
Page 1: E-13_ITMAC

Final Examinations

Module E

The Institute of Chartered Accountants of Pakistan

2 June 2015

3 hours – 100 marks

Additional reading time – 15 minutes

Information Technology Management, Audit and Control

Q.1 IT department of Sana Textiles Mills is headed by its CFO and consists of a senior programmer, a database administrator and two junior programmers. It has recently developed an integrated Information System which has six interconnected modules and is ready to go live. The senior programmer has developed the program and linked all the modules. Junior programmers have assisted him in gathering user requirements, preparing system flowcharts, developing user manual, compiling technical reference manual, designing various forms and reports and unit testing.

Required:

(a) With reference to the composition of the development team, identify any two risks and suggest the steps that may be taken to address those risks. (04)

(b) Explain the term ‘unit testing’. Also describe briefly the various types of tests which may be performed under ‘whole-of-program testing’. (05)
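The following is an added illustration for Q.1(b), not part of the question paper: it shows the difference between unit testing (each module exercised on its own) and whole-of-program testing (the linked modules run end to end) on a small program built from interconnected modules, in the spirit of the six-module system in Q.1. The modules (a wage calculator, a double-entry ledger, and the payroll routine that links them), the timesheet figures and the account names are all hypothetical and were constructed for this example.

```python
"""Added illustration for Q.1(b): unit tests versus whole-of-program
(integration/system) tests on a program built from linked modules.

The modules, figures and account names below are hypothetical; they are
not taken from the question paper or from any real system."""
import io
import unittest
from decimal import Decimal
from typing import Dict, List, Tuple

# --- Module 1: wage calculation (hypothetical) ---------------------------
OVERTIME_THRESHOLD_HOURS = Decimal("40")
OVERTIME_MULTIPLIER = Decimal("1.5")


def gross_wage(hours, rate) -> Decimal:
    """Regular hours at `rate`; hours above the threshold at 1.5x the rate."""
    hours, rate = Decimal(hours), Decimal(rate)
    if hours < 0 or rate < 0:
        raise ValueError("hours and rate must be non-negative")
    regular = min(hours, OVERTIME_THRESHOLD_HOURS)
    overtime = max(hours - OVERTIME_THRESHOLD_HOURS, Decimal(0))
    wage = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    return wage.quantize(Decimal("0.01"))


# --- Module 2: general-ledger posting (hypothetical) ---------------------
class Ledger:
    """Double-entry ledger: every posting debits one account and credits another."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, str, Decimal]] = []

    def post(self, debit: str, credit: str, amount) -> None:
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("posting amount must be positive")
        self.entries.append((debit, credit, amount))

    def balance(self, account: str) -> Decimal:
        total = Decimal(0)
        for debit, credit, amount in self.entries:
            if debit == account:
                total += amount
            if credit == account:
                total -= amount
        return total


# --- Module 3: the link between the two (the integration point) ----------
def run_payroll(timesheet: Dict[str, Tuple[str, str]], ledger: Ledger) -> Decimal:
    """Compute each employee's wage and post it; return the total posted."""
    total = Decimal(0)
    for _employee, (hours, rate) in timesheet.items():
        wage = gross_wage(hours, rate)
        if wage == 0:  # Ledger.post rejects zero amounts; skip rather than crash
            continue
        ledger.post("Wages Expense", "Wages Payable", wage)
        total += wage
    return total


class UnitTests(unittest.TestCase):
    """Unit testing: each module is exercised alone, independent of the others."""

    def test_overtime_is_paid_at_one_and_a_half(self):
        self.assertEqual(gross_wage("45", "10"), Decimal("475.00"))

    def test_negative_input_is_rejected(self):
        with self.assertRaises(ValueError):
            gross_wage("-1", "10")

    def test_ledger_keeps_double_entry(self):
        ledger = Ledger()
        ledger.post("A", "B", "5")
        self.assertEqual(ledger.balance("A"), Decimal("5"))
        self.assertEqual(ledger.balance("B"), Decimal("-5"))


class WholeOfProgramTests(unittest.TestCase):
    """Whole-of-program testing: the linked modules run end to end on one input."""

    # Constructed timesheet: employee -> (hours, hourly rate)
    TIMESHEET = {"E1": ("45", "10"), "E2": ("30", "20"), "E3": ("0", "15")}

    def test_payroll_flows_into_ledger(self):
        ledger = Ledger()
        total = run_payroll(self.TIMESHEET, ledger)
        self.assertEqual(total, Decimal("1075.00"))
        self.assertEqual(ledger.balance("Wages Expense"), Decimal("1075.00"))
        self.assertEqual(ledger.balance("Wages Payable"), Decimal("-1075.00"))
        self.assertEqual(len(ledger.entries), 2)  # E3 earned nothing: no posting


def run_suite() -> bool:
    """Run both test classes quietly; True when every test passes."""
    loader = unittest.defaultTestLoader
    suite = loader.loadTestsFromTestCase(UnitTests)
    suite.addTests(loader.loadTestsFromTestCase(WholeOfProgramTests))
    return unittest.TextTestRunner(stream=io.StringIO()).run(suite).wasSuccessful()


if __name__ == "__main__":
    print("all tests passed" if run_suite() else "failures")
```

The unit tests would still pass if `run_payroll` were left to call `Ledger.post` with a zero wage; only the whole-of-program test, which drives the linked modules with a realistic timesheet, exposes that interface mismatch. That is the practical reason both levels of testing are needed before a multi-module system goes live.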

Q.2 Raised University (RU) is a reputed university in its region. It has a resource rich website from where students can download syllabus, past papers, research papers/periodicals, various forms and academic information etc.

In a recent meeting, the Vice Chancellor has advised the IT Manager to provide an online fee payment option to the students for the forthcoming semester. Presently the fee is either deposited in a bank or paid at the campus through credit cards. The IT Manager has informed that various arrangements will need to be made in this regard, which include re-negotiating the web hosting contract, developing a customised application program and selecting a bank that offers an Internet Merchant Account.

Required:

(a) Why do you think a revision in the web hosting contract would be necessary for providing such a service? (02)

(b) Briefly describe the role of a customised application program in the processing of payments for the above purpose. (03)

(c) Suggest suitable controls which may need to be implemented to ensure that students are served in an efficient and secure manner. (04)

(d) Briefly explain the factors that RU should consider while selecting a bank for opening an Internet Merchant Account. (06)

Q.3 As the use of mobile devices like smart phones and tablets is gaining popularity, many organisations allow their staff to connect their personal mobile devices to the company’s network, either by connecting directly to its LAN or through the Internet.

Required:

(a) Identify the primary security and control issues to which an organisation may be exposed in the above stated situation. (02)

(b) List the steps that an organisation may need to take in order to address the risks that may arise in the above stated situation, with regard to:

(i) Network access

(ii) Device management

(iii) Application security management (09)

Page 2: E-13_ITMAC

Q.4 Nizam Hospital (NH) has recently implemented an off-the-shelf system. The users are not satisfied with the system as several issues have arisen during the first few weeks of its implementation. The complaints have been resolved by the vendor on a timely basis but he is of the view that majority of the problems arose due to lack of users’ knowledge. The management has asked the IT Manager to set up a helpdesk function for providing immediate support to users.

Required:

(a) List the information which should be maintained by the helpdesk for each complaint. (05)

(b) Specify the responsibilities which could be assigned to the helpdesk staff of NH. (05)

Q.5 As the IS Auditor of Gulbahar Limited, you have identified a few instances of software licensing violations. Prepare a note for submission to the management briefly describing the controls that can be established in order to minimize such violations. (06)

Q.6 (a) State the key differences between cold, warm and hot sites. (03)

(b) Sohrab Insurance Company (SIC) specialises in health insurance. In December 2014, a fire broke out in SIC’s data processing facility, which forced SIC to operate from a hot site facility. However, SIC faced a lot of difficulty in getting access to the site and completing data processing tasks. A consultant hired by SIC has reported that most of the difficulties arose because of deficiencies in the agreement with the hot site provider.

Required: Briefly discuss any six deficiencies to which the Consultant may be referring. (09)

Q.7 Identify the five stages in developing ‘Information Strategy Plan’ and also identify the key steps/activities in each stage. (10)

Q.8 Data is the most valuable resource of an organization. Accordingly, IT Auditors need to develop a good understanding of how data is managed, database security controls and the roles of Data Administrator and the Database Administrator.

Required: (a) Specify any three objectives which effective data management seeks to achieve. (02)

(b) Identify the responsibilities of the Data Administrator and the Database Administrator in respect of each of the following Data/Database related functions:

(i) Defining data

(ii) Creating data

(iii) Retiring data

(iv) Making the database available to users

(v) Maintaining database integrity

(vi) Monitoring operations (09)

Q.9 On completion of the IS Audit of Sadar Builders (SB), its auditor wrote in his report that SB has paid due attention to securing its network from external threats; however, it has implemented only physical controls to address insider threats.

Required: Identify any six measures that SB may take in order to mitigate insider threats to its IT resources, and the main objective/benefit of each such measure. (09)

Q.10 The advancement of communication technology such as the world wide web and email has allowed efficient dissemination of information on a global scale. However, such communication has also increased the need to protect the privacy of data.

Required: Briefly describe the generally accepted privacy-protection principles. (07)

(THE END)