                                     Suggested Answers
                             Final Examinations – Winter 2011

Ans.1   (a)     I would gather the following information regarding TL’s IT strategy:

                (i)     Long and short range organisational plans to fulfil the organisation’s
                        mission and goals.
                (ii)    Long and short range strategy and plans for IT systems to support
                        organizational plans.
                (iii)   TL’s approach to setting IT strategy, developing plans and monitoring
                        progress against those plans.
                (iv)    TL’s approach to change control of IT strategy and plans.
                (v)     IT mission statement and agreed goals and objectives for IT activities.
                (vi)    Assessments of existing IT activities and systems.

        (b)     (i)     While reviewing the IT strategic planning process, I would consider whether:

                        (1)   there is a clear definition of the IT mission and vision;
                        (2)   there is a strategic IT planning methodology in place;
                        (3)   the methodology correlates business goals and objectives to IT goals
                              and objectives;
                        (4)   the planning process is periodically updated;
                        (5)   the IT strategic plan identifies major IS initiatives and resources; and
                        (6)   the level of the individuals involved in the process is appropriate.

        (b)     (ii)    While reviewing the organisation of TL’s IT function, I would consider whether:

                        (1)  the membership, functions and responsibilities of the IT strategy and
                             steering committees are well defined;
                        (2)  a quality assurance function and policy exists for the organisation of
                             the IT function;
                        (3)  the IT function has the right kind of staff, with the relevant skills;
                        (4)  clear policies exist to ensure the hiring of appropriate IT personnel;
                        (5)  roles and responsibilities are well defined and are communicated to
                             all concerned;
                        (6)  the IT function is aligned with the organisation’s objectives;
                        (7)  policies exist to address the need for evaluating and modifying the
                             organisational structure to meet changing objectives;
                        (8)  policies and procedures exist covering data and system ownership for
                             all major data sources and systems;
                        (9)  appropriate segregation of duties is in place;
                        (10) appropriate and effective key performance indicators and/or critical
                             success factors are used to measure the results of the IT function in
                             achieving organisational objectives;
                        (11) IT policies and procedures exist to control the activities of
                             consultants and other contract personnel; and
                        (12) the costs invested in the organisation of the IT function are
                             appropriate and well controlled.

                                                                                           Page 1 of 6

Ans.2   (a)       Common causes of database failures are as follows:

                  (i)     Application program error: data could be incorrectly updated due to a
                          bug in an application program.
                  (ii)    System software error: an error in the operating system (OS), database
                          management system (DBMS), network management system or a utility
                          program may lead to erroneous updating or corruption of data held in
                          the database.
                  (iii)   Hardware failure: Data may be lost due to hardware failure or
                  (iv)    Procedural error: a procedural error made by an operator/user could
                          damage the database.

        (b)       Common backup strategies are as follows:

                  (i)     Grandfather, father, son strategy: three sets of backups are
                          maintained, i.e. daily, weekly and monthly. The daily or son backups are
                          recorded on weekdays, the weekly or father backups are recorded at
                          weekends, and the monthly or grandfather backup is written on the last
                          working day of the month. Son, father and grandfather backups are
                          overwritten on a weekly, monthly and quarterly basis, respectively. Often
                          one or more of the father/grandfather backups is removed from the site
                          and stored off-site for safekeeping and disaster recovery purposes.
                  (ii)    Mirroring / dual recording / replication: two separate copies of the
                          same database are maintained at different physical locations. It is a
                          costly approach, as the data has to be kept and updated at two different
                          locations/servers. It protects against loss of a site or server, but not
                          against an erroneous update, which is replicated to the mirror just as
                          faithfully as a correct one.
                  (iii)   Dumping: the whole database, or a critical part of it, is copied to a
                          medium from which it can be restored. There is no fixed frequency for
                          taking such a backup.
                  (iv)    Logging: a backup of the entire database is not taken each time.
                          Instead, a log is kept of all events that update, create or delete any
                          record in the database. Three types of log may be kept, i.e.
                          transaction logs, before-image logs and after-image logs. Such logs can
                          be used to bring the database back to its last consistent state if the
                          current version is lost: after-images are replayed over an earlier dump
                          (roll-forward), and before-images are applied to reverse the changes of
                          incomplete transactions (roll-back).
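The following is an added illustration, not part of the suggested answer: a toy in-memory database that combines the dumping strategy of (iii) with the before-image/after-image logging of (iv), and shows the two recovery paths. The names (makeLoggedDb, recoverFromDump, undoInPlace) and the bank accounts are constructed for the example; a real DBMS does the same bookkeeping in its write-ahead log.

```javascript
// Added example (not from the answer key). A toy database with a full dump plus a
// transaction log that records the before-image and after-image of every update.
// Recovery then has two tools: roll-forward (dump + after-images of committed
// transactions) and roll-back (before-images of transactions cut off by a crash).

function makeLoggedDb(initial) {
  const state = { data: { ...initial }, dump: null, log: [] };
  return {
    // "Dumping": copy the whole database to a safe medium. Log entries older than
    // the dump are no longer needed for recovery.
    takeDump() {
      state.dump = { ...state.data };
      state.log = [];
    },
    begin(txid) { state.log.push({ txid, type: 'begin' }); },
    // "Logging": every update records the record's before-image and after-image,
    // then writes the live database in place, as a real DBMS would.
    update(txid, key, value) {
      state.log.push({ txid, type: 'update', key, before: state.data[key], after: value });
      state.data[key] = value;
    },
    commit(txid) { state.log.push({ txid, type: 'commit' }); },
    snapshot() { return { ...state.data }; },
    dumpCopy() { return { ...state.dump }; },
    logCopy() { return state.log.map(e => ({ ...e })); },
  };
}

function committedTxids(log) {
  return new Set(log.filter(e => e.type === 'commit').map(e => e.txid));
}

// Roll-forward: the database files are lost. Restore the dump, then replay the
// after-images of committed transactions in log order; uncommitted ones are skipped.
function recoverFromDump(dump, log) {
  const db = { ...dump };
  const committed = committedTxids(log);
  for (const e of log) {
    if (e.type === 'update' && committed.has(e.txid)) db[e.key] = e.after;
  }
  return db;
}

// Roll-back: the database files survived the crash but a transaction was in flight.
// Undo its in-place writes by applying before-images in reverse log order. A record
// that did not exist before the transaction (before-image undefined) is deleted.
function undoInPlace(db, log) {
  const out = { ...db };
  const committed = committedTxids(log);
  for (const e of [...log].reverse()) {
    if (e.type !== 'update' || committed.has(e.txid)) continue;
    if (e.before === undefined) delete out[e.key]; else out[e.key] = e.before;
  }
  return out;
}

// Constructed scenario: one committed transfer, then a withdrawal cut off by a crash.
function crashScenario() {
  const bank = makeLoggedDb({ alice: 100, bob: 50 });
  bank.takeDump();
  bank.begin('T1');                     // alice pays bob 30, committed
  bank.update('T1', 'alice', 70);
  bank.update('T1', 'bob', 80);
  bank.commit('T1');
  bank.begin('T2');                     // alice withdraws 30, crash before commit
  bank.update('T2', 'alice', 40);
  const atCrash = bank.snapshot();      // { alice: 40, bob: 80 }: T2 half-applied
  return {
    atCrash,
    dumpOnly: bank.dumpCopy(),          // { alice: 100, bob: 50 }: restoring only the dump loses T1
    rolledForward: recoverFromDump(bank.dumpCopy(), bank.logCopy()),
    rolledBack: undoInPlace(atCrash, bank.logCopy()),
  };
}

console.log(crashScenario());
```

Both recovery paths end at the same consistent state (alice 70, bob 80): the committed transfer survives and the half-finished withdrawal disappears. Restoring the dump alone would silently lose T1, which is why the answer pairs dumping with logging rather than treating them as alternatives.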

Ans.3   Key objectives of the help desk function are as follows:

        (i)       Effective and efficient customer support.
        (ii)      Effective and timely monitoring.
        (iii)     Building a knowledge base.

        Actions required to achieve the above objectives are explained below:

        Effective and efficient customer support

        (i)       Appoint trustworthy and competent personnel with a high level of interpersonal
                  skills as the help desk coordinating officers.
        (ii)      Train the help desk officers in the diverse range of systems used throughout the
        (iii)     Ensure immediate logging of all customers’ complaints/queries.
        (iv)      Unresolved customers’ queries should be assigned to support personnel for
                  investigation and resolution.
        (v)       Arrange periodic reviews/audits of the services offered and gather customers’
                  opinions through feedback forms and surveys.

        Effective and timely monitoring

        (i)       Assign a time limit for the resolution of each reported complaint.
        (ii)      The system should alert the Customer Services Manager as soon as the
                  designated time period for an unresolved complaint has elapsed.
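As an added example (not part of the suggested answer), the check behind (i) and (ii): given a help desk log and a time limit per priority, list the open complaints whose limit has elapsed, so the manager can be alerted, and the closed ones that breached it, for the periodic review. The ticket records, priorities and limits below are constructed for the example.

```javascript
// Added example (not from the answer key): overdue-complaint detection for a help desk.
// Time limits per priority, in minutes (constructed values).
const SLA_MINUTES = { high: 60, medium: 240, low: 1440 };

// Constructed help desk log. Times are ISO-8601 UTC; resolvedAt is null while open.
const TICKETS = [
  { id: 'HD-1', priority: 'high',   openedAt: '2011-12-05T09:00:00Z', resolvedAt: '2011-12-05T09:40:00Z' },
  { id: 'HD-2', priority: 'high',   openedAt: '2011-12-05T09:10:00Z', resolvedAt: null },
  { id: 'HD-3', priority: 'medium', openedAt: '2011-12-05T08:00:00Z', resolvedAt: null },
  { id: 'HD-4', priority: 'low',    openedAt: '2011-12-05T10:00:00Z', resolvedAt: null },
  { id: 'HD-5', priority: 'high',   openedAt: '2011-12-05T07:00:00Z', resolvedAt: '2011-12-05T08:30:00Z' },
];

function minutesBetween(fromIso, toIso) {
  return (Date.parse(toIso) - Date.parse(fromIso)) / 60000;
}

// Returns the tickets that have passed their limit as of `now`: still-open ones
// (these trigger the alert) and closed ones that were resolved late (reported, not
// alerted). A ticket with an unknown priority is a data error, not a silent pass.
function slaReport(tickets, now, sla = SLA_MINUTES) {
  const overdueOpen = [];
  const breachedClosed = [];
  for (const t of tickets) {
    const limit = sla[t.priority];
    if (limit === undefined) throw new Error(`no time limit defined for priority '${t.priority}'`);
    const elapsed = minutesBetween(t.openedAt, t.resolvedAt || now);
    if (elapsed <= limit) continue;
    const entry = { id: t.id, priority: t.priority, minutesOver: elapsed - limit };
    (t.resolvedAt ? breachedClosed : overdueOpen).push(entry);
  }
  return { overdueOpen, breachedClosed };
}

// The alert text the Customer Services Manager would receive for each overdue ticket.
function escalationMessages(report) {
  return report.overdueOpen.map(
    e => `ESCALATE ${e.id}: ${e.priority} priority complaint unresolved, ${e.minutesOver} min past limit`
  );
}

const report = slaReport(TICKETS, '2011-12-05T11:00:00Z');
console.log(report);
console.log(escalationMessages(report).join('\n'));
```

Run at 11:00, HD-2 (high, open for 110 minutes against a 60-minute limit) is the only ticket to escalate, while HD-5 was closed 30 minutes late and belongs in the review statistics rather than the alert queue. Separating the two keeps the alert meaningful; a report that mixes historic breaches into the live alert list is the kind that gets ignored.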

        Building a knowledge base

        (i)       Maintain a system generated log of all activities undertaken to resolve the reported
        (ii)      Use the help desk log to determine the most and least problematic areas.
        (iii)     Train help desk staff to use the log to find out how a particular type of
                  problem has been fixed in the past.

Ans.4   Risks associated with the use of e–commerce, along with the mitigating measures, are as follows:

        (i)       Privacy
                  Risk: Customers’ private and confidential information may become public,
                  and the seller risks legal prosecution if customers’ data is compromised.
                  Mitigating measures:
                  (1) The seller should store customers’ data in encrypted form.
                  (2) The seller should declare that it will not disclose customers’ data to
                      third parties or any other agency unless required by law.
                  (3) The seller should have the website certified under a recognised
                      assurance seal programme such as WebTrust.

        (ii)      Integrity of transaction
                  Risk: Information submitted by customers may be tampered with during or
                  after the transaction.
                  Mitigating measures:
                  (1) The seller should deploy Secure Sockets Layer (SSL, today TLS) on the
                      website, especially on the pages where customers’ data is collected.
                      This protects the data in transit; tampering after receipt has to be
                      addressed by access controls on the stored records.
                  (2) The seller should make use of public key cryptography and allow
                      customers to encrypt the data with the seller’s public key.

        (iii)     Fraud
                  Risk: The seller may indulge in fraud, or the website may not be authentic.
                  Mitigating measures:
                  (1) The buyer should not follow hyperlinks received in marketing emails to
                      visit the seller’s website.
                  (2) The buyer should use a web browser with a built-in phishing filter.

        (iv)      Non-repudiation
                  Risk: The buyer may deny having placed the order.
                  Mitigating measures:
                  The seller should get customers registered on its website and issue them
                  digital signature credentials (a signing key and certificate) before any
                  transaction is made. These signatures should be used for all communication
                  with the seller, so that each order can be tied to the customer’s key.

        (v)       Availability
                  Risk: The website may become unavailable due to a virus attack, email/message
                  bombardment of the system, or system malfunction.
                  Mitigating measures:
                  (1) Deploy a firewall with effective policies to block unwanted traffic.
                  (2) Deploy reputable antivirus software and update it regularly.
                  (3) Develop and implement an effective disaster recovery and business
                      continuity plan for the e–commerce website, and ensure periodic testing
                      and updating of the plan.

        (vi)      Trust
                  Risk: The seller may deceive buyers, and the delivered order may be of much
                  lower quality than described at the online store.
                  Mitigating measures:
                  Customers should be alert to this possibility and satisfy themselves through
                  the available means before carrying out such a transaction.

Ans.5   (a)      I would take the following steps while planning the high-level risk assessment of
                 TP’s VPN:

                 (i)     Gather information regarding TP’s business and the purpose of installation
                         of VPN.
                 (ii)    Identify the VPN-related risks relevant to the post-implementation stage.
                 (iii)   Identify the relevant framework information criteria that need to be
                         reviewed and confirmed.

        (b)      To determine the scope and objectives of the TP assignment, I would:

                 (i)     Consult with the management of Trade Power (TP) where appropriate.
                 (ii)    Obtain feasibility study report of the project to gain understanding of
                         users’ requirements.
                 (iii)   Consider the information gathered at the planning stage, to determine the
                         scope in a more explicit manner.
                 (iv)    Interview the identified stakeholders and include their key concerns, if any,
                         in the scope and objectives of the review.

Ans.6   (a)      An in-depth BPR study:

                 (i)     brings out deficiencies of the existing systems;
                 (ii)    attempts to maximise productivity through restructuring; and
                 (iii)   identifies measures to improve the systems and procedures.

        (b)      The BPR exercise may be conducted concurrently with the implementation of the
                 ERP solution, however, this could lead to:

                 (i)     selection of an inappropriate ERP;
                 (ii)    additional cost on customisation of the selected solution;
                 (iii)   incompatibility with technical infrastructure;
                 (iv)    unfamiliarity with new processes introduced by the BPR may, in turn, lead
                         to inadequate process description and suboptimal configuration of the
                         ERP; and
                 (v)     overburdening the users which may lead to increased resistance from

        (c)      The following matters should be considered while evaluating and selecting an ERP:

                 (i)     All functional aspects of the business are duly covered.
                 (ii)    Whether it would be technically viable to purchase the intended ERP.

                 (iii)   Whether vendor has customization and implementation capabilities.
                 (iv)    Feedback from existing users of the intended ERP.
                 (v)     Comparison of costs and benefits associated with ERP implementation.


Ans.7   (a)       Following factors should be considered while determining whether to use CAATs:

                  (i)     the IT knowledge, expertise and experience of the audit team;
                  (ii)    the availability of suitable CAATs and IS facilities;
                  (iii)   efficiency and effectiveness of using CAATs over manual techniques;
                  (iv)    time constraints;
                  (v)     integrity of information system and IT environment; and
                  (vi)    level of audit risk.

        (b)       Following steps are required to be taken while planning the use of CAATs:

                  (i)     Set the objective of the CAAT application.
                  (ii)    Determine the accessibility and availability of the entity's IS facilities,
                          programs/systems and data.
                  (iii)   Determine resource requirements, i.e., personnel, CAATs, processing
                  (iv)    Clearly understand the composition of the data to be processed, including
                          quantity, type, format and layout.
                  (v)     Obtain access to the entity’s IS facilities, programs/systems and data,
                          including file definitions.
                  (vi)    Define the tests and procedures to be undertaken.
                  (vii)   Define the output requirements.
                  (viii)  Document the CAATs to be used, including high-level flowcharts and run

Ans.8   The arguments provided by the client do not seem appropriate, for the following reasons:

        (i)       Unrestricted access to the report option exposes information to users who
                  have no need for it. A careful analysis should be done to determine which
                  users need to access and print each report.
        (ii)      Efficiency and effectiveness are not relevant factors in this situation. They
                  might exist, but the cost/risk is higher.
        (iii)     User friendliness and flexibility for everybody is never the first choice for
                  an IT system, particularly at the cost of information security. The system
                  needs to be user friendly for the intended users only.
        (iv)      Information could be transmitted outside as electronic files, i.e. without
                  printing hard copies, since print options also allow output in electronic
                  form, e.g. print to file or print to PDF.

        Therefore, it can be concluded that a greater exposure exists, since blanket permission
        is available to all users. Accordingly, this point should be reported to management.
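As an added example (not part of the suggested answer), the two audit checks an auditor would actually run against the client’s authorisation matrix to substantiate this finding: which permissions are held by every user, and which users can print or export a report on data they cannot even view. The users, roles, grants and the data-ownership table are constructed; the ‘ALL’ role stands for the “everyone may print” setting the client defends.

```javascript
// Added example (not from the answer key): auditing an authorisation matrix for
// blanket grants and for report/export rights wider than view rights.

// Constructed users, each with a department and a set of roles.
const USERS = {
  anna:  { dept: 'finance', roles: ['fin_user'] },
  bilal: { dept: 'finance', roles: ['fin_manager'] },
  chen:  { dept: 'sales',   roles: ['sales_user'] },
  dara:  { dept: 'it',      roles: ['helpdesk'] },
};

// Constructed grants: permission -> roles allowed. 'ALL' means every authenticated user.
const GRANTS = {
  'payroll.view':    ['fin_user', 'fin_manager'],
  'payroll.report':  ['ALL'],              // the "flexible" blanket print/export grant
  'payroll.approve': ['fin_manager'],
  'tickets.report':  ['helpdesk', 'ALL'],
};

// Data/system ownership: which department owns each system's data.
const OWNERS = { payroll: 'finance', tickets: 'it' };

// Resolves a permission to the list of users who hold it, in matrix order.
function usersWith(permission, users = USERS, grants = GRANTS) {
  const roles = new Set(grants[permission] || []);
  return Object.keys(users).filter(
    u => roles.has('ALL') || users[u].roles.some(r => roles.has(r))
  );
}

// Check 1: permissions held by every user in the matrix, reported together with the
// users outside the owning department who gain the permission that way.
function blanketPermissions(users = USERS, grants = GRANTS, owners = OWNERS) {
  const everyone = Object.keys(users);
  const findings = [];
  for (const permission of Object.keys(grants)) {
    const holders = usersWith(permission, users, grants);
    if (holders.length !== everyone.length) continue;          // not a blanket grant
    const system = permission.split('.')[0];
    const outsideOwnerDept = holders.filter(u => users[u].dept !== owners[system]);
    findings.push({ permission, outsideOwnerDept });
  }
  return findings;
}

// Check 2: users who can print/export a report on a system's data without holding
// the view permission for it. Print-to-file and print-to-PDF make the report option
// an export path, so it must never be wider than view.
function reportWiderThanView(system, users = USERS, grants = GRANTS) {
  const canView = new Set(usersWith(`${system}.view`, users, grants));
  return usersWith(`${system}.report`, users, grants).filter(u => !canView.has(u));
}

console.log(blanketPermissions());
console.log('payroll report without view:', reportWiderThanView('payroll'));
```

On the constructed matrix the first check flags both report permissions as blanket grants, and the second shows that chen (sales) and dara (IT) can print payroll reports while being denied payroll.view: exactly the exposure the answer describes, with the affected users named, which is what the management report needs.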

Ans.9   To evaluate the effectiveness of the logical and environmental controls related to the
        given areas I would ask the following questions:

        (a)       Data confidentiality, integrity and availability

                  (i)     Is there a corporate policy requiring strong passwords?
                  (ii)    Is there a corporate policy requiring periodic change of passwords? If so,
                          what is its periodicity? (Current guidance such as NIST SP 800-63B favours
                          screening new passwords against breached-password lists over forced
                          periodic change, so a short rotation period is not by itself a strong
                          control.)
                  (iii)   Are employees aware that passwords and accounts are not to be shared?
                  (iv)    Are users’ passwords communicated in a secure manner?

                  (v)     How is sensitive data stored? Password protected or encrypted?
                  (vi)    Is there a user authorisation matrix in place?
                  (vii)   Is the use of external storage devices allowed? If so, what controls are
                          in place to minimise the exposures arising from the use of such devices?
                  (viii)  How is media containing confidential and sensitive information, which is
                          no longer required, disposed of?
                  (ix)    Enquire and seek evidence as to whether users’ activity logs and audit
                          trails are maintained and reviewed.
                  (x)     Enquire and seek evidence as to whether prior written authorisation is
                          required for modification of data.
                  (xi)    Are all workstations running the latest version of the antivirus
                          software and scanning engine, and the current service packs of the
                          operating system and application software?
                  (xii)   How are the data and application software backed up? (frequency
                  (xiii)  Are backup files periodically restored as a test to verify whether they
                          are a viable alternative?
                  (xiv)   Are backup files sent to a physically secure offsite location?

        (b)       Power and fire hazards

                  (i)     Enquire whether any fire fighting system is installed.
                  (ii)    Observe whether smoke detectors, water sprinklers, fire extinguishers and
                          fire blankets are placed in strategic, visible locations throughout the
                          facility.
                  (iii)   Enquire and seek evidence as to whether the fire extinguishers and other
                          fire fighting components are inspected periodically.
                  (iv)    Enquire and seek evidence as to whether fire fighting drills are conducted
                  (v)     Enquire whether there is an emergency exit for staff to evacuate safely in case of
                  (vi)    Observe whether the emergency exit is visibly marked and easily accessible.
                  (vii)   Interview staff to ascertain their training and awareness level as regards
                          fire hazards and evacuation procedures.
                  (viii)  Observe whether electrical surge protectors are installed on sensitive and
                          expensive computer equipment.
                  (ix)    Visit the IT facility at regular intervals to determine whether temperature
                          and humidity are appropriate.
                  (x)     Seek evidence as to whether fire fighting equipment, electrical fittings and
                          UPS are inspected/tested frequently.

                                    (THE END)
