information system & it audit bml 303 past paper pack 2016


Page 1: Information System & IT Audit BML 303 past paper pack 2016

Institute of Cost and Management Accountants of Pakistan

Constituted under Cost and Management Accountants Act, 1966

INFORMATION SYSTEMS AND I.T. AUDIT (ML-303)

SEMESTER-3

PAST PAPERS

ICMA Pakistan


Institute of Cost and Management Accountants of Pakistan

Constituted under Cost and Management Accountants Act, 1966

Past Papers Included

1. Model Paper
2. Fall (March) 2015 Examination
3. Spring (August) 2015 Examination
4. Fall 2014 (March) Examination
5. Spring (August) 2014 Examination
6. Extra Attempt, May 2014 Examination
7. Fall 2013 (February 2014) Examination
8. Extra Attempt (November 2013) Examination
9. Spring 2013 (August 2013) Examination
10. Fall 2012 (February 2013) Examination
11. Spring (August) 2012 Examination
12. New Fall (E) 2011, April 2012 Examination
13. Winter (November) 2011 Examination
14. Summer (May) 2011 Examination
15. Fall (Winter) 2010 Examination
16. Spring (Summer) 2010 Examination
17. Fall (Winter) 2009 Examination
18. Spring (Summer) 2009 Examination
19. Fall (Winter) 2008 Examination
20. Spring (Summer) 2008 Examination
21. Fall (Winter) 2007 Examination
22. Spring (Summer) 2007 Examination
23. Fall (Winter) 2006 Examination
24. Spring (Summer) 2006 Examination


Re-align Syllabus 2012, ICMA Pakistan

SEMESTER - 3

INFORMATION SYSTEMS AND IT AUDIT [BML-303]

INTRODUCTION

This course deals with the management of security of systems, and is designed to focus on the tools and techniques of information systems and the application of that knowledge to I.T. Audit.

OBJECTIVE

To provide the students with a detailed knowledge of Information Systems and I.T. Audit to enable them to: design and develop information systems to improve the performance of organisations, and apply the conceptual approach of information systems to I.T. Audit.

OUTCOMES

On completion of this course, students should be able to:
- understand E-Business and E-Commerce.
- learn management of IS operations.
- learn basic data management skills.
- understand management of auditing information systems.
- demonstrate an understanding of the complexity of managing security in electronic systems, identify and assess the critical threats to information systems, perform a preliminary security audit of information systems and apply skills to a security incident, and apply the most effective information systems audit, control and security practices.

INDICATIVE GRID

Part | Syllabus content area | Weightage
A | INFORMATION SYSTEMS: 1. Emerging Technology in E-Business; 2. Infrastructure and Operations; 3. Information and Databases; 4. Systems Acquisition / Development Process | 50%
B | IT AUDIT: 5. The Process of Auditing Information Systems; 6. Governance and Management of IT; 7. Auditing Infrastructure and Operations; 8. Auditing Systems Acquisition / Development Process; 9. Information Security Management; 10. Business Continuity and Disaster Recovery | 50%
TOTAL | | 100%

Note: The weightage shown against each section indicates the study time required for the topics in that section. This weightage does not necessarily specify the number of marks to be allocated to that section in the examination.

CONTENTS

PART - A: INFORMATION SYSTEMS

1. Emerging Technology in E-Business
- E-Business and E-Commerce; E-Business Models (B2B, B2C, B2E, B2G, G2C, C2C and E2E)
- E-Commerce Architecture and Risks
- Advantages and disadvantages of E-Commerce for businesses
- EDI (definition, components, advantages and disadvantages)
- E-Business Software (SCM, ERP and CRM) (definition, components, advantages and disadvantages)

2. Infrastructure and Operations
- Management of IS Operations
- IT Service Management
- Change Management Process
- Computer Hardware Components and Architectures
- Capacity Management
- Problem Management
- Operating Systems
- Network Architecture (LAN, WAN and Wireless)
- LAN, WAN and wireless devices
- OSI layers
- Network Media
- Data management and monitoring

3. Information and Databases
- What is a database
- Data modelling
- Types of databases
- The roles of a database management system
- Data as a resource
- Importance of models and ERD
- Database access techniques
- Information systems categories: office automation systems, communication systems, transaction processing systems, decision support systems, management information systems, executive information systems, enterprise systems
- Limitations
- Uses of information systems categories
- DSS categories

4. System Acquisition / Development Process
- Approaches (waterfall, spiral, iterative, prototyping)
- Phases of the SDLC (investigation and feasibility study)
- Requirement analysis and initial design
- Detailed design specification / documentation
- System installation / implementation and maintenance
- Project Management
- Project Planning
- Project Control Methods and Standards


PART - B: I.T. AUDIT

5. The Process of Auditing Information Systems
- Audit Mission and Planning
- Role and responsibilities of Internal, External and IT Auditors
- Risk Assessment and Analysis
- Risk-based Audit Approach
- Compliance and substantive testing
- Internal Controls and their types, objectives and procedures
- Performing an IT audit
- CAATs
- Control self-assessment

6. Governance and Management of I.T.
- Corporate and IT Governance
- IT Governance Frameworks
- Roles and Responsibilities of Senior Management, Steering Committee and Chief Information Officer
- Policies and Procedures
- Human Resource Management
- Sourcing Practices
- Change Management
- IS Roles and Responsibilities
- Segregation of duties and Controls within IS
- Auditing IT Governance, Structure and Implementations

7. Auditing Infrastructure and Operations
- Hardware review
- Operating Systems reviews
- Database, local area network, network operating, control and information system operations reviews
- Lights-Out Operations
- Application controls and their objectives
- File creation; Data Conversion
- Input and output
- Problem management reporting reviews
- Hardware availability
- Utilization reporting and scheduling reviews

8. Auditing Systems Acquisition / Development Process
- Risk of an inadequate system development life cycle (SDLC) and review of development procedures and methodologies
- Review of the acquisition process for outsourcing information system maintenance practices
- Change management library control software
- Review of the practice of project management tools and techniques

9. Information Security Management
- Importance of Information Security Management
- Understanding of Facilities (data centres, outsourced facilities, storage, media libraries, backup vaults, UPS and disaster recovery sites)
- Antivirus Software Implementation Strategies
- Program and Data security techniques
- Monitoring and surveillance techniques
- Environmental Controls (smoke detectors, fire suppression, humidity / temperature)
- Access management controls
- Physical design and access controls
- Logical Access controls (user authorization matrix, password management / password change procedures)
- Network security (encryption, firewalls)
- Media Sanitization
- Auditing Information Security Management

10. Business Continuity and Disaster Recovery
- Defining a Disaster
- BCP and DRP
- BCP Process
- Business Continuity Policy and Planning
- Incident Management
- Business Impact Analysis
- Development of BCP
- Insurance
- Plan Testing
- Auditing Business Continuity

TEACHING METHODOLOGY: The faculty is advised to teach the topics in the mode of case studies based on knowledge and application, with a practical approach.

RECOMMENDED BOOKS

CORE READINGS

Title | Author | Publisher
Information Systems: The Foundation of E-Business | Steven Alter | Prentice Hall / Pearson / Financial Times
Decision Modelling with Microsoft Excel | Jeffrey H. Moore / Larry R. Weatherford | Prentice Hall / Pearson / Financial Times
CISA Review Manual | CISA | Information Systems Audit and Control Association, Inc.

ADDITIONAL READINGS

Title | Author | Publisher
Introduction to Information Systems | James O'Brien | McGraw-Hill
Practical IT Auditing | Jack Champlain | Warren Gorham & Lamont / RIA Group


1 of 2 ISITA/Model-Paper

ICMA Pakistan

MODEL PAPER

INFORMATION SYSTEMS AND I.T. AUDIT (ML-303) SEMESTER- 3

Time Allowed: 02 Hours 40 Minutes Maximum Marks: 80 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) Question No.1 - "Multiple Choice Questions" printed separately, is an integral part of this question paper.

(vii) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

Q.1 First question (MCQs Part) comprises 20 MCQs of one (1) mark each to be attempted in 20 minutes.

Q.2 Read the following CASE carefully and answer the questions given below:

C A S E

Megaton Corporation is a large industrial concern that has a complex network infrastructure with multiple local area and wide area networks connecting Megaton's headquarters with its national and international offices. There is an Intranet site that is accessed only by employees to share work-related information. An Internet EDI site is also available that is accessed by customers and suppliers to place orders and check the status of orders. Both sites have open areas as well as sections containing private information that require an ID and password to access. User IDs and passwords are assigned by the central security administrator. The wide area networks are based on a variety of WAN technologies including frame relay, ATM, ISDN and T1/T3. These networks carry unencrypted, non-sensitive information that is sent to the international offices of Megaton but does not include any customer-identifiable information. Traffic over the network involves a mixture of protocols, as a number of legacy systems are still in use. All sensitive network traffic traversing the Internet is encrypted prior to being sent. A number of devices also utilize Bluetooth to transmit data between PDAs and laptop computers. A new firewall has been installed, and patch management is now controlled by a centralized mechanism for pushing patches out to all servers. The firewall policy does not allow any external access to the internal systems. Various database-driven Internet applications are in use and many have been upgraded to take advantage of newer technologies. Additionally, an intrusion detection system has been added, and the reports produced by this system are monitored on a daily basis. Megaton's headquarters also maintains a data centre of 15,000 square feet (1,395 square meters). Access to the data centre is controlled by a card reader and cameras monitoring the entrance.

Recently, Megaton has actively started supporting the use of notebook computers by its staff so that they can use them when travelling and when working from home. In this regard Megaton desires that staff can access the company databases and provide online information to customers. A large organization-wide ERP software implementation project is also under consideration. Megaton has decided to buy a commercial off-the-shelf ERP package and then customize it to fit its needs. Though Megaton is not in a hurry to implement the project, sizeable customizations of the ERP are anticipated. The last IS audit was performed more than five years ago. The current business continuity and disaster recovery plans have not been updated in more than eight years. During this time Megaton has grown by over 300 percent. At the headquarters alone, there are approximately 750 employees. The IS auditor has been asked to evaluate the current environment and make recommendations for improvement.



Questions:

a. What possible risks can be involved with the use of the EDI system at Megaton? 08

b. What would be the most serious concerns regarding the wide area networks at Megaton? 06

c. Many issues are involved when a company stores and exchanges confidential customer information over a network. What could be some of the significant issues to address if the information exchanged between Megaton's headquarters and its international offices includes personally identifiable customer information? 05

d. What role can the top management of Megaton play for better IT governance? 05

e. Suggest some controls to strengthen the security of the Data Centre at Megaton. 03

f. Based on the information given in the case, what would you recommend to Megaton for preparing their disaster recovery plan? 03

Q.3 (a) "Capacity management" is the planning and monitoring of computing and network resources to ensure that the available resources are used efficiently and effectively. The capacity plan should be developed based on input from both user and IS management to ensure that business goals are achieved in the most efficient and effective way. Discuss some types of information required for successful capacity planning. 08

(b) A database is a collection of information that is organized so that it can easily be accessed, managed, and updated. List the properties of the three major types of database structure: hierarchical, network and relational. 06

Q.4 (a) To develop an information system, the organization can either outsource the system development or rely on its own people. What are some of the risks involved when system development is done by the end-users of an information system? 06

(b) E-commerce is a positive development for both businesses and individuals, as it has made transactions more convenient and efficient. E-commerce involves no physical interaction between buyers and sellers, and such virtual transactions have many associated risks. Explain some of these risks and their mitigation strategies. 06

Q.5 (a) The acquisition of the right hardware and software resources for an organization is a complex issue that requires careful planning. What are some of the issues involved in acquiring hardware and software for an information system, and the steps involved in the selection of a computer system? 06

(b) An important objective of the IS auditor is to ensure that the organization provides adequate segregation of duties within the information system management structure. What are some of the duties and responsibilities of the IS auditor to achieve this objective? 06

Q.6 (a) While performing the IS audit of an organization, the IS auditor needs to carefully examine the various IS controls implemented by the organization. What are some techniques the IS auditor can use to evaluate the application controls implemented in an information system? 06
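As an added worked example (not part of the ICMA paper or its suggested answers), the following Python script applies several of the computer-assisted audit techniques (CAATs) an IS auditor uses to test application controls over a transaction file: sequence check, duplicate check, limit check, check-digit validation and control-total reconciliation. The batch records, the single-payment limit and the batch header total are constructed assumptions, seeded with defects so that each test produces a finding.

```python
"""CAAT-style tests of application controls over a transaction batch.

Added illustration, not part of the ICMA paper or of any audit product.
The batch below is constructed; the single-payment limit and the batch
header total are assumed control parameters.
"""
import csv
import io
from collections import Counter

# Constructed vendor-payment batch with seeded defects: a gap in the sequence
# (1004 missing), a duplicated record (1006), a payment over the limit (1003),
# an account number with a bad check digit (1005), and a header total that
# omits the duplicate, so it will not reconcile to the detail lines.
BATCH_CSV = """\
seq,account,amount,date
1001,79927398713,1250.00,2015-03-02
1002,4539578763621486,980.50,2015-03-02
1003,79927398713,15000.00,2015-03-02
1005,79927398714,300.00,2015-03-02
1006,4539578763621486,45.00,2015-03-03
1006,4539578763621486,45.00,2015-03-03
"""
BATCH_HEADER_TOTAL = 17575.50    # assumed: total claimed on the batch header
SINGLE_PAYMENT_LIMIT = 10000.00  # assumed: limit-check parameter


def luhn_ok(number):
    """Check-digit validation (Luhn mod 10) for an account/card number string."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def run_caat(batch_csv, header_total, limit):
    """Apply five application-control tests to the batch and return the findings."""
    rows = list(csv.DictReader(io.StringIO(batch_csv)))
    seqs = [int(r["seq"]) for r in rows]
    findings = {}
    # 1. Sequence check: every number between first and last must be present.
    expected = set(range(min(seqs), max(seqs) + 1))
    findings["missing_seq"] = sorted(expected - set(seqs))
    # 2. Duplicate check on the sequence number.
    findings["duplicate_seq"] = sorted(s for s, n in Counter(seqs).items() if n > 1)
    # 3. Limit (reasonableness) check on the amount field.
    findings["over_limit"] = [int(r["seq"]) for r in rows if float(r["amount"]) > limit]
    # 4. Check-digit validation of the account field.
    findings["bad_check_digit"] = [int(r["seq"]) for r in rows if not luhn_ok(r["account"])]
    # 5. Control-total reconciliation: batch header versus sum of detail lines.
    detail_total = round(sum(float(r["amount"]) for r in rows), 2)
    findings["detail_total"] = detail_total
    findings["total_matches_header"] = abs(detail_total - header_total) < 0.005
    return findings


if __name__ == "__main__":
    for test, result in run_caat(BATCH_CSV, BATCH_HEADER_TOTAL, SINGLE_PAYMENT_LIMIT).items():
        print(f"{test}: {result}")
```

Each key of the returned dictionary corresponds to one control being tested, so an empty list (or a true reconciliation flag) is evidence that the control operated, while a populated list is an exception for the auditor to follow up.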

(b) An organization can hold a variety of sensitive information, such as financial results and business plans for the year ahead. As more and more of this information is stored and processed electronically and transmitted across company networks or the Internet, the risk of unauthorized access increases. What are some basic types of information protection that an organization can use to minimize this risk? 06

THE END


ICMA Pakistan

INFORMATION SYSTEMS AND I.T. AUDIT (BML-303)

SEMESTER-3 FALL 2015 EXAMINATIONS

Tuesday, the 1st March 2016 Extra Reading Time: 15 Minutes Writing Time: 02 Hours 40 Minutes

Maximum Marks: 80 Roll No.:

(i) Attempt all questions.
(ii) Write your Roll No. in the space provided above.
(iii) Answers must be neat, relevant and brief. It is not necessary to maintain the sequence.
(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.
(v) In marking the question paper, the Examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.
(vi) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.
(vii) Question No. 1 - "Multiple Choice Questions" printed separately, is an integral part of this question paper.
(viii) Question Paper must be returned to invigilator before leaving the Examination hall.

DURING EXTRA READING TIME, WRITING IS STRICTLY PROHIBITED IN THE ANSWER SCRIPT
EXAMINEES ARE ADVISED TO MANAGE SOLUTIONS/ ANSWERS WITHIN PROPOSED TIME

Marks

Question No. 2 Proposed Time: 60 Min. Total Marks: 30

According to research by the University at Berkeley, the amount of digital information produced in the world is doubling as often as every two years. All those e-business tools (databases, CRM, SCM, ERP, etc.) are generating a huge quantum of data. Outsourcing of Information Technology infrastructure, including BCP and DRP support, is an emerging trend in today's business. This practice is faster to deploy, easier to manage and often much cheaper. Austro Industry has deployed an outsourcing model in its core IT operations. An IS auditor has been asked to review the draft of an outsourcing contract and Service Level Agreement (SLA), and to recommend any changes or point out any concerns prior to these documents being submitted to senior management for renewal approval.

The service level agreement includes outsourcing of Windows and UNIX server administration, virtualization of servers and network management to a third party. Servers will be relocated to the outsourcer's facility, which is located in another country, and connectivity will be established using the Internet. The operating system will be upgraded on a semi-annual basis. All requests for addition or deletion of user accounts will be processed within three business days by the System Administrator. Intrusion detection software will be continuously monitored by the outsourcer and the customer notified by email if any anomalies are detected. New employees hired for operations support under the SLA within the last three years were subject to background checks; prior to that there was no policy. A right-to-audit clause is in place, but 24 hours' notice is required prior to an onsite visit. If the outsourcer is found to be in violation of any terms or conditions of the contract, the outsourcer will have 10 business days to correct the deficiency. The outsourcer does not have an IS auditor but is audited by a regional public accounting firm.

The company plans to implement virtualization to increase efficiency and to decrease the cost of its IT operations. However, virtualization also introduces additional risks. VirtualBox, a virtualization product from Oracle, has been selected for this solution. The advantage of VirtualBox is that it can run on most platforms, including Windows, Linux and Mac. VirtualBox is also free and open-source software.

Due to the importance of data, company management is developing a revised business continuity plan (BCP) and disaster recovery plan (DRP) under the SLA for its headquarters facility and its network of branch offices. At the headquarters facility there are approximately 750 employees. These individuals connect over a local area network to an array of more than 60 application, database and file/print servers located in the corporate data centre, and over a leased-line circuit network to the branch offices. Travelling users access corporate systems remotely by connecting over the Internet using virtual private networking, which allows secure authentication and connection into those resources where privileges have been granted. Users can also be connected through dial-up connections or dedicated leased lines after authentication via a TACACS (Terminal Access Controller Access Control System) server. All critical applications have a recovery time objective (RTO) of three days, and five days of backups for servers located at the branch offices are stored at nearby branch offices using reciprocal agreements between offices.

ISITA-Fall 2015 1 of 3


Current contracts signed with a third-party hot site provider include 25 servers, work area space equipped with desktop computers to accommodate 50 individuals, and a separate agreement to shift up to two servers and 10 desktop computers to any branch office declaring an emergency. The contract term is for three years, with equipment upgrades occurring at renewal time. The hot site provider has multiple facilities throughout the country in case the primary facility is in use by another customer or rendered unavailable by the disaster. Senior management desires that any enhancements be as cost-effective as possible.

To ensure that the critical activities of the organization are not interrupted in the event of a disaster, secondary storage media are used to store software application files and associated data for backup purposes. These secondary storage media are removable media, i.e. tape cartridges, compact disks, digital video disks, or mirrored disks (local or remote) or network storage. Other disk-based backup systems, such as virtual tape libraries, host-based replication, disk-array-based replication and snapshots, are used to copy the data taken for offsite backup. The offsite facility and transportation arrangements must, therefore, meet the security requirements for the most sensitive class of data on the backup media. Once a year the business continuity plan (BCP) is tested, in compliance with a clause of the SLA, by running operations from the hot site to ensure the reliability of the BCP in case of any disaster.

Required:

(a) You are appointed by the company as a system administrator. Discuss the responsibilities of a system administrator in organizing network infrastructure. 05

(b) Discuss the need for signing a Service Level Agreement with a third-party vendor. How will the SLA help Austro Industry in improving the performance of the organization? 05

(c) Differentiate between a disaster recovery plan (DRP) and a business continuity plan (BCP). Enlist six different components of a business continuity plan. 05

(d) Enlist and explain the features of the disk-based backup systems deployed by the organization in order to maintain offsite backup of its critical data. 05

(e) Virtualization is a feature of the operating system. Discuss any three (3) advantages and two (2) disadvantages of a virtualization solution used to reduce the IT operations cost of the organization. 05

(f) Different techniques are used by the company's employees to securely access their corporate network and applications remotely. Discuss any five different risks associated with remote access, whether by end users accessing corporate applications (ERP, SCM, CRM) or by the SLA vendor performing network configuration management work. 05

Question No. 3 Proposed Time: 30 Min. Total Marks: 16

(a) Risk is the combination of the probability of an event and its consequences. Business risk may negatively impact the assets, processes or objectives of a specific business or organization. A banking organization engaged external auditors to evaluate risks in its IT infrastructure deployment. Risk assessment should be an ongoing process in an organization that endeavours to continually identify and evaluate risks as they arise and evolve. Summarize the different steps of the risk assessment process. 08

(b) GEKO oil and gas company has just implemented an IT Governance framework to provide assurance to its stakeholders that IT services are aligned with the business vision, mission and objectives. You are appointed as the new IS auditor of the company and asked to share the key concepts of the following knowledge statements regarding effective governance and management of IT in the organization:

(i) Knowledge of quality management system. 02

(ii) Knowledge of the use of maturity models. 02

(iii) Knowledge of process optimization technique. 02

(iv) Knowledge of practices for monitoring and reporting of IT performance. 02



Question No. 4 Proposed Time: 25 Min. Total Marks: 12

(a) In order to ensure timely detection of errors and misappropriations during the normal course of business processes, the IS auditor has advised segregating duties within the IS department. Segregation further avoids the possibility of a single person being responsible for diverse and critical functions. Several control mechanisms can be used to strengthen segregation of duties. What control mechanisms should be used by IS auditors to strengthen segregation of duties in the organization? Describe any four (4) mechanisms. 08
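As an added worked example (not from the ICMA paper) serving both segregation-of-duties questions in this pack, Model Paper Q.5(b) and Question No. 4(a) above: a Python check that evaluates a user authorization matrix against a list of conflicting duty pairs, finds users who can complete an entire process alone, and produces the kind of exception report that supervisory and independent review rely on. The duties, conflict pairs, process definitions, user assignments and compensating controls are constructed assumptions.

```python
"""Segregation-of-duties (SoD) check over a user authorization matrix.

Added illustration, not from the ICMA paper. The duties, conflict pairs,
process definitions, user assignments and compensating controls are
constructed assumptions.
"""

# Pairs of duties that one person must not hold together (assumed policy).
CONFLICTING_PAIRS = [
    ("create_vendor", "approve_payment"),
    ("enter_transaction", "approve_transaction"),
    ("develop_code", "deploy_to_production"),
    ("security_admin", "application_user"),
]

# Processes as lists of duties; a person holding every duty in a process can
# push a transaction or a change through end to end with no second pair of eyes.
PROCESSES = {
    "vendor_payment": ["create_vendor", "enter_transaction", "approve_payment"],
    "change_release": ["develop_code", "test_code", "deploy_to_production"],
}

# Constructed user authorization matrix: user -> duties granted.
USER_MATRIX = {
    "alice": {"enter_transaction", "application_user"},
    "bob":   {"approve_transaction", "approve_payment"},
    "carol": {"create_vendor", "enter_transaction", "approve_payment"},
    "dave":  {"develop_code", "test_code", "deploy_to_production"},
    "erin":  {"security_admin", "application_user", "develop_code"},
}

# Conflicts management has accepted with a documented compensating control.
COMPENSATING_CONTROLS = {
    ("dave", "develop_code", "deploy_to_production"):
        "IT manager reviews the deployment log weekly",
}


def find_conflicts(matrix, pairs=CONFLICTING_PAIRS):
    """Return sorted (user, duty_a, duty_b) for every conflicting pair a user holds."""
    hits = []
    for user, duties in matrix.items():
        for a, b in pairs:
            if a in duties and b in duties:
                hits.append((user, a, b))
    return sorted(hits)


def users_completing_alone(matrix, processes=PROCESSES):
    """Return {process: [users]} for users holding every duty in that process."""
    return {name: sorted(u for u, d in matrix.items() if set(steps) <= d)
            for name, steps in processes.items()}


def sod_exception_report(matrix, pairs=CONFLICTING_PAIRS, compensating=COMPENSATING_CONTROLS):
    """Classify each conflict; the uncompensated ones are audit findings."""
    report = []
    for user, a, b in find_conflicts(matrix, pairs):
        control = compensating.get((user, a, b))
        status = "compensated: " + control if control else "UNCOMPENSATED"
        report.append((user, a, b, status))
    return report


if __name__ == "__main__":
    for line in sod_exception_report(USER_MATRIX):
        print(*line, sep=" | ")
    print("can complete alone:", users_completing_alone(USER_MATRIX))
```

The pairwise check is what most access-review tools do; the process-level check is stricter, because a user can hold no single forbidden pair and still be able to carry a whole transaction through alone once a process has more than two steps.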

(b) Project Management is the application of knowledge, skills, tools and techniques to a broad range of activities to achieve a stated objective, such as meeting the defined user requirements, budget and deadlines for an IS project. Zee Telecom is planning to provide a cloud computing facility to its corporate clients. As Project Manager, what would be the initiation process for the project? 04

Question No. 5 Proposed Time: 30 Min. Total Marks : 14 (a) Electronic Data Interchange (EDI) replaces the traditional paper document exchange such as

invoices, purchase order etc. Due to revolution of E-commerce, Bostow Company hired a web developer to design and implement web based EDI system. Web based EDI consists of Front end application designed with open source software PHP and MySQL database used on backend. Before implementation of EDI, company wants to know the importance of web based EDI and four risks associated with deployment of EDI applications. 08

(b) An operating system is the resource manager of a computer system. Multithreading, virtual memory, multiprocessing, virtualization, etc. are some advanced features of modern operating systems. Important options and parameters of the Windows operating system are set in special system configuration files referred to as the registry, which is an important aspect of IS auditing. Computer processing activity can be logged for analysis of system function. As an IS auditor, elaborate six different areas that can be analyzed based on activity logging and reporting options. 06

Question No. 6 Proposed Time: 15 Min. | Total Marks: 08

The IT data centre operations team of a cellular company observed frequent failure of the hard drives installed in its storage area network (SAN) and of the routing engine of its core router. IS auditors are engaged to audit environmental exposures and controls. Discuss the importance of addressing the following environmental exposures and implementing their controls in the cellular company's IT Data Centre to deal with any natural or man-made disaster situation:

(i) Electromagnetic Interference (EMI) issue 02

(ii) Water Detectors 02

(iii) Fire suppression systems 02

(iv) Electrical surge protectors 02

THE END

/SITA-Fall 2015 3 of 3


ICMA Pakistan

INFORMATION SYSTEMS AND I.T. AUDIT (BML-303)

SEMESTER-3 SPRING 2015 EXAMINATIONS Thursday, the 27th August 2015

Extra Reading Time: 15 Minutes Writing Time: 02 Hours 45 Minutes

Maximum Marks: 90 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(iv) In marking the question paper, the Examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.

(vi) Question No. 1 - "Multiple Choice Questions" printed separately, is an integral part of this question paper.

(vii) Question Paper must be returned to invigilator before leaving the Examination hall.

DURING EXTRA READING TIME, WRITING IS STRICTLY PROHIBITED IN THE ANSWER SCRIPT

Marks

Q. 2 X-Link is a Middle East based telecommunication services provider enjoying a large clientele in the Middle East and in several other countries. Last year it inaugurated its data center for handling its increasing clientele. Mr. Jamal, the chief information officer (CIO), and Mr. Qasim, the director infrastructure of X-Link, are directly supervising this new data center. This data center manages databases for the central X-Link information system (Oracle based EXA-DATA system), which contains the customer relationship management (CRM) and billing system remotely accessed by over 50 franchise offices of X-Link. The data center infrastructure hosts server/ network racks, HVAC systems, UPS, battery bank, network switches, routers, hardware based firewalls, storage area networks (SANs) and application systems. The data center intranet consists of 100 nodes connected via 100 Gbps fast Ethernet, which is also connected to a separate dedicated area for customers to provide them business continuity planning (BCP) facilities to work on these servers/ machines remotely. Each customer is configured on a separate VLAN on the core switches to ensure network security. Customers can access their storage, SANs, application servers and other network devices through the LAN while working in the data center premises using their allocated working space.

There are three major teams working in X-Link data center as follows:

1. Infrastructure team: Responsible for monitoring and managing data center power, cabling, HVAC systems, hardware, server racks and helpdesk operations.

2. Enterprise network team: Responsible for the operations and monitoring of major network components including switches, routers, wireless network servers.

3. System team: Responsible for operations and monitoring of X-Link information system, data migration, operating system support, virtualization and active directory management of X-Link's employees.

All of the above three teams consist of permanent staff and also utilize the services of third party vendors, which mostly include the hardware vendor, power generation rentals, security personnel, backup tape vendors, Oracle EXA-DATA system support, cable vendor and janitorial staff. Most of the teams working in the X-Link data center have never received any specific training on information security. The human resource (HR) department of the organization is now working on developing procedures for recruiting, training and promoting staff, measuring staff performance, disciplining staff, succession planning, and staff retention. Due to the heavy workload and tough working hours in data center operations and insufficient training/ expertise, the staff of X-Link is extremely exhausted and demotivated. Most of them have applied for a no objection certificate (NOC) to switch their jobs.

/SITA-Spring 2015 1 of 4 PTO



X-Link management also plans to migrate all of its corporate customers' data into the newly installed Oracle EXA-DATA system, which provides 50TB storage capacity. Two data migration experts were recently hired for this job by the company.

The management is currently considering ways by which it can enhance the physical and logical security of its data center. The information system (IS) auditor has been asked to assist in this process by evaluating the current environment and making recommendations for improvement. The data center consists of 15,000 square feet of raised floor on the ground floor of the corporate headquarters building. A total of 25 operations personnel require regular access. Currently, access to the data center is obtained using a biometric card, which is assigned to each authorized user. There are three entrances to the data center, each of which utilizes a card reader and has a camera monitoring system at the entrance. These cameras feed their signals to a monitor at the building reception desk. Two of the doors to the data center also have key locks that bypass the electronic system so that a biometric card is not required for entry. Access control logs are retained for 45 days. During the review, the IS auditor noted that 64 biometric access control cards are currently active and issued to various personnel. The data center has no exterior window. One wall is made up of glass and overlooks the entry foyer and reception area of the building.

To support IS operations, X-Link management decided to implement IT service management (ITSM) in the data center to meet the challenges of a competitive environment. ITSM comprises processes and procedures for efficient and effective delivery of IT services to businesses. A 24 x 7 service desk is established to support IT services and provide a single point of contact to all internal and external customers. This step contributes significantly to customer satisfaction and to achieving the required goals.

Required:

(a) Explain six business reasons for the importance of information security management (ISM) in the data center. 06

(b) A place is dedicated to customers with a 24 x 7 sitting facility in the data center. Discuss six different risks associated with the use of the LAN by external customers to access their servers, storage and other network equipment which are installed/ hosted in the data center. 06

(c) X-Link's skilled staff leave/ resign from the organization frequently. The HR department has been assigned the task of reviewing its standard operating procedures (SOPs) and appraisal policies. Discuss the features of hiring, training and promotion policies as per the requirements of the data center technical team. 07

(d) A large-scale data conversion can potentially become a project within a project because considerable analysis, design and planning will be required. Discuss any six necessary steps for successful data conversion/ migration from old system to new oracle based EXA-DATA storage system. 06

(e) Customers logged complaints in IT service desk. Discuss role of service desk in data center in incident/ problem management. 05
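The physical access facts in the scenario above (25 personnel requiring regular access, 64 active biometric cards, logs retained for 45 days) are exactly the inputs an IS auditor reconciles when evaluating the data center's physical access control. The following is an added example and not part of the exam paper: the authorized roster, the card inventory and the door-controller log lines are all constructed and deliberately small, and the check reports the same classes of exception an auditor would raise at X-Link (cards with no authorized holder, holders with several cards, cards unused in the whole retained log, and unknown cards appearing in the log).

```python
"""Data-centre access-card reconciliation (added example, not from the exam paper).

The roster, card inventory, audit date and log lines below are constructed.
"""
from datetime import datetime, timedelta

AUDIT_DATE = datetime(2015, 8, 1)   # constructed "as of" date for the review
LOG_RETENTION_DAYS = 45             # retention period stated in the scenario

# Constructed authorized roster (the personnel who need regular access).
AUTHORIZED = {"u01", "u02", "u03", "u04"}

# Constructed card inventory from the access-control system: card id -> holder.
ACTIVE_CARDS = {
    "C100": "u01", "C101": "u02", "C102": "u03", "C103": "u04",
    "C104": "u02",        # second active card issued to the same person
    "C105": "vendor_x",   # holder is not on the authorized roster
    "C106": "u_leaver",   # holder has left but the card is still active
}

# Constructed door-controller log: "timestamp,card,door,result" per line.
ACCESS_LOG = """\
2015-07-30T08:55:00,C100,door1,granted
2015-07-31T09:02:00,C101,door2,granted
2015-06-10T22:40:00,C102,door1,granted
2015-07-29T07:58:00,C105,door3,granted
2015-07-29T08:01:00,C999,door3,denied
"""


def parse_log(text):
    """Parse the constructed CSV-style log into dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, door, result = line.split(",")
        entries.append({"ts": datetime.fromisoformat(ts), "card": card,
                        "door": door, "result": result})
    return entries


def reconcile(active_cards, authorized, log_entries,
              audit_date=AUDIT_DATE, retention_days=LOG_RETENTION_DAYS):
    """Reconcile the active card population against the roster and the log.

    'dormant_cards' means no granted entry anywhere in the retained log window;
    because the controller keeps only `retention_days` of history, the check
    cannot see older use, which is itself a finding worth noting.
    """
    window_start = audit_date - timedelta(days=retention_days)
    used_in_window = {e["card"] for e in log_entries
                      if e["result"] == "granted" and e["ts"] >= window_start}

    holders = {}
    for card, holder in active_cards.items():
        holders.setdefault(holder, []).append(card)

    return {
        "cards_without_authorized_holder":
            sorted(c for c, h in active_cards.items() if h not in authorized),
        "holders_with_multiple_cards":
            sorted(h for h, cards in holders.items() if len(cards) > 1),
        "dormant_cards":
            sorted(c for c in active_cards if c not in used_in_window),
        "unknown_cards_in_log":
            sorted({e["card"] for e in log_entries} - set(active_cards)),
        # Headline number the scenario gives (64 active vs 25 personnel).
        "excess_cards": max(0, len(active_cards) - len(authorized)),
    }


if __name__ == "__main__":
    findings = reconcile(ACTIVE_CARDS, AUTHORIZED, parse_log(ACCESS_LOG))
    for name, value in findings.items():
        print(f"{name}: {value}")
```

Each list in the result maps to a recommendation the auditor would make: revoke cards without an authorized holder, justify or cancel duplicate cards, disable dormant cards, and investigate unknown card ids. The two key-lock doors in the scenario bypass this system entirely, so no amount of log analysis covers them; that gap must be raised separately.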

Q. 3 (a) E-commerce is a subset of e-business. It is the buying and selling of goods online, usually via the internet. Typically, a web site advertises goods and services, and the buyer fills in a form on the web site to select items to be purchased and provide delivery and payment details, or uses banking services such as transfers and payment orders. Mr. Akram has opened his own play organization to sell clothes online. He hosted a website and started his online business.

Required:

Develop a proposed business solution from the following:

(i) E-commerce architecture 04

(ii) E-commerce requirements 04

(iii) Also discuss at least four (4) risks associated with e-commerce to kick off this online business. 02

/SITA-Spring 2015 2 of 4



(b) Information system capacity management is one of the key business requirements for IT systems. Business operations and processes can only be supported reliably when IT systems provide the required capacity. An internet service provider is planning to launch cloud computing services to its corporate customers. During procurement of IT system, the capacity management team will work with the architect to estimate resource requirements and capacity forecasting through application sizing and modelling of new services.

Required:

Enlist and elaborate at least seven different elements of capacity planning and monitoring for this new project. 07

Q. 4 (a) Electronic communication systems help people work together by exchanging or sharing information in many different ways. New communication capabilities have changed the way many businesses operate by making it possible to do many things at a distance that previously required being present in a specific location. Al-Rawabit company is planning to adopt the latest communication technology to reduce its cost.

Required:

Explain the features of the following communication systems which make it possible to transmit specific messages to specific individuals or groups of individuals:

(i) Instant messaging 02

(ii) Group support systems 04

(iii) Knowledge management systems 04

(b) Master Institute is planning to implement a PeopleSoft ERP solution for its examination system in order to meet high quality standards in examination and to improve the higher education commission (HEC) rating of the institute.

Required:

Discuss the various needs to be determined by the project manager during the project planning phase of software development/ acquisition or maintenance for this project. 08

Q. 5 (a) Internal controls are normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risks to the organization. An IT solution provider company engages its board of directors and senior management in establishing the appropriate culture to facilitate an effective and efficient internal control system, and in continuously monitoring the effectiveness of the internal controls within the organization.

Required:

Briefly discuss different control classifications, their respective functions and usages with examples that should be considered when evaluating control strength in any organization. 08

(b) Information security has now become a significant governance issue as a result of global networking, rapid technological innovation and change, increased dependence on IT, increased sophistication of threat agents, and an extension of the enterprise beyond its traditional boundaries. Due to the importance of information security, the bank's management has created the post of Chief Information Officer (CIO) and Mr. Yaseen is appointed to this post. Just after his appointment, the CIO established a steering committee.

Required:

Discuss in detail the role and responsibilities of the 'steering committee' and the 'CIO' in a banking organization. 06

/SITA-Spring 2015 3 of 4 PTO



Q. 6 (a) The changing technological infrastructure and the manner in which it is operated have led to evolving ways to perform audits and specific reviews. Roshan company has engaged you as an IS auditor to review its database.

Required:

Discuss at least five (5) different areas to be reviewed and associated questions to consider, while working on database review auditing task. 05

(b) An Islamic bank has implemented a core banking solution in a centralized environment. All other delivery channels, i.e., internet banking, ATM etc., are also operational. The centralized server, internet banking web servers and ATM switch are located in the bank's data center. The bank has got its own WAN, with inter-city links, connecting 100 cities across the country. The bank developed its business continuity planning (BCP) in compliance with State Bank of Pakistan policies. Business impact analysis (BIA) is a critical step in developing the business continuity strategy.

Required:

Discuss different approaches for performing a BIA. Also explain the recovery point objective (RPO) and recovery time objective (RTO) in BIA and at least two different recovery alternatives for banking sector to be incorporated in their BCP. 06

THE END

/SITA-Spring 2015 4 of 4


ISITA-Mar.2015 1 of 2 PTO

ICMA Pakistan

INFORMATION SYSTEMS AND I.T. AUDIT (BML-303) SEMESTER-3

FALL 2014 EXAMINATIONS Thursday, the 5th March 2015

Time Allowed: 02 Hours 30 Minutes Maximum Marks: 70 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(iv) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.

(vi) Question No. 1 - "Multiple Choice Question" printed separately, is an integral part of this question paper.

(vii) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

Q. 2 (a) Xeon Limited is a large multinational bank. It has recently received a license to operate banking business in Pakistan. The management of the bank has decided to develop its own banking software and has recently awarded a software development contract to a local software consulting company. When the project kicked off, the project manager who had been assigned to this project applied his own software development methodology instead of an internationally recognized Software Development Life Cycle (SDLC).

The bank has deputed you on this project as IS auditor. As part of your job responsibility, you are required to identify the risks associated with non-compliance with international standards for software development methodology, which the project manager has not adopted.

List at least four potential risks to which the bank may be exposed due to the use of a non-standard software development methodology, with suggested controls. 08

(b) Audit risk is the risk that information or a financial report may contain a material error, or that the IS auditor may not detect an error that has occurred. Explain in brief how you would categorize audit risks. 08

Q. 3 (a) You are an IS auditor of Glorious (Private) Limited, a large accounting firm. As part of its human resource development plan, Glorious recently arranged overseas training in Computer-Assisted Audit Techniques (CAATs) for its IS audit team. You were one of the team members who travelled for the CAATs training. When you resumed office after successful completion of the training, the senior management of Glorious asked you to transfer the CAATs knowledge to its IS Audit team members. In order to conduct the knowledge transfer session, you are required to develop a presentation that should include:

i) Applications of CAATs (at least five)

ii) Advantages and disadvantages of CAATs (at least four of each)

Describe the important points in brief. 13

(b) Lincoin Limited, a group of companies, has branch offices in all major cities of Pakistan. Lincoin Limited has good IT infrastructure across all its branches. Its data processing facilities are highly sophisticated and run a number of software applications. A few months ago Lincoin's IT facilities were shut down for two weeks due to an unforeseen application server disaster that caused significant losses in business, since timely information was not available for decision making. The IT business continuity plan (BCP) was in place, but it did not recover the business applications successfully as expected when applied in the disaster recovery event. Due to the ineffectiveness of the BCP, the management of Lincoin has decided to get it reviewed by an external IS auditor. State at least ten basic elements that should be verified by the IS auditor while reviewing the BCP. 05



ISITA-Mar.2015 2 of 2


Q. 4 (a) There are various project management techniques and tools available to assist the project manager in the software development process. In the current revolutionary age of information technology, the Agile project management process is considered highly successful. Describe in brief the Agile project management method, with at least 10 Agile principles that support project teams in implementing the Agile project management method. 12

(b) Wolex Enterprises is a large distribution company dealing in life saving drugs. Currently it has a very small distribution network; however, the management intends to launch its operations in all major cities of the country. Wolex's operations feasibility team is in consultation with various firms engaged in developing the infrastructure facilities and recruiting the work force. However, the outsourcing option for IT support services is also under consideration. You, as a senior member of the Wolex feasibility team, are required to come up with four benefits and four limitations that bear on the outsourcing proposal. 08

Q. 5 (a) A database is a collection of structured data organized in rows and columns. The usage of a database has various significant strengths such as:

- reduced data redundancy

- improved data integrity

- allows data sharing

- reduced development time

Explain each of the strengths as indicated above. 08

(b) Symbol Electronics Limited (SEL) is a medium sized manufacturing company involved in assembling and exporting domestic electronic goods. During the last year, SEL incurred significant losses on several large export consignments due to shipments running three weeks over schedule. Upon investigation by the internal IS Audit team, the production manager of SEL held the suppliers responsible for not delivering the raw material on time, while the suppliers were of the view that the delivery lead time was not considered by the SEL procurement department when raw material orders were placed. In order to overcome the issue of delayed acquisition of raw material, the management of SEL has decided to adopt the Business-to-Business (B2B) model. You, as head of Information Technology of SEL, briefly explain the B2B model and specify its key characteristics. State the advantages and disadvantages of the B2B model. 08

THE END


1 of 2 ISITA/August-2014

ICMA Pakistan

INFORMATION SYSTEMS AND I.T. AUDIT (ML-303) SEMESTER- 3

SPRING (AUGUST) 2014 EXAMINATIONS Thursday, the 21st August 2014

Time Allowed: 02 Hours 30 Minutes Maximum Marks: 80 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(vi) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

Q.2 (a) Enterprise Resource Planning (ERP) is an industry term for integrated, multi-module application software packages that are designed to support multiple business functions. Due to its importance and effective operational needs, the management of an automobile manufacturing company plans to implement an ERP system in order to integrate its different departmental functions. Briefly explain the different implementation phases of an ERP system. Discuss the benefits achieved by the company by effectively implementing an ERP system in the organization. 09

(b) Recent research shows that most of the time, approximately 80% of a computer system's CPU capacity remains in the idle state. The operating system is a resource manager and optimizes the CPU resources. Discuss the different classes of operating system. 05

Q.3 (a) A Decision Support System (DSS) is an interactive information system that provides information, models and data manipulation tools to help make decisions in semi-structured and unstructured situations. Discuss eight important techniques used in decision making in a Decision Support System (DSS). 10

(b) An organization has deployed an MIS system and has advertised Database Administrator (DBA), Project Manager and Application Developer jobs in a leading newspaper to fill its vacant positions. Discuss the role and job description of each post to effectively implement and manage the MIS system in the organization. 06

Q.4 (a) A multinational bank has established a data center in its head office. A 50 Terabyte capacity Storage Area Network (SAN), blade servers, a CISCO router and PIX firewalls have been deployed in the network infrastructure of the data center. Proper environmental and physical controls can ensure equipment reliability as per manufacturer (e.g., IBM and CISCO) recommendations in the equipment data sheets, which can reduce the risk of any downtime. The management of the bank has engaged an IT auditor for a LAN and network operating review. Consider yourself as the IT Auditor and highlight the minimum six requirements related to the organization's LAN and network operating review. 10

(b) Due to the revolution in network technology, wireless security provides prevention of unauthorized access or damage to computers using wireless networks. Discuss three principal ways to secure wireless networks. 06

PTO



2 of 2 ISITA/August-2014


Q.5 (a) Students of XYZ University have developed mobile applications and have advertised them on the university web site. To promote this product through e-commerce activity they need a merchant account. Discuss the need for and requirements of a merchant account in our country to promote e-commerce business activities. Elaborate six different payment methods used in e-commerce business. 09

(b) For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The network manager of M/s UNICOM has decided to upgrade its CISCO 12000 series router as per the CISCO TAC (Technical Assistance Center) recommendation. A change management procedure is used when changing hardware, upgrading the operating system and configuring various network devices. Discuss the effects of proper procedures/ SOPs being followed and deployed during this migration process. 07

Q.6 (a) Most business continuity tests fall short of a full-scale test of all operational portions of the corporation. The test should address all critical components and simulate actual prime-time processing conditions. Discuss the different tasks to be accomplished by 'Continuity Plan Testing'. Explain the five test phases that should be completed to perform full testing. 09

(b) Software development practitioners have developed alternative development strategies to reduce development time, reduce maintenance costs or improve the quality of software. Compare the advantages and disadvantages of the waterfall model, spiral model and prototyping models used in software development methodologies. 09

THE END


1 of 2 ISITA/May-2014

ICMA Pakistan

EXTRA ATTEMPT, MAY 2014 EXAMINATIONS

Saturday, the 24th May 2014

INFORMATION SYSTEMS AND I.T. AUDIT (ML-303) SEMESTER- 3

Time Allowed: 02 Hours 30 Minutes Maximum Marks: 80 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.

(vi) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

Q.2 (a) A traditional system development life cycle (SDLC) approach is made up of a number of distinct phases, each with a defined set of activities and outcomes. Identify the phases and discuss in detail the purpose of each phase and the general activities performed in each phase. 12

(b) Assume that you are helping the IT manager of a supermarket in managing its databases. What different methods of accessing data would you use for their databases? 06

Q.3 (a) Discuss the various types of e-commerce models. E-commerce depends heavily on the existence of a level of trust between two parties to avoid the risk factor. State the most important elements of risk in e-commerce. 09

(b) Wireless transmission does not need a fixed physical connection because it sends signals through air or space. Discuss the four common types of wireless transmission and how their applications differ in scale and complexity. 06

Q.4 (a) Outsourcing is one of the business practices and strategies organizations use to reduce operational cost and concentrate on their core business areas. Cloud computing is one of the techniques of outsourcing. Elaborate the different cloud computing service models. Discuss the advantages, disadvantages and business risks related to outsourcing. 08

(b) Adequate planning is necessary in performing an effective IS audit. Discuss the various types of audits, internal or external, and the audit procedures associated with each audit that an IS auditor should understand. 08

Q.5 (a) Disaster recovery planning (DRP) is a continuous process. When the normal production facilities become unavailable, the business may utilize alternate facilities to sustain critical processing until the primary facilities can be restored. Discuss the most common recovery alternatives in detail. 10

(b) You have been assigned to audit a multinational company having its offices around the globe. Discuss the areas of IS auditing which should be kept in mind while performing an audit of any company with a global presence. 09

PTO



2 of 2 ISITA/May-2014


Q.6 The most critical factor in protecting information assets and privacy is laying the foundation for effective information security management. Identify and discuss at least six key elements of an information security management system. 12

THE END


1 of 2 ISITA/Feb-2014

ICMA Pakistan

FALL 2013 (FEBRUARY 2014) EXAMINATIONS

Saturday, the 22nd February 2014

INFORMATION SYSTEMS AND I.T. AUDIT (ML-303) SEMESTER- 3

Time Allowed: 02 Hours 30 Minutes Maximum Marks: 80 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No., or any irrelevant information inside the answer script.

(vi) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

Q.2 (a) Most business information systems are based on databases. In fact, the web is not a database; however, it illustrates the capabilities of hypermedia databases. Discuss the features of a hypermedia database. Also write the difference between searching for required information using a traditional database and using the World Wide Web metaphor. 09

(b) An expert system makes sure that important factors of an event have not been ignored and provides information that helps the person make a good decision. Differentiate, with the help of an appropriate example, between the forward chaining and backward chaining logics used by expert systems. 08

Q.3 (a) The PeopleSoft ERP system of XYZ Courier Company has crashed. Data backup is a key preventive measure. It ensures that the critical activities of an organization are not interrupted in the event of a disaster. Discuss the different types of disk-based backup systems and the criteria for choosing different types of backup devices and media for early restoration of data. 09

(b) One of the most interesting market mechanisms in e-commerce is the electronic auction, which uses the B2C, B2B, C2B, G2B and G2C business models. Differentiate between forward and reverse e-auctions with examples. Also discuss the role of the broker and of barter in the e-marketplace. 08

Q.4 (a) To ensure a high level of computer hardware and network availability, XYZ Company has signed a service maintenance contract, including spare parts, with the local IBM vendor for information system support and maintenance work. The hardware maintenance program is designed to document the performance of hardware maintenance. Discuss the mandatory information which should be maintained in a hardware maintenance program. Also elaborate typical procedures and reports for monitoring the effective and efficient use of hardware. 09

(b) A project team with participation by technical support staff and key users should be created to write a request for proposal (RFP). Elaborate seven different areas which should be included in the contents of this or any RFP document. 07

PTO



2 of 2 ISITA/Feb-2014


Q.5 (a) An IT audit firm is planning the migration of its critical data from an old FOXPRO database system to a new Oracle 9i database system. This large-scale data conversion becomes a project within a project. Discuss the necessary steps for a successful data conversion process. 10

(b) Remote access is a common technique to monitor and configure network devices using Telnet and other utility software. Discuss the different remote access connectivity methods. How can an organization implement remote access security to avoid any chance of access to the company's intranet by any intruder, cracker, or hacker? 08

Q.6 Why do organizations need a Transaction Processing System (TPS), a Management Information System (MIS) and an Executive Information System (EIS)? How did the Management Information System (MIS) emerge partly as a response to the shortcomings of the first computerized transaction processing systems? Similarly, the Executive Information System (EIS) attempts to overcome the shortfalls of the traditional MIS approach. Elaborate this evolution in information systems. Do MIS and EIS really solve managers' problems?

12

THE END


1 of 2 ISITA/E-Attempt.2013

ICMA Pakistan

EXTRA ATTEMPT, NOVEMBER 2013 EXAMINATIONS Tuesday, the 26th November 2013

INFORMATION SYSTEMS AND I.T. AUDIT – (ML-303)

SEMESTER- 3

Time Allowed: 02 Hours 45 Minutes Maximum Marks: 90 Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.

(vii) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

SECTION – “A”

Q.2 (a) Modern E-commerce architectures consist of a variety of complex integrated components. Explain four significant components of e-commerce architecture.

06

(b) E-businesses use a variety of computer hardware architectures. These computers are used both at the client and the service provider end. Explain any three types of computers based on their processing power, size and architecture.

09

Q.3 (a) There are three major forms of organizational alignment for project management within a business organization. Discuss each. 06

(b) Problem management is one of the key functions of information system operations. Discuss three important duties of the IS manager with respect to the problem management function.

09

Q.4 (a) Information system development may involve developing a new system or modifying an existing one. In either case, IS management is required to prepare various types of feasibility studies. What are the five important functions of the IS auditor while analyzing these feasibility studies?

05

(b) A variety of database models are used in information systems today. Explain any five key features of the network database model and the relational database model.

10

SECTION – “B”

Q.5 (a) A risk-based audit approach is usually adopted to develop and improve the continuous IS audit process. Explain five stages of risk-based audit approach.

10

(b) Steering Committees play a strategic role in information systems management and ensure that the IS department is in harmony with the corporate mission and objectives. List five primary functions performed by the Steering Committee.

05


2 of 2 ISITA/E-Attempt.2013

MARKS

Q.6 (a) Data conversion is a significant activity in information system development life cycle. Explain five significant points to be considered in a data conversion project.

05

(b) The system development life cycle (SDLC) approach does not guarantee successful completion of an IS development project. It involves a magnitude of risk that needs to be controlled. Explain six responsibilities of the IS auditor in controlling the risks of an inadequate system development life cycle.

06

Q.7 (a) Firewalls generally act as the first line of defence in securing corporate internal networks from external threats. List six general features of firewalls. Also list three problems faced by organizations after implementing firewalls.

09

(b) The IS processing insurance policy is usually a multi-tiered policy designed to provide various types of IS risk coverage. Explain five types of coverage provided in an IS processing insurance policy.

10

THE END

ICMA Pakistan

Time Allowed: 02 Hours 45 Minutes Maximum Marks: 90

SPRING 2013 EXAMINATIONS Saturday, the 31st August 2013

INFORMATION SYSTEMS AND I.T. AUDIT - (ML-303)

SEMESTER- 3

Roll No.:

(i) Attempt all questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, effective presentation, language and use of clear diagram/ chart, where appropriate.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) Question No.1 - "Multiple Choice Question" printed separately, is an integral part of this question paper.

(vii) Question Paper must be returned to invigilator before leaving the examination hall.

MARKS

SECTION - "A"

Q.2 (a) Leading companies, whether or not they are typically associated with information technology, are using information technology extensively in their businesses. In this regard, how can we differentiate between E-commerce and E-business? 08

(b) IT service management is a concept that describes IT management as a series of processes and procedures that provide "service" to the business. What is the significance of the Service Level Agreement (SLA) in IT service management? 07

Q.3 (a) Effective management of every project requires clear goals, deliverables and schedules. What are some of the specific challenges associated with effective management of IS projects? 08

(b) Information systems are designed to support decision-making in one way or another. Identify and explain the steps in decision making. 06

Q.4 (a) WAN links and devices need to be monitored and managed, and all network devices are network-manageable. Discuss the different areas of network management defined by ISO. How are network devices managed using SNMP (Simple Network Management Protocol)? 08

(b) Computer systems are deployed in a way that mirrors business processes and can be used as per the requirements of the users or the organization. Discuss the advantages and disadvantages of the four alternative approaches to computing in organizations. 08

SECTION - "B"

Q.5 (a) Each organization, irrespective of size, industry or finances, needs to comply with various IS-related governmental and external laws and regulations. What possible impact can these laws and regulations have on the IS audit planning of the organization? 10

(b) IT governance policies and procedures are developed by the top management of the organization. Why should an IS auditor pay close attention to these policies and procedures during the IS audit? 06

1 of 2 ISITA/Spring.2013

MARKS

Q.6 (a) Without a well-devised information security management system (ISMS), state-of-the-art security features and devices alone are not enough to protect the organizational IS. What should be some of the key features of this ISMS? 08

(b) 'Change management' is an important process of information system maintenance practices. How important is the role of change requests in the change management process? 06

Q.7 (a) 'Disaster planning' is very important to avoid damages caused by unforeseen events. What are some of the specific issues related to information systems (IS) that make IS disaster planning more important? 06

(b) There are three main schemes for backup, and each one has advantages and disadvantages over the others. Explain. 09
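The three schemes the question refers to are full, incremental and differential backup. The following is an added example, not part of the past paper, that models the trade-off the question asks about: how much is copied on each backup day and how many backup sets must be applied to restore. The file names and change pattern are constructed, hypothetical data.

```python
# Added example: compare full, incremental and differential backup schemes.
# A full backup is taken on day 0; on each later day some files change (constructed data).
ALL_FILES = {"ledger.db", "payroll.csv", "config.ini"}
CHANGES = [{"ledger.db"}, {"payroll.csv"}, {"ledger.db"}]   # files modified on day 1, 2, 3


def backup_sets(all_files, changes_by_day, scheme):
    """Return a list whose element i is the set of files copied by the backup on day i.

    full:         every file, every day.
    incremental:  only files changed since the previous backup of any kind.
    differential: every file changed since the last full backup (grows each day).
    """
    sets = [set(all_files)]          # day 0 is always a full backup
    since_full = set()
    for changed in changes_by_day:
        if scheme == "full":
            sets.append(set(all_files))
        elif scheme == "incremental":
            sets.append(set(changed))
        elif scheme == "differential":
            since_full |= changed
            sets.append(set(since_full))
        else:
            raise ValueError(f"unknown scheme: {scheme}")
    return sets


def restore_chain(scheme, day):
    """Which backup sets (by day index), in order, rebuild the data as of `day`."""
    if scheme == "full":
        return [day]                         # one set, but the largest one
    if scheme == "incremental":
        return list(range(day + 1))          # full plus every incremental; one lost set breaks the chain
    if scheme == "differential":
        return [0] if day == 0 else [0, day] # full plus the latest differential only
    raise ValueError(f"unknown scheme: {scheme}")


def restore_is_complete(all_files, sets, chain):
    """Check that applying the chain in order yields every file (the property a restore test must verify)."""
    restored = set()
    for day in chain:
        restored |= sets[day]
    return restored == set(all_files)


if __name__ == "__main__":
    for scheme in ("full", "incremental", "differential"):
        sets = backup_sets(ALL_FILES, CHANGES, scheme)
        chain = restore_chain(scheme, 3)
        print(scheme, "copies per day:", [len(s) for s in sets],
              "restore day 3 needs sets", chain, "complete:", restore_is_complete(ALL_FILES, sets, chain))
```

The output makes the trade-off concrete: incremental copies the least each day but needs the whole chain (and fails if any one set is lost), differential copies more each day but restores from two sets, and full copies everything every day but restores from one set.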

THE END

2 of 2 ISITA/Spring.2013

1 of 2 ISITA/February.2013

INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Fall 2012 (February 2013) Examinations

Saturday, the 23rd February 2013

INFORMATION SYSTEMS & I.T. AUDIT – (ML-303) SEMESTER - 3

Time Allowed – 2 Hours 45 Minutes Maximum Marks – 90 Roll No.:

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper. (vii) Question Paper must be returned to the invigilator before leaving the examination hall.

MARKS SECTION – “A”

Q. 2 (a) What do you understand by “Data Integrity Testing”? A multinational stock exchange company uses an online multi-user transaction processing system controlled by an Oracle DBMS. Discuss the properties of the ACID principle used in this online Oracle-based transaction processing system.

07
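As an added illustration of the ACID properties the question asks about (this is example code, not part of the past paper, and uses SQLite rather than Oracle because it ships with Python), the transfer below is atomic and consistent: a CHECK constraint expresses the integrity rule, and when either update fails the whole transaction is rolled back so the ledger never shows a half-applied transfer. The account names and balances are constructed sample data.

```python
import sqlite3


def make_ledger():
    """In-memory ledger with an integrity rule (no negative balances) enforced by the DBMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "  id TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    # constructed sample data
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst atomically.

    Returns True on commit, False if the DBMS rejected the transaction. The `with conn:`
    block commits on success and rolls back on any exception, so the debit can never be
    durable without the matching credit (Atomicity); the CHECK constraint guarantees the
    committed state obeys the balance rule (Consistency).
    """
    try:
        with conn:
            debit = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
            credit = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            # A missing account is not a constraint violation, so check it explicitly;
            # raising inside the block triggers the rollback.
            if debit.rowcount != 1 or credit.rowcount != 1:
                raise LookupError("unknown account")
        return True
    except (sqlite3.IntegrityError, LookupError):
        return False


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


if __name__ == "__main__":
    conn = make_ledger()
    print(transfer(conn, "alice", "bob", 30), balances(conn))    # committed
    print(transfer(conn, "alice", "bob", 500), balances(conn))   # overdraft: rolled back
    print(transfer(conn, "alice", "carol", 10), balances(conn))  # unknown payee: debit rolled back too
```

A data integrity test on such a system would drive exactly these failing cases and confirm that the total of all balances is unchanged afterwards; the third case is the one that is easy to miss, because without the row-count check the debit of a non-existent payee would commit silently.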

(b) Discuss the importance of Customer Relationship Management (CRM) in meeting the expectations of customers. Distinguish between operational and analytical CRM. 08

Q. 3 (a) “Modern operating systems provide virtualization features.” Elaborate the statement. ABC Company is planning to reduce its operational cost by implementing a virtualization solution. Compare the advantages and disadvantages of this solution.

06

(b) Moving data in a batch transmission process through the traditional Electronic Data Interchange (EDI) process involves three functions within each trading partner's computer system. List and briefly explain these functions used in the traditional EDI process.

09

Q. 4 (a) Software development organizations implement process methodologies. Discuss the features of the waterfall and spiral models. How does the spiral model support risk management?

07

(b) A multinational bank is establishing branches all over the country. These will be integrated through a WAN. Discuss different WAN technologies, along with their features, that can provide secure point-to-point connectivity of all its branches to the bank's Head Office. (any eight)

08


2 of 2 ISITA/February.2013

MARKS

SECTION – “B”

Q. 5 (a) “Encryption” is the need of today's e-business. Discuss why symmetric encryption is used for data encryption and asymmetric encryption is used in the key exchange mechanism. If an individual wants to send messages using a public key cryptographic system, how does s/he distribute the public key in a secure way?

08

(b) The changing technological infrastructure requires specific reviews of hardware, operating systems, IS operations, databases and networks. As an IS auditor, discuss the main areas which need to be reviewed related to hardware.

06

Q. 6 (a) “Policies and procedures” reflect management guidance in developing controls over information systems. IS auditors should use policy as a benchmark for compliance. Discuss the main features of an information security policy document. How can an IS auditor ensure compliance with the Acceptable Internet Usage Policy?

06

(b) How do CAATs help the IS auditor in gathering information from the hardware and software environment? Generalized audit software (GAS) is a main tool used in CAATs. Discuss the different functions supported by GAS.

09

Q. 7 (a) There are various reasons to create Access Control Lists (ACLs). Discuss. How can a network administrator secure the network by implementing extended ACLs on a company router interface?

08
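The point an answer to Q.7(a) needs to make is that extended ACLs filter on protocol, source, destination and port, that entries are evaluated top-down with the first match winning, and that anything not explicitly permitted is dropped by the implicit deny at the end. The following added example (not part of the past paper) evaluates a small, hypothetical extended ACL protecting a server at 10.2.0.10 with those semantics, and also renders it in IOS syntax to show how wildcard masks are derived; the addresses and policy are constructed.

```python
import ipaddress

# Constructed, hypothetical policy: (action, protocol, source, destination, destination port; None = any port)
ACL = [
    ("permit", "tcp",  "10.1.0.0/16", "10.2.0.10/32", 443),   # HTTPS from the inside network
    ("deny",   "tcp",  "0.0.0.0/0",   "10.2.0.10/32", 23),    # Telnet to the server from anywhere
    ("permit", "icmp", "10.1.0.0/16", "10.2.0.0/24",  None),  # ping from the inside network
]


def matches(entry, proto, src, dst, dport):
    _action, e_proto, e_src, e_dst, e_port = entry
    if e_proto != "ip" and e_proto != proto:          # "ip" would match any protocol
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(e_src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(e_dst):
        return False
    return e_port is None or e_port == dport


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; index -1 marks the implicit 'deny any' that ends every ACL."""
    for i, entry in enumerate(acl):
        if matches(entry, proto, src, dst, dport):
            return entry[0], i
    return "deny", -1


def _cisco_addr(cidr):
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    # IOS uses a wildcard mask, the bitwise inverse of the subnet mask (0 bits must match)
    return f"{net.network_address} {net.hostmask}"


def to_cisco(acl, number=110):
    """Render the entries as numbered extended ACL statements (100-199 range)."""
    lines = []
    for action, proto, src, dst, port in acl:
        parts = [f"access-list {number} {action} {proto}", _cisco_addr(src), _cisco_addr(dst)]
        if port is not None:
            parts.append(f"eq {port}")
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    for line in to_cisco(ACL):
        print(line)
    print(evaluate(ACL, "tcp", "10.1.5.5", "10.2.0.10", 443))  # ('permit', 0)
    print(evaluate(ACL, "tcp", "10.1.5.5", "10.2.0.10", 22))   # ('deny', -1): SSH is not listed
```

Two practical consequences follow from the first-match rule: the most specific entries belong at the top (a broad permit placed first would shadow the Telnet deny), and because of the implicit deny the administrator must list every service that should work, then apply the list inbound on the interface facing the untrusted side.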

(b) Discuss the process of developing and maintaining an appropriate “Business Continuity Plan”. Explain the major tasks involved when an IS auditor is evaluating the suitability of a business continuity plan.

08

THE END


ISITA/August.2012 1 of 2

INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Spring (August) 2012 Examinations

Thursday, the 30th August 2012

INFORMATION SYSTEMS & I.T. AUDIT – (S-602) STAGE-6

Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56 Roll No.:

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.

(viii) Question Paper must be returned to the invigilator before leaving the examination hall.

MARKS SECTION – “A”

Q. 2 (a) What are the five major components of an idealized expert system? Expert system logic combines forward chaining and backward chaining. Explain. 10

(b) Distinguish between a database and data modeling. Give an example by illustrating the basic entity-relationship diagram tool for data modeling. 05

Q. 3 (a) The systems in organisations are built and maintained in terms of four phases. Illustrate these phases. Also list the common reasons for project failure in each phase. 08

(b) Define “Business Intelligence (BI)”. Identify its areas of application. Three main factors have been responsible for the increasing use of BI as a distinct field of IT. Explain these factors.

06

SECTION – “B” Q.4 (a) “Testing” is an essential part of the development process. Discuss testing and the elements of a software testing process. List the various types of testing. 08

(b) A large-scale data conversion requires considerable analysis, design and planning. Discuss the necessary steps for a successful data conversion. 06


ISITA/August.2012 2 of 2

MARKS Q.5 (a) A recovery strategy identifies the best way to recover a system (one or many) in case of interruption, including disaster, and provides guidance for developing recovery alternatives. Different strategies and recovery alternatives are available. Explain the most common recovery alternatives.

07

(b) General controls apply to all areas of the organization, including IT infrastructure and support services. Discuss. 06

THE END


1 of 2 ISITA/April.2012

INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

New Fall (E) 2011, April 2012 Examinations

Thursday, the 19th April 2012

INFORMATION SYSTEMS & I.T. AUDIT – (S-602) STAGE-6

Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56 Roll No.:

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.

(viii) Question Paper must be returned to the invigilator before leaving the examination hall.

MARKS SECTION – “A”

Q. 2 (a) Information technology and information systems are powerful and valuable tools for individuals and organizations. Identify and briefly discuss the obstacles and real-world limitations that have slowed the pace of implementation of IT-based innovation.

06

(b) The Principle-Based Systems Analysis (PBSA) method is an approach to improve a work system. PBSA converts the four steps of systems analysis into three steps that can be pursued in a situation. Briefly discuss these three steps.

06

Q. 3 (a) There are four approaches to system life cycles, each involving different processes; understanding them helps in deciding what method is appropriate for a particular situation. Discuss the four system life cycle approaches.

04

(b) The four main factors related to information usefulness are information quality, accessibility, presentation and security. Briefly discuss them. 08

(c) Briefly discuss the four aspects of the convergence of computing and communications. 04

SECTION – “B”

Q. 4 (a) An IS department can be structured in different ways, and the IS auditor should determine whether the job descriptions and structure are adequate. Briefly discuss the IS roles and responsibilities reviewed by an IS auditor related to the following:

i) Media Management ii) System Administration iii) Security Administration iv) Quality Assurance v) Database Administration vi) Network Administrators

06


2 of 2 ISITA/April.2012

MARKS

(b) Discuss the policies and procedures that reflect management guidance and direction in developing controls over information system. Explain the key points contained by the information security policy document.

08

Q. 5 (a) The IS auditor should be familiar with the different types of sampling techniques and their usage. Briefly touch upon the two general approaches to audit sampling. Identify the statistical sampling terms that need to be understood while performing variable sampling.

08

(b) Discuss the various roles and responsibilities of the groups/individuals that may be involved in the development process of a project management structure. 06

THE END


1 of 2

INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Winter (November) 2011 Examinations

Monday, the 21st November 2011

INFORMATION SYSTEMS & I.T. AUDIT – (S-602) STAGE-6

Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56 Roll No.:

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.

(viii) Appearing in Project, Presentation and Practical parts of the paper is compulsory.

(ix) Question Paper must be returned to the invigilator before leaving the examination hall.

MARKS SECTION – “A”

Q. 2 (a) What is an information system plan? 04

(b) Why do users and managers have to participate in information system planning and development? 04

(c) The capabilities of modern electronic communication systems help people work together by exchanging or sharing information in many different forms. Discuss six main tools of modern electronic communication systems being used in the present environment.

06

Q. 3 (a) Identify and explain five product performance variables used to evaluate any stage in the customer experience. 05

(b) Discuss common roles of information systems in improving the product of a work system. 04

(c) What is the difference between efficiency and effectiveness, and how is this related to the work system framework? 05

SECTION – “B” Q.4 (a) Explain the term “Risk Management” and the prerequisites for developing a risk management program. 05

(b) Discuss the three methods used for “risk analysis”. 03

(c) “Changeover technique” refers to shifting users from the existing (old) system to the new system. This can be achieved in three different ways. Discuss these in detail. 06


2 of 2

MARKS Q.5 (a) The IS audit process must continually change to keep pace with innovation in technology. Explain the three evolving changes in the IS audit process: automated work papers, integrated auditing and continuous auditing.

08

(b) Discuss the impact of laws and regulations on IS audit planning. 06

THE END


1 of 2

INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Summer (May) 2011 Examinations

Thursday, the 26th May 2011

INFORMATION SYSTEMS & I.T. AUDIT – (S-602) STAGE-6

Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56 Roll No.:

(i) Attempt ALL questions. (ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.

(viii) Question Paper must be returned to the invigilator before leaving the examination hall.

MARKS SECTION – “A”

Q. 2 (a) Information systems are tools for decision-making. Each type of information system supports both communication and decision-making in a number of ways. Explain in detail the system types and their impact on communication and decision-making.

6

(b) (i) Define each of the process performance variables. Describe how an information system can improve performance related to each of these variables.

5

(ii) What are the phases of building and maintaining a system? 5

Q. 3 (a) A computer system finds stored data either by knowing its exact location or by searching for the data. Different DBMSs contain different internal methods for storing and retrieving data. Explain sequential access, direct access, and indexed access methods for accessing data in a computer system.

6

(b) Define each of the five levels of integration. What kinds of problems sometimes result from tight integration?

6

SECTION – “B” Q. 4 (a) IS auditors' conclusions must be based on sufficient, relevant and competent evidence. Explain. Enumerate the determinants for evaluating the reliability of audit evidence. 5

(b) What are the project phases of physical architecture analysis? Explain. Different project phases are involved in planning the implementation of infrastructure. Discuss each phase.

6


2 of 2

MARKS Q. 5 (a) Control self assessment (CSA) is a management technique. Illustrate. What are the objectives of CSA? Highlight the benefits and disadvantages of CSA. 6

(b) (i) Testing is an essential part of the development process. An IS auditor plays a preventive role in the testing process. Enumerate the elements of a software testing process. Also explain the classifications of testing.

6

(ii) Contrast corporate governance and I.T. governance. Explain the role of audit in IT governance. 5

THE END


1 of 2

INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Fall (Winter) 2010 Examinations

Sunday, the 28th November 2010

INFORMATION SYSTEMS & I.T. AUDIT – (S-602) STAGE-6

Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.

MARKS SECTION – “A”

Q. 2 (a) (i) “Computer hardware owned and managed within a corporation can exist at any or all of the following levels: corporate headquarters, regional processing centers, workgroup processors and individual workstations.” Briefly elaborate.

04

(ii) What is the difference between centralized and decentralized approaches? How can an intermediate situation differ from these two extreme modes?

05

(b) How can Principle-based system analysis (PBSA) be applied to work systems, information systems and projects? 05

Q. 3 (a) An experienced manager who has worked for the last 30 years, and gradually moved from management trainee to the top executive position, is about to retire. The company relies heavily on the expertise of this senior executive and considers him the hub of tacit knowledge. An information technology expert of the company suggested that the core knowledge of the experienced manager, along with the tacit knowledge from his vast and diverse experience, can be captured and utilized efficiently through an “expert system”. The CEO asked the IT specialist to justify his idea and elaborate it to the board.

Required:

What is an Expert System? Discuss the building blocks of an Expert System. 09

(b) Intellectual property is different from other forms of property and therefore requires a different form of protection law. Define intellectual property and differentiate it from other copyright laws.

05

SECTION – “B” Q. 4 (a) Describe the phases involved in the System Development Life Cycle (SDLC). 06

(b) There are three elements or dimensions of a project that should always be taken into account. Explain.

03


2 of 2

MARKS (c) The IS auditor should understand the various types of audits that can be performed, internally or externally, and the audit procedures. Explain the classification of audits. 07

Q. 5 (a) An IS auditor plays a vital role in ascertaining the appropriateness of Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). Explain the tasks involved when an IS auditor is evaluating the suitability of business continuity.

04

(b) What crucial factors are to be considered when reviewing the BCP? 04

(c) How can emergency procedures be ensured during the evaluation of the DRP? 04

THE END


1 of 2

INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Spring (Summer) 2010 Examinations

Thursday, the 20th May 2010

INFORMATION SYSTEMS & I.T. AUDIT – (S-602) STAGE-6

Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed inside the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 – “Multiple Choice Question” printed separately, is an integral part of this question paper.

SECTION – “A” MARKS

Q.2 (a) Customers think about product performance in terms of variety of performance variables. Identify product performance variables that can be used to evaluate any stage in customer experience. Also illustrate typical performance measures for each variable and common ways information systems are used to improve the product.

07

(b) A neural network is an offshoot of artificial intelligence. It is an attempt to model the human brain.

(i) Explain the term “neural network”. 02

(ii) How does it operate? Explain the procedure. 03

(iii) Give any two real-life examples where neural network is applied. 02

Q.3 (a) ABC Corporation has its office in a multistoried building. Its various departments are spread over different floors of the same building. The physical security of the IT infrastructure, such as computers, peripherals and network devices, is up to the mark; however, the CTO is concerned about “controlling access to data”. Assume that the CTO of the company has hired you to address this issue. Prepare an account of “control techniques” including manual data handling, access privileges, and data flow through networks and other media.

07

(b) Electronic commerce (e-commerce), is one of the most popular e-business

implementations. What do you understand by e-commerce models? Discuss. 07

SECTION – “B”

Q.4 (a) After developing an audit program and gathering audit evidence, the next step is the evaluation of the information gathered in order to develop an audit opinion. This requires the IS auditor to consider a series of strengths and weaknesses and then develop audit recommendations.

(i) How can an IS auditor assess the strengths and weaknesses of the evidence gathered?

03

(ii) How can a control matrix be employed in this regard? 03


2 of 2

MARKS (iii) What critical role can the concept of materiality play in sifting relevant information for the audit report? 03

(b) Today, telecommunication networks are the key to business processes in both large and small organizations. However, organizations often do not give them the same priority as data centers. What are the telecommunication network disaster recovery methods, and how can we protect a network by using these methods?

05

Q.5 (a) Generally, each IT platform that runs an application, supporting a critical business function needs a recovery strategy. Discuss different alternative strategies in terms of cost and relevant level of risk.

07

(b) “System maintenance practices refer primarily to the process of managing change to application systems while maintaining the integrity of both the production source and executable code.” In the light of this statement, answer the following questions:

(i) Describe the change management process. 03

(ii) How are changes deployed? 02

(iii) Why is system documentation important in the change management process? 02

THE END


1 of 1

INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Fall (Winter) 2009 Examinations

Thursday, the 19th November 2009

INFORMATION SYSTEMS & I.T. AUDIT – (S-602) STAGE-6

Time Allowed – 2 Hours 45 Minutes Maximum Marks – 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

SECTION 'A'

Q.2 (a) Information systems are designed to support decision-making and management performance in one way or another. Identify and explain each step involved in the decision-making process with the help of a process flow diagram. (8 marks)

(b) How are social context and nonverbal communication important when communication technologies are used? (6 marks)

Q.3 (a) Describe the main uses of high-level, fourth-generation, object-oriented, and web-oriented programming languages and tools. (8 marks)

(b) Define the elements of a work system framework with the help of a diagram. (6 marks)

SECTION 'B'

Q.4 (a) IS auditors appreciate a well-managed IS department that achieves the organization's objectives. An effective IS department includes information systems management practices such as personnel management, sourcing and IT change management. Explain these in detail. (8 marks)

(b) What are the typical physical access controls employed by organizations that have sufficient IT assets and specific budgets allocated for their protection? (6 marks)

Q.5 (a) A medium-sized company operating in a client-server environment links its several branches to the head office located in the same city. How can an IS auditor ensure the security of this client-server environment? Enumerate. (6 marks)

(b) Control Self-Assessment (CSA) can be defined as a management technique. Explain. What are the benefits and disadvantages of CSA? Define the IS auditor's role in the implementation of CSA. (8 marks)

THE END



INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Spring (Summer) 2009 Examinations

Wednesday, the 20th May 2009

INFORMATION SYSTEMS & I.T. AUDIT - (S-602)

Stage-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

SECTION 'A'

Q.2 (a) Data communication provides the underpinning of networks and electronic commerce. Explain how data is transmitted from one computer to another with reference to the OSI model. (7 marks)

(b) Information systems depend on software resources to help end-users use computer hardware to transform data into information products. What are the different types of such software resources? Explain each, illustrating with examples. (7 marks)

Q.3 (a) Illustrate some benefits of using expert systems in different organizations. What problems are faced during the development and use of an expert system? (5 marks)

(b) A software development life cycle (SDLC) is a logical process that system analysts and system developers use to develop software packages. What is the purpose of using an SDLC? Explain the different phases of the SDLC. (5 marks)

(c) One of the tools of software development is prototyping. How does prototyping help software engineers in software development? (4 marks)


SECTION 'B'

Q.4 (a) What are the typical categories of authentication? What is two-factor authentication? Give an example. What are token-based authentication devices? Briefly describe their working. Which category of authentication do they belong to, and how? (7 marks)
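Most token-based devices are one-time-password generators, so the question is easiest to answer with one in front of you. The Python below is an added illustration for this question, not part of the ICMAP paper or any model answer: it implements the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms such a token runs, and a two-factor login that combines a password (something you know) with the token code (something you have). The seed is the RFC test-vector value, the password and salt are constructed, and the class name TwoFactorUser and its anti-replay rule are this example's own design rather than anything from a standard.

```python
"""Token-based one-time passwords (HOTP, RFC 4226; TOTP, RFC 6238) and a
two-factor login check. Added illustration; not part of the ICMAP paper."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226/6238 reference seed, used here only as a constructed test value.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP: HOTP whose counter is the number of `step`-second periods since the epoch.
    Device and server share only `secret` and a clock; nothing travels between them,
    which is why a hardware token can work with no network connection at all."""
    return hotp(secret, at // step, digits, algo)


def matching_counter(secret: bytes, code: str, at: int, window: int = 1,
                     step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time-step counter for which `code` is valid, tolerating `window`
    steps of clock drift either side, or None. Constant-time comparison throughout."""
    now = at // step
    for counter in range(now - window, now + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


class TwoFactorUser:
    """Something you know (a password) plus something you have (the token seed)."""

    def __init__(self, password: str, seed: bytes, salt: bytes = b"constructed-salt"):
        # Constructed salt for the illustration; use os.urandom(16) per user in practice.
        self.salt = salt
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.seed = seed
        self.last_counter = -1          # highest time-step already consumed (anti-replay)

    def login(self, password: str, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        pw_ok = hmac.compare_digest(candidate, self.pw_hash)
        counter = matching_counter(self.seed, code, at)   # evaluated even if pw failed
        token_ok = counter is not None and counter > self.last_counter
        if pw_ok and token_ok:
            self.last_counter = counter     # a one-time code must be accepted once only
            return True
        return False
```

Both factors are always evaluated so a wrong password and a wrong code take the same path; the `last_counter` rule is what turns "something you have" into a one-time credential, because an intercepted code cannot be replayed within its validity window.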

(b) Describe the significance for an IS auditor of ensuring that hiring and termination procedures are clear and comprehensive. How can an IS auditor verify that these procedures are being practised? (7 marks)

Q.5 (a) Briefly describe how laws and regulations affect IS audit. How would IS auditors determine an organization's level of compliance with external requirements? (5 marks)

(b) How can unnecessary system outages resulting from system configuration be controlled? How can IS auditors ensure that appropriate controls are present in this regard? How do media controls address media transportation, storage, reuse and disposal? Give a media control example for each type of activity. (5 marks)

(c) What is contracting? Define the different elements of a contract. What is the purpose of such contracts besides third-party outsourcing? (4 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

Fall (Winter) 2008 Examinations

Wednesday, the 19th November 2008

INFORMATION SYSTEMS & I.T. AUDIT - (S-602)

Stage-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

SECTION 'A'

Q.2 (a) With technology becoming more advanced, purchasing over the internet has become the norm. A successful e-commerce system must address the many stages consumers experience in the sales life cycle. Discuss the multi-stage model for purchasing over the internet in detail with the help of an illustration. (10 marks)

(b) There are a number of challenges that must be overcome for a company to convert its business processes from the traditional form to e-commerce processes. Elaborate on these challenges with examples. (4 marks)

Q.3 (a) How does enterprise software work? Name some business processes supported by enterprise software. Why are enterprise systems difficult to implement and use effectively? Name at least three (03) commonly known ERP solution platforms. (4 marks)

(b) How have the value chain and competitive forces models changed as a result of the internet and the emergence of digital firms? Briefly discuss. (4 marks)


(c) There have been a few actions by major hardware and software vendors in the past that initiated discussion about the need for consumers to be on guard to protect their privacy. Describe and discuss at least two of the most important cases in this regard. (6 marks)

SECTION 'B'

Q.4 (a) Why is the testing of Disaster Recovery and Business Continuity Planning so important? What are the important elements to be considered, and what tasks should be accomplished by such a test? (7 marks)

(b) Why are digital signatures and digital certificates important for electronic commerce? What are the three major issues when a certificate needs to be revoked? Also describe a CRL. (4 marks)

(c) What are controls? Distinguish between general controls and application controls. (3 marks)

Q.5 (a) It is a general belief that an IS auditor's conclusions must be based on sufficient, relevant and competent evidence. Elaborate on the techniques for gathering evidence. (5 marks)

(b) What is an Artificial Intelligence System (AIS), and what are the major branches of AIS? Discuss expert systems along with their capabilities and the characteristics limiting their current usefulness. (9 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

SPRING (SUMMER) 2008 EXAMINATIONS

Sunday, the 25th May, 2008

INFORMATION SYSTEMS & I.T. AUDIT - (S-602)

Stage-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the question paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks, which form the part of this paper.

(vii) Question No.1 - "Multiple Choice Question", printed separately, is an integral part of this question paper.

SECTION 'A'

Q.2 (a) It is a fact that the majority of enterprises could not succeed without possessing data concerning their external environment and their internal operations. How can the use of data flow diagrams aid enterprises through the provision of better-quality decision-making information? (4 marks)

(b) A system must pass the ACID test to be considered a true transaction processing system. What are the properties of the ACID test? (5 marks)
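The four ACID properties are easiest to see on a concrete transaction. The Python below is an added illustration for this question, not part of the ICMAP paper or any model answer; it uses SQLite from the standard library, and the account names and balances are constructed sample data. A funds transfer is run as one transaction in three variants (an overdraft blocked by a CHECK constraint, a credit to an account that does not exist, and a valid transfer), then a second connection shows that an uncommitted write is invisible to other readers, and a fresh connection shows that the committed state survives.

```python
"""The four ACID properties demonstrated on a funds transfer in SQLite (Python
stdlib). Added illustration; not part of the ICMAP paper. Accounts and amounts
are constructed sample data."""
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE accounts (
    id      TEXT PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance >= 0)   -- Consistency: no overdraft, ever
);
"""


class TransferError(Exception):
    """Raised inside a transaction to force a rollback."""


def make_bank(path: str) -> None:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    conn.close()


def balance(conn: sqlite3.Connection, account: str) -> int:
    rows = conn.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchall()
    return rows[0][0]


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Atomicity: the debit and the credit succeed together or not at all.
    Returns True if committed, False if rolled back."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    try:
        with conn:   # BEGIN ... COMMIT on success, ROLLBACK on any exception
            for account, delta in ((src, -amount), (dst, amount)):
                cur = conn.execute(
                    "UPDATE accounts SET balance = balance + ? WHERE id = ?", (delta, account))
                if cur.rowcount != 1:       # unknown account: money must not vanish
                    raise TransferError(f"no such account: {account}")
        return True
    except (sqlite3.IntegrityError, TransferError):
        return False


def isolation_demo(path: str) -> tuple:
    """Isolation: a reader never sees another connection's uncommitted write."""
    writer = sqlite3.connect(path, timeout=5)
    reader = sqlite3.connect(path, timeout=5)
    writer.execute("UPDATE accounts SET balance = balance - 10 WHERE id = 'alice'")
    seen_during = balance(reader, "alice")   # still the last committed value
    writer.commit()
    seen_after = balance(reader, "alice")    # now the new value
    writer.close()
    reader.close()
    return seen_during, seen_after


def run_demo() -> dict:
    """Run every scenario on a throw-away database file and return what was observed."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        make_bank(path)
        conn = sqlite3.connect(path, timeout=5)
        out = {}
        out["overdraft"] = transfer(conn, "alice", "bob", 150)       # CHECK fails -> rollback
        out["after_overdraft"] = (balance(conn, "alice"), balance(conn, "bob"))
        out["bad_account"] = transfer(conn, "alice", "carol", 10)    # debit done, credit fails -> rollback
        out["after_bad_account"] = (balance(conn, "alice"), balance(conn, "bob"))
        out["ok"] = transfer(conn, "alice", "bob", 30)
        out["after_ok"] = (balance(conn, "alice"), balance(conn, "bob"))
        conn.close()
        out["isolation"] = isolation_demo(path)
        # Durability: a brand-new connection (as after a restart) sees the committed state.
        fresh = sqlite3.connect(path)
        out["durable"] = balance(fresh, "alice")
        fresh.close()
        return out
    finally:
        os.remove(path)
```

The "carol" case is the one auditors care about most: without the `rowcount` check the debit would commit while the credit silently updates zero rows, so the money disappears from the books even though every statement "succeeded".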

(c) A fuzzy logic system deals with "approximate reasoning". Does it make sense to apply it to control systems? Why or why not? (5 marks)

Q.3 (a) The accuracy of the outcome of a cost-benefit analysis depends on how accurately costs and benefits have been estimated. Inaccurate cost-benefit analysis may be argued to be a substantial risk in planning, because inaccuracies of the size documented are likely to lead to inefficient decisions. What are the causes of inaccuracies in cost and benefit estimations? (6 marks)


(b) ABC Software Company has to develop a software automation system for a local textile company with a very basic IT infrastructure. Is it a good idea to develop a prototype of the system before developing the full-fledged system? Discuss. (4 marks)

(c) The biggest concern with biometric security is that once a fingerprint or any other biometric source has been compromised, it is compromised for life, because users can never change their fingerprints. Is this concern valid? Discuss with reasoning. (4 marks)

SECTION 'B'

Q.4 (a) Describe the automated evaluation techniques, along with their complexity levels, applicable to continuous online auditing. Also mention the circumstances under which each type can be used. (7 marks)

(b) What are the physical and logical access points that need to be checked for unauthorized exposures of critical IT assets? (7 marks)

Q.5 (a) Give details of active and passive attacks, with two examples of each type. (4 marks)

(b) Why is a proper configuration of firewalls essential? (3 marks)

(c) Describe the purpose of library control software. (7 marks)

The End


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

FALL (WINTER) 2007 EXAMINATION

Wednesday, the 21st November, 2007

INFORMATION SYSTEMS & I.T. AUDIT - (S-602)

Stage-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks which form the part of this paper.

(vii) Question No. 1 - "Multiple Choice Question", printed separately, is an integral part of this paper.

SECTION 'A'

2. (a) It is said that business process characteristics reflect system decision choices that may affect business process performance. If this is true, then what are the process characteristics? Elaborate with an example. If not, then explain your reasoning with an example. (8 marks)

(b) Relational, multidimensional and text databases all coexist in today's IT industry. Describe each of these. Why are relational databases much more popular than the other two types of databases? (6 marks)

3. (a) AMSP Inc. is a multinational software services company with 30,000+ employees worldwide, headquartered in Silicon Valley, USA, with 24 offices around the world. Propose a suitable IS architecture for AMSP Inc., with reasoning and description. (9 marks)


(b) What is a 'denial of service' attack? What are its effects, and how are such attacks achieved? (5 marks)

SECTION 'B'

4. (a) You have been assigned the task of auditing infrastructure and operations. What specific things will you check while undertaking the audit with reference to the following: (10 marks)

(i) Hardware reviews

(ii) Network operating control reviews

(b) What are the concerns that should be addressed arising from lights-out operations? (4 marks)

5. (a) Wireless network implementation is an emerging trend in the IT industry. Identify some of the threats and vulnerabilities of such implementations. (7 marks)

(b) Business impact analysis (BIA) is a critical step in developing the business continuity plan (BCP). Define the core components that should be focused on during the business impact analysis. (7 marks)

THE END



INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

SPRING (SUMMER) 2007 EXAMINATION

Wednesday, the 23rd May, 2007

INFORMATION SYSTEMS & I.T. AUDIT - (S-602)

STAGE-6

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt ALL questions.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks which form the part of this paper.

(vii) Question No. 1 - "Multiple Choice Question", printed separately, is an integral part of this paper.

SECTION 'A'

Q.2 (a) How can encryption be used for making data meaningless to unauthorized users? Explain clearly. (7 marks)

(b) With regard to Information Systems planning, briefly explain the following:

(i) An IS plan. (4 marks)

(ii) The challenges of IS planning. (3 marks)

Q.3 (a) Discuss the prime considerations which are set forth before designing a system. (5 marks)

(b) What are the elements of a work system? (4 marks)

(c) How can Information Systems improve communication in an organization? (5 marks)

SECTION 'B'

Q.4 (a) List the risks and issues associated with the use of the following: (9 marks)

(i) Local area network (LAN)

(ii) Client/server system

(iii) Wireless system


(b) Suppose you are working as an IS auditor and have been assigned the task of reviewing the operating system and database. What specific things would you focus on while reviewing these items? (5 marks)

Q.5 (a) What are the objectives associated with adopting a control self-assessment (CSA) program? What are the merits and demerits of CSA? (8 marks)

(b) Following the implementation and stabilization of a system, it enters the ongoing development or maintenance stage. This phase continues until the system is retired. It involves those activities that are required either to correct errors in the system or to enhance its capabilities. In this regard discuss the vital points an IS auditor should consider (discuss any six). (6 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

STAGE-6 EXAMINATION - FALL (WINTER) 2006

Wednesday, the 29th November, 2006

INFORMATION SYSTEMS & I.T. AUDIT - (S-602)

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt TWO questions each from Section 'A' and 'B'. All questions carry equal marks.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will also be a computer based practical examination of 10 marks and presentation of a project of 20 marks which form the part of this paper.

(vii) Question No. 1 - "Multiple Choice Question", printed separately, is an integral part of this paper.

SECTION 'A'

Q.2 (a) What benefits can management realize with the implementation of e-commerce for their supply chain management? List any five benefits. (5 marks)

(b) What is the difference between efficiency and effectiveness, and how is this related to the work system framework? (9 marks)

Q.3 (a) Describe the following categories of information systems along with their relevant examples:

(i) Transaction Processing System (TPS) (2 marks)

(ii) Decision Support System (DSS) (2 marks)

(iii) Management Information System (MIS) (2 marks)


(b) Name some common techniques used in decision support systems. Explain the approaches used in each of these techniques. (8 marks)

Q.4 (a) What is an entity-relationship diagram (ERD)? Discuss the significance of an ERD. (7 marks)

(b) Identify the four phases which any information system goes through and some of the common issues and problems that occur in each phase. (7 marks)

SECTION 'B'

Q.5 You are appointed as Manager, Information Technology Audits in an external auditing firm. The first assignment to be carried out under your supervision is to review the application controls in place in a multinational organization. In an introductory meeting with your team members you plan to emphasize the usage of Computer Assisted Auditing Techniques (CAATs). Before the introductory meeting you are required to study and prepare notes on the following:

(a) Describe the uses of CAATs. (2 marks)

(b) To be proficient in using CAATs, what skills should an IT auditor possess? (5 marks)

(c) CAATs can be used in performing various audit procedures. List the IT audit procedures where these can be used. (7 marks)

Q.6 Continuous innovation in the field of Information Technology has become its nature and the pace is increasing day by day. But sometimes it becomes difficult for progressing organizations to cope with IT innovations because of the non-availability of skilled human resources. In such a situation, organizations tend to outsource IT functions partly or wholly.

Required:

(a) Briefly explain the term 'outsourcing' in relation to Information Technology. (2 marks)

(b) List any five risks faced by companies availing outsourcing services. (5 marks)

(c) List some of the important provisions of a contract which you, as an IT auditor, would look for in an outsourcing contract. (7 marks)


Q.7 (a) What is IT audit methodology? (2 marks)

(b) What are the components of IT audit methodology? (2 marks)

(c) Explain each phase of a typical IT audit. (10 marks)

THE END


INSTITUTE OF COST AND MANAGEMENT ACCOUNTANTS OF PAKISTAN

STAGE-3 EXAMINATION - SPRING (SUMMER), 2006

Thursday, the 25th May, 2006

INFORMATION SYSTEMS & I.T. AUDIT - (S-302)

Time Allowed: 2 Hours 45 Minutes; Maximum Marks: 56

(i) Attempt TWO questions each from Section 'A' and 'B'. All questions carry equal marks.

(ii) Answers must be neat, relevant and brief.

(iii) In marking the paper, the examiners take into account clarity of exposition, logic of arguments, presentation and language.

(iv) Read the instructions printed on the top cover of answer script CAREFULLY before attempting the paper.

(v) DO NOT write your Name, Reg. No. or Roll No. anywhere inside the answer script.

(vi) There will be a computer based practical examination of 10 marks and presentation of a project of 20 marks which form a part of this paper.

(vii) Question No. 1 - 'Multiple Choice Question', printed separately, is an integral part of this paper.

SECTION 'A'

Q.2 A data processing procedure normally consists of a number of basic processing operations like recording, sorting, file enquiry, retrieving of data etc. But all these basic processing operations are dependent on accurate input/data capture.

(a) List the input devices which are commonly used to perform these functions. (3 marks)

(b) If input/data capture is error prone, the processing will not be accurate and subsequently the output will be affected. Mention what problems input/data capture can suffer from. (3 marks)

(c) What characteristics should an ideal method of input/data capture possess? (3 marks)

(d) The keyboard is the most commonly used input device. Mention the advantages and disadvantages of input/data capture through the keyboard. (5 marks)

Q.3 (a) Nowadays, there are various physical and wireless technologies available for communication channels. You are required to suggest the physical communication media which are available in the market for selection. Also mention two (2) advantages and two (2) disadvantages of each. (8 marks)


(b) Your company wants you to guide them about the different hardware components which are used in a LAN. Identify and describe any three of these components. (6 marks)

Q.4 The process of managing information system development is a major management operation involving large parts of an organization and elements of its environment. The System Development Life Cycle (SDLC) is a structured approach to managing this major operation. Briefly explain the stages of the SDLC. (14 marks)

SECTION 'B'

Q.5 (a) The term 'virus' is a generic name applied to a variety of malicious computer programs. You, as an IS auditor, are required to perform a review of IS operations to assess the controls placed by IS management to prevent virus attacks. List and briefly describe at least 10 controls which you would look for while auditing the function. (10 marks)

(b) It is required that the auditor's conclusions be based on sufficient, relevant and competent evidence. As an audit supervisor, if you want to assess the reliability of audit evidence, what determinants would you keep in mind? Explain the determinants you identify. (4 marks)

Q.6 While auditing any application software it is very important for an IS auditor to understand the database structure operating behind the application.

(a) Identify and describe three major types of database structure. (9 marks)

(b) What database controls would you, as an IS auditor, subscribe to? (5 marks)

Q.7 The earth is subject to various disasters. A disaster could be natural or man-made. Keeping them in view, there is an increasing need for organizations to prepare themselves in advance and plan preventive and corrective measures.

(a) One of the recovery strategies against disasters that impair the physical facility is to acquire 'off-site backup' alternatives. Some popular sites include hot, warm and cold sites. Describe the nature of these sites and their differences in terms of the monetary resources required to acquire them. (9 marks)

(b) One of the recovery strategies is to have a 'reciprocal agreement' with some other organization. Your company has adopted this recovery strategy by having a reciprocal agreement with another company. You, as an IS auditor, are required to review the agreement to ensure that it covers all critical areas. List and describe any five questions you would ask to ensure that the agreement is complete from every aspect. (5 marks)

THE END
