks - hours
Additional reading time - 15 minutes

Q.1 City Club (CC) is an established social and recreational centre having more than five thousand members. Besides cash/cheques, CC allows its members to pay their fee through CC's website using credit cards. CC's management wishes to evaluate the process of collection of membership fees through its website and has appointed you as Information System Auditor. During the planning process, you have obtained the following information:
(i) The member is required to input his name (as on the credit card), type of credit card (Visa/Master), credit card number, expiry date of card and billing address, on a Secured Socket Layer protected page at CC's website.
(ii) The above data is stored on CC's web server, which is hosted by a third party.
(iii) An automated email containing the member's particulars in text format is generated by the web server and sent to the official email ID of CC's Assistant Manager Finance (AMF).
(iv) The details of all emails received during the day are posted by the AMF in a single pre-formatted spread sheet. At the day end, these are sent to a designated employee of the commercial bank for the settlement of transactions.
(v) The bank processes the transactions and sends the success and failure status of each transaction to the AMF on the next working day.
(vi) The AMF sends the fee receipts to members whose transactions have been successfully processed and intimates the other members about the transaction failure.
(vii) All computers in CC are interconnected via LAN.
(viii) Backup of data on the AMF's computer is stored on a backup file server automatically on a daily basis. Only the Network Administrator is authorised to restore the data.
(ix) The online fee payment procedure has been functioning satisfactorily for the past five years without any complaints or problems.
Required:
Identify seven control weaknesses/risks in the above system. Offer suggestions for implementing appropriate control measures to mitigate the related risks. (14)

Q.2 Transpose Energy Limited (TEL) is a large importer and distributor of UPS, generators and solar panels. TEL has been using separate information systems for suppliers, customers, HR and Finance. These systems have been developed in-house but due to non-integration, several data items are required to be re-entered. The CEO of TEL has recently received a proposal from Alternative Technologies (AT) for outsourcing TEL's IT function. AT proposes to implement a significantly improved and integrated information system in TEL. AT has offered to train the existing employees of TEL on the new system; however, the administrative rights of the system would remain with AT. AT's monthly billing would depend upon the number of man hours worked by their employees.
Required:
(a) Identify seven business risks associated with AT's proposal. (07)
(b) Most of the risks identified in part (a) above can be covered by including appropriate clauses in the agreement with AT. What other measures can TEL take in order to mitigate the identified risks? (04)

Q.3 As an audit senior of a firm of chartered accountants, you are assigned to conduct an audit of Creative Insurance Company Limited (CICL). CICL places considerable reliance on its computer-based information systems for generation of operational and financial data. CICL has formed a quality assurance (QA) department during the current year to review and monitor its information systems. In the course of your discussions with the QA Manager, you have been told that:
(i) Due to time and resource constraints, QA plans were developed only for those information systems where: the system is of material significance to the company as a whole; and all the stakeholders agree on the quality goals identified for that information system.
(ii) QA plans will be developed for all the remaining information systems as soon as adequate resources are available and the QA department has achieved the necessary competencies.
Your review of the project documentation shows that presently 12 out of a total of 20 information systems meet the above criteria. The remaining information systems include financial information systems.
Required:
(a) Describe the major concerns which, in your opinion, may restrict your decision to place reliance on the QA function. (06)
(b) Discuss the extent of reliance that you would place on those information systems which receive data from other information systems which do not meet the criteria of the QA department. (04)

Q.4 Superb Limited (SL) is a distributor of FMCG and has been operating this business for the last fifteen years. SL's management is considering automating the process of executing orders so that the time lag between receipt and supply of goods may be reduced. To achieve this objective, SL intends to provide smart phones with a customized application to the sales force. This may enable them to immediately communicate the customers' orders to the company's system. Moreover, Area Sales Managers (ASMs) will be provided laptops with pre-installed application software of the company. This would enable ASMs to monitor the progress of their sales team at all times from any location.
Required:
The inter-connection of smart phones and the laptops with the company's system poses various risks. Identify any eight controls to mitigate such risks. (08)

Q.5 Generalized Audit Software provides a means to gain access to and manipulate data maintained on computer storage media.
Required:
(a) Briefly explain the following functional capabilities provided by generalized audit software and in each case give two examples of how the auditor might use these functional capabilities:
• Stratification and frequency analysis
• Arithmetical
• File reorganization
• Statistical (10)
(b) Discuss any two limitations of generalized audit software. (03)

Q.6 Serious Solution Providers (SSP) offers various types of IT related services, e.g. data entry, data archiving, web hosting and email hosting. As SSP's IS auditor, you were satisfied with SSP's Business Continuity Plan (BCP) when it was developed in 2011. However, in June 2012, the officer responsible for the maintenance and updating of the BCP resigned and his replacement has not been able to update the BCP regularly.
Required:
Write a memo to SSP's management emphasizing the following matters:
(a) Circumstances that create the need to update the BCP. (05)
(b) Responsibilities of the new appointee relating to the maintenance of the BCP. (05)

Q.7 Maya Textiles Limited is a growing textile company of the country. Currently, they are in the process of framing their long term strategies for the growth of the business. The company is concentrating on their manufacturing, logistics, marketing and material management strategies but there have been no plans for developing an IT strategy.
Required:
As the CFO of the company, write a memo to the company's CEO explaining the following:
(a) Objective / purpose of IT strategic planning. (05)
(b) Identify the problems which the company may face in the absence of an IT strategy. (05)

Q.8 You are employed in a firm of chartered accountants. This is your second year as the audit supervisor on the audit of Greet Bank Limited. The bank has made considerable progress during the year under review, which includes introduction of online banking and an increase in the number of branches. This year you intend to adopt the "through the computer" approach as against the "around the computer" approach followed last year.
Required:
(a) Justify the audit approach adopted last year and explain the reasons for the change in approach for the current year. (08)
(b) Identify the difficulties which may arise while using the "through the computer" approach. (02)

Q.9 With the fast paced growth of the Internet, e-commerce has provided new opportunities to businesses to expand their trade boundaries. It has also provided new tools to governments to facilitate their citizens.
Required:
(a) State five ways in which a business can benefit using e-commerce. (05)
(b) List five benefits of e-commerce to consumers. (05)
(c) Identify any four areas where the government to citizen (G2C) e-commerce model may be implemented. Specify two key challenges that may be faced by a developing country while implementing G2C strategies. (04)
(THE END)

INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL
Suggested Answers
Final Examination - Summer 2013

A.1 Control weaknesses/risks in the system of collecting the membership fees through credit cards, along with suggested controls, are tabulated below:
(i) Control weakness: Members' credit card details are stored on a web server hosted by a third party.
Suggested controls: Members' credit card details should be stored on the club's server placed in its own premises. If keeping its own web server is not possible, the club management should get a non-disclosure agreement (NDA) signed by the third party. The data should be stored in encrypted form.
(ii) Control weakness: Emails containing members' data remain at that server at least for some time.
Suggested controls: Create privileged users' accountability and auditability by logging users' activities at the email server. Logs of the email server should be reviewed periodically at an appropriate level.
(iii) Control weakness: Data is transferred without encryption.
Suggested controls: Emails from the web server and emails sent by the AMF should be encrypted.
(iv) Control weakness: Disclosure of information by the bank's employees.
Suggested controls: CC should get an NDA signed by the bank authorities. CC should ensure that the bank deploys appropriate controls for the security of the data. In this regard, preferred controls should be agreed and documented.
(v) Control weakness: Risk of exposure of confidential information to unauthorised (unconcerned) employees.
Suggested controls: Sharing of the AMF's computer should be disabled. Establish rules for access to information on the AMF's computer for normal as well as exceptional circumstances. If possible, use a separate computer for storing such information.
(vi) Control weakness: AMF intentionally
leaks the data Get the NDA signed by AMF and other concerned staff Strict disciplinary policies should be made for confidentiality breaches (vii) Network Administrator can restore Members’ credit card details stored on AMF’s computer data from backup AMF’s computer must be encrypted file server (viii) Lack of review All the controls mentioned above should be deployed in order to avoid this risk Periodic compliance testing of the deployed controls should be performed If, however, CC opens a merchant account for online payments, then except risk (iv) all the risks identified above would be eliminated Page 1 of 6 INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL Suggested Answers Final Examination ‐ Summer 2013 A.2 (a) Business risks associated with AT’s proposal are as follows: (i) (ii) Cost of arrangement with AT may exceed TEL expectations TEL would become extremely dependent on AT on account of non-availability of source code and limited system administration rights (iii) TEL may lose internal IS expertise (iv) AT’s management may not be as responsive to TEL’s need as TEL’s employees (v) AT may fail to deliver the agreed level of services (vi) There is a risk to business continuity of TEL on account of: Dispute with AT AT going out of business (vii) AT may use pirated/copied software for which TEL may also be held responsible (viii) Confidentiality of TEL’s data may be compromised Besides inclusion of appropriate clauses in the agreement, TEL may take following other measures to mitigate the identified risks: (i) Appropriate communication with the employees and wherever necessary, their placement at other appropriate places in TEL (ii) Planning the course of action in case of dispute with AT, including: Sign a separate agreement for the use of alternate processing facility in case of emergency Train key IT employees on IT tools and technologies relevant to TEL Develop internally a program that may enable TEL to continue its operations in case AT ceases to 
provide services (iii) Entering into a short-term contract, at least initially (iv) Assessing viability of AT’s business before accepting the proposal (a) Following concerns may restrict my decision to place reliance on QA function of CICL: (b) w The given situation indicates that QA function is not fully equipped with the required resources and has not attained a trusted level of competency The stakeholders’ inability to agree on QA goals indicates that information systems objectives have not been clearly set, which may restrict the reliance being placed on them If data produced by a system which has not passed through the QA function is transferred to a system which is QA compliant, we may not be able to place as much reliance on the QA compliant system also Since this is the first year of application of QA function, the auditor has very little experience on which he can assess the reliability of the QA function Since 40% of the systems have not passed through QA test, placing reliance on QA function for the rest may give rise to inconsistent audit approach w w A.3 g c ao f fic ia l.o rg (b) For material information systems where QA plans have been developed but which import data from information systems that not meet the QA function’s criteria, I would: test the QA controls of information system which is receiving data; test controls of those information systems from whom data is being imported If the result of above tests are satisfactory, I would place the reliance on these controls and reduce the extent of substantive testing Otherwise, I would go for detailed substantive testing Page 2 of 6 INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL Suggested Answers Final Examination ‐ Summer 2013 A.4 Following controls should be in place so that risks associated with inter-connection of smart phones (SPs) and the laptops (LTs) with the company’s system can be mitigated Installation and configuration of applications on SPs and LTs should comply with the existing 
company standards for security (ii) Addition, deletion or modification of any application should not be allowed to their holders For any such change, documented procedure should be followed (iii) SP and LT information should be synchronized only with organization’s resources contained in the company system (iv) Employees should be instructed to exercise due care during travel as well as within office environments Any loss or theft of a SP or LT should be treated as security breach and reported immediately (v) Identify all remote access points of entry through which access to company system is allowed and that no other remote access points can be used to access the company system (vi) Appropriate authentication mechanisms should be available at company system to ensure that those accessing it are duly authorized (vii) All the security controls over access to the company system remotely should be appropriately documented (viii) Data flowing between SPs/LTs and the company should be encrypted (ix) At the company, server access logs should be generated regularly and reviewed periodically (x) All SPs and LTs should be protected with updated antivirus software (xi) Properly configured firewall should be installed in the company system (xii) In addition to the firewall, an intrusion detection system should also be installed in the company system (a) Stratification and frequency analysis: It allows data to be categorized and summarized in different ways Frequency analysis and aging analysis can be under taken Frequency tables and bar charts can be produced w g c A.5 ao f fic ia l.o rg (i) w w Examples (i) Accounts receivable balances can be stratified to determine whether the provision for doubtful debts is adequate (ii) The frequency with which various types of monetary transactions occur, can be determined to see whether in any period there is a marked deviation from the norm Arithmetic: Arithmetic functions enable computations to be performed on data Examples (i) The 
discounting calculations performed by an invoicing program can be recomputed to check their accuracy.
(ii) Monetary updates of an account can be performed to check that the application update program does not contain erroneous logic.

File reorganization: The file reorganization function allows files to be sorted and merged.
Examples:
(i) A file may be sorted to determine whether duplicate records exist on the file.
(ii) Files of various periods may be merged to identify a trend in financial position.

Statistical: The statistical function allows sampling to be undertaken and the results of sampling to be evaluated.
Examples:
(i) The sampling capabilities can be used to select records for confirmation.
(ii) A random selection of inventory records can be undertaken so that a physical count can be made to verify the accuracy and completeness of the records.

(b) Following are the limitations of generalized audit software:
(i) Timely evidence collection may not be possible because evidence on the state of an application system can only be gathered after the data has been processed.
(ii) The program may not be able to perform all the tests which an auditor may require.

A.6
(a) Circumstances which create the need for BCP updation:
(i) Changes in business strategy may alter the significance of various applications.
(ii) Acquisition/development of new resources/applications.
(iii) Changes in the software or hardware environment may make current provisions obsolete, inappropriate or inadequate.
(iv) Change in roles and/or responsibilities of Disaster Recovery Plan / Business Continuity Plan (DRP/BCP) team members.
(v) Change in arrangements with the vendors.
(vi) Material weaknesses found during testing of the BCP.

(b) Responsibilities of the new appointee relating to maintenance of the BCP:
(i) Developing a schedule for periodic review, testing and maintenance of the plan.
(ii) Advising all personnel of their roles and the deadlines for receiving revisions and comments.
(iii) Calling for unscheduled revisions whenever significant changes occur.
(iv) Arranging and coordinating scheduled and unscheduled tests of the BCP.
(v) Training of personnel for emergency and recovery procedures.
(vi) Maintaining records of business continuity plan maintenance activities, i.e. testing, training and reviews.
(vii) Evaluating and integrating changes into the BCP to resolve unsuccessful test results.
(viii) Administering the change management process for the changes identified other than through BCP testing activity. (The change management process includes: identification of changes, acquiring approval for identified changes and incorporating/documenting the changes after approval.)

A.7
(a) Purpose and objectives of IT strategic planning:
(i) Effective management of the IT assets of the business, which may be expensive as well as critical.
(ii) Improving communication between the business and the Information Systems organization.
(iii) Aligning IT strategy with business strategy.
(iv) Planning the flow of information and processes.
(v) Reducing the time and expense of the information systems life cycle.
(vi) Efficiently and effectively allocating the information systems resources.

(b) Problems which the company may encounter due to the absence of an IT strategy:
(i) Information management may become difficult due to lack of direction.
(ii) Improper / ad hoc selection of IT projects and their implementation.
(iii) Staff may feel de-motivated due to lack of direction.
(iv) Costs may rise as hardware and software purchases may not be appropriate to the long term direction of the business.
(v) Business may suffer competitive disadvantage.
(vi) Customer service may decline.
(vii) Business objectives may not be achieved.
(viii) Long term survival of the company may be at risk.
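Returning to the generalized audit software capabilities in A.5 above, the following is an added illustration (not part of the suggested answers or any GAS product) of the four functions run over a small constructed accounts-receivable file: stratification and ageing frequency, arithmetic recomputation of invoice discounts, sort-based duplicate detection, and random sample selection. The ledger records, band limits and bucket boundaries are all assumed for the example.

```python
"""Illustration of generalized-audit-software style functions over a
constructed accounts-receivable file (hypothetical data, not from any client)."""
import random
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample ledger:
# (invoice_no, customer, gross, discount_pct, net_billed, days_outstanding)
LEDGER = [
    ("INV001", "Alpha Traders", Decimal("1000.00"), Decimal("5"), Decimal("950.00"), 15),
    ("INV002", "Beta Stores", Decimal("25000.00"), Decimal("10"), Decimal("22500.00"), 95),
    ("INV003", "Gamma Mart", Decimal("4000.00"), Decimal("2.5"), Decimal("3900.00"), 45),
    ("INV004", "Alpha Traders", Decimal("800.00"), Decimal("0"), Decimal("800.00"), 130),
    ("INV002", "Beta Stores", Decimal("25000.00"), Decimal("10"), Decimal("22500.00"), 95),  # duplicate record
    ("INV005", "Delta Foods", Decimal("12000.00"), Decimal("10"), Decimal("10850.00"), 10),  # net should be 10800.00
]

def stratify(ledger, bands=(Decimal("1000"), Decimal("10000"))):
    """Stratification: count and total of net balances per value band
    (assumed bands), the input for judging a doubtful-debt provision."""
    edges = [Decimal("0"), *bands, None]
    result = {}
    for lo, hi in zip(edges, edges[1:]):
        label = f">= {lo}" if hi is None else f"{lo} to < {hi}"
        rows = [r for r in ledger if r[4] >= lo and (hi is None or r[4] < hi)]
        result[label] = (len(rows), sum((r[4] for r in rows), Decimal("0")))
    return result

def aging_frequency(ledger):
    """Frequency analysis: how many invoices fall into each ageing bucket."""
    def bucket(days):
        return "0-30" if days <= 30 else "31-60" if days <= 60 else "61-90" if days <= 90 else ">90"
    return dict(Counter(bucket(r[5]) for r in ledger))

def recompute_net(ledger):
    """Arithmetic: recompute net = gross * (1 - discount%) independently of the
    invoicing program and list every record where the billed net differs."""
    mismatches = []
    for inv, _cust, gross, pct, net, _days in ledger:
        expected = (gross * (1 - pct / 100)).quantize(Decimal("0.01"), ROUND_HALF_UP)
        if expected != net:
            mismatches.append((inv, net, expected))
    return mismatches

def find_duplicates(ledger):
    """File reorganization: sort on invoice number, then compare neighbours;
    a repeated key after sorting is a duplicate record."""
    ordered = sorted(ledger, key=lambda r: r[0])
    return [b[0] for a, b in zip(ordered, ordered[1:]) if a[0] == b[0]]

def select_sample(ledger, size, seed=2013):
    """Statistical: reproducible random selection of invoices for confirmation
    (fixed seed so the working papers can show how the sample was drawn)."""
    rng = random.Random(seed)
    return sorted(r[0] for r in rng.sample(ledger, size))

if __name__ == "__main__":
    print("Strata:", stratify(LEDGER))
    print("Ageing:", aging_frequency(LEDGER))
    print("Arithmetic exceptions:", recompute_net(LEDGER))
    print("Duplicates:", find_duplicates(LEDGER))
    print("Confirmation sample:", select_sample(LEDGER, 2))
```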
A.8
(a) The audit approach adopted last year was correct for that period, because:
- The bank's systems were relatively simple.
- A clear audit trail existed.
- Reliance was placed on user controls.
- It was also cost-effective to audit by adopting the 'around the computer' approach.

Following are the reasons for adopting the "through the computer" approach for the current year's audit:
- The inherent risk associated with the new application system (online banking application) launched by GBL is high.
- The volume of data being processed through computers this year is greater than last year, which makes it difficult to undertake extensive checking of the validity of input and output without the use of audit software.
- Significant parts of the internal control system are embodied in the computer system.
- The processing logic embedded within the application system is complex.
- Because of cost-benefit considerations (by the bank management), substantial gaps in the visible audit trail are likely to exist in the system.
- Due to the introduction of online banking, there may be some regulatory requirement to audit through the computer.

(b) The following difficulties may arise while using the 'through the computer' approach:
- It may be costly, especially in terms of man hours that must be expended to understand the internal working of an application system.
- Technical expertise may be needed in order to understand how the system works.

A.9
(a) A large business organisation may gain the following benefits using e-commerce:
(i) It allows more business partners to be reached within a small span of time.
(ii) A more geographically dispersed customer base can be reached.
(iii) Procurement processing costs can be lowered.
(iv) Inventories can be reduced.
(v) Sales and marketing costs can be reduced.
(vi) Prompt interactions with customers.

(b) E-commerce provides the following benefits to consumers:
(i) Increased choice of vendors and products is available.
(ii) Convenience of shopping from anywhere, i.e. home or office.
(iii) Round the clock shopping.
(iv) Access to more detailed information about the products, from vendors as well as from independent sources.
(v) More competitive prices because of increased price comparison capability.
(vi) Greater customisation in the delivery of services.

(c) The government to citizen (G2C) e-commerce model may be implemented in the following areas:
(i) Lodging complaints and giving feedback on various projects of the government.
(ii) Keeping citizens updated on ongoing developments like tax reforms, construction of dams, education policy etc.
(iii) Online submission of tax returns.
(iv) Online payment of utility invoices.
(v) Online voting in local bodies or in general elections.
(vi) Online submission of job applications.
(vii) Online tracking of CNIC and passport application status.

The government of a developing country may face the following challenges while implementing G2C strategies:
(i) Creating infrastructure for providing economical access to the government websites to all citizens, especially those living in remote towns and villages.
(ii) Security of government websites.
(iii) Creating awareness among the masses as regards the uses of e-commerce technology and related issues.

(THE END)

Best of Luck
www.gcaofficial.org