
INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL
Suggested Answer - Final Examinations - Summer 2008

A.1 (a) Following documents may be reviewed to gain an understanding of the GL application:

Documents describing user requirements: These documents help in identifying the essential system components.
Documents describing cost benefit analysis: These documents help in understanding the need and objective of each module and functionality of the application.
Functional design specifications: This document provides a detailed explanation of the application.
Documents describing modifications in programs: Such documents help in evaluating whether the application has been working satisfactorily, and in understanding the changes in user requirements and the change management controls.
User manuals: A review of the user manual will allow us to determine whether it contains appropriate guidance for the users.
Technical reference manual: Its review helps in understanding the access rules and logic of the application.
1 (b)

Input Controls
Terminal/Client's workstation identification check: This check is used to limit input to specific terminals as well as to individuals. Client workstations in a network can be configured with a unique form of identification, such as a serial number or computer name, that is authenticated by the system.
Effectiveness testing: (i) Check that a list of authorized terminals is in place and is kept updated. (ii) Attempt to access the system from an unauthorized terminal. (iii) Observe the process of input and review source documents for evidence of authorization.
OR
Completeness check: Fields like the national identity card number accept data only of the standard length. If an incomplete card number is entered, an alert is generated to complete the entry. At record level, when the user tries to move on to the next record without entering the mandatory fields' values, an alert is generated to complete the record entries.
Effectiveness testing: (i) Observing the data entry process. (ii) Inputting some records on a test basis, intentionally leaving mandatory fields blank while adding new records.
OR
Authorization on source document: An authorized person's signature in an appropriate area of the source document provides evidence of proper authorization.
Page 1 of 9


Effectiveness testing: Review some source documents corresponding to records present in the system and verify the authorized signatures.

Processing Controls
Exception reports: Such reports are generated when some transaction or data appear to be incorrect.
Effectiveness testing: Review exception reports and check whether these were reviewed by the concerned user, and look for evidence of the actions taken thereon.
OR
Reconciliation of control totals: This involves checking the totals produced by the computer against those determined manually.
Effectiveness testing: (i) Assessing whether the reconciliations are being prepared as appropriate. (ii) Checking the calculations appearing on the reconciliations.
OR
File version check: For correct processing, the system ensures that transactions are applied to the most current version of the database.
Effectiveness testing: Process some sample transactions and compare the results with the current version of the database.
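The input and processing controls above, worked through as an added example that is not part of the suggested answer: a completeness check on a batch of general-ledger entries, a reconciliation of the computer's control totals against the manually prepared batch slip, and the exception report the concerned user (and the auditor) would then review. The 13-digit identity-card length, the field names and the sample batch are assumptions constructed for the example.

```python
"""Added example (not from the suggested answer): application controls for a
batch of GL journal entries. A completeness check (input control) rejects
incomplete records; control-total reconciliation and an exception report
(processing controls) expose what went wrong, on constructed sample data."""
from dataclasses import dataclass, field

# Assumption for the example: the identity-card field must hold exactly 13 digits.
ID_CARD_LENGTH = 13
MANDATORY_FIELDS = ("entry_id", "account", "id_card", "amount")


@dataclass
class ExceptionReport:
    """Collects every input or processing exception for user review."""
    lines: list = field(default_factory=list)

    def add(self, entry_id, control, detail):
        self.lines.append(f"{entry_id}: {control}: {detail}")


def completeness_check(record, report):
    """Input control: reject records with blank mandatory fields or an
    identity-card number of non-standard length. Returns True if accepted."""
    missing = [f for f in MANDATORY_FIELDS if not str(record.get(f, "")).strip()]
    if missing:
        report.add(record.get("entry_id", "?"), "completeness",
                   "mandatory field(s) blank: " + ", ".join(missing))
        return False
    id_card = str(record["id_card"])
    if len(id_card) != ID_CARD_LENGTH or not id_card.isdigit():
        report.add(record["entry_id"], "completeness",
                   f"id_card must be {ID_CARD_LENGTH} digits, got {id_card!r}")
        return False
    return True


def process_batch(records, manual_total, manual_count, report):
    """Processing control: post the accepted records, then reconcile the
    computer-generated control totals with the manually determined ones."""
    posted = [r for r in records if completeness_check(r, report)]
    computer_total = sum(r["amount"] for r in posted)
    reconciled = computer_total == manual_total and len(posted) == manual_count
    if not reconciled:
        report.add("BATCH", "control totals",
                   f"computer total {computer_total}/{len(posted)} records vs "
                   f"manual total {manual_total}/{manual_count} records")
    return {"posted": len(posted), "total": computer_total, "reconciled": reconciled}


# Constructed sample batch: the clerk's batch slip says 4 entries totalling 4100.
SAMPLE_BATCH = [
    {"entry_id": "JV-1", "account": "1001", "id_card": "4210112345671", "amount": 1500},
    {"entry_id": "JV-2", "account": "1002", "id_card": "42101123456", "amount": 600},
    {"entry_id": "JV-3", "account": "", "id_card": "3520211111119", "amount": 900},
    {"entry_id": "JV-4", "account": "1004", "id_card": "6110199999993", "amount": 1100},
]


def run_sample():
    """Runs the constructed batch; returns the posting result and report lines."""
    report = ExceptionReport()
    result = process_batch(SAMPLE_BATCH, manual_total=4100, manual_count=4, report=report)
    return result, report.lines


if __name__ == "__main__":
    result, lines = run_sample()
    print(result)
    print("\n".join(lines))
```

Two entries fail the completeness check, so the computer's totals (2 records, 2600) do not agree with the batch slip and the mismatch itself becomes an exception-report line for follow-up.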

Output Controls
Printing and storage of output reports: Critical output reports should be produced and maintained in a secure area in an authorized manner.
Effectiveness testing: (i) Review of the access rules. (ii) Reviewing and assessing the procedures adopted by the management for monitoring the output. (iii) Reconciliation of the total pages printed with the readings shown on the counter installed in the printer.
OR
Distribution of reports: Authorized distribution parameters are set for output reports. All reports are logged prior to distribution. The recipient is required to sign the distribution log as evidence of receipt of the output.
Effectiveness testing: (i) Observation and review of the output distribution logs. (ii) Verifying the recipients' signatures on the distribution log.


General Controls
Segregation of duties: Segregation of duties means that important responsibilities are distributed between two or more individuals, which results in checks and balances as the work of one person is checked by the other. If a single person is responsible for many activities it becomes easy for him to commit fraud or for errors to remain undetected.
Effectiveness testing: (i) Observation and review of job descriptions. (ii) Review of authorization levels and procedures.
Error control and correction reports: They provide evidence of appropriate review, research, timely correction and resubmission.
Effectiveness testing: (i) Assessing and testing whether appropriate reports are being generated. (ii) Checking the consequent corrections and their authorizations.
OR
Access to authorized personnel only: Access to information/data should be based upon job descriptions.
Effectiveness testing: (i) Review of access rules to ensure that these are appropriately based on the requirements. (ii) Testing the compliance with access rules.
Backup and Recovery: Automatic backup of data enables recovery from any unforeseen breakdown and mitigates the effects of data corruption.
Effectiveness testing: Observe the auto backup procedure. Attempt to restore the system from a recent backup at an alternative location.
A.2
(i) What facilities, equipment and software will be available?
(ii) Will staff assistance be provided?
(iii) How quickly can access be gained to the host recovery facility?
(iv) How long can the emergency operation continue?
(v) How frequently can the system be tested for compatibility?
(vi) How will confidentiality of the data be maintained?
(vii) What type of security will be afforded for information systems operations and data?
(viii) Are there certain times of the year, month, etc. when the partner's facilities shall not be available?
(ix) Whether costs to be billed have been agreed upon clearly?
(x) Have appropriate clauses been included to ensure that the commitment is fulfilled? (e.g. penalty clause)
(xi) Does the agreement contain appropriate provisions as regards the termination of the contract?

A.3 (a)
(i) Review measures to establish proper customer identification and maintenance of their confidentiality.
(ii) Review the file maintenance and retention system.
(iii) Review exception reports.
(iv) Review the daily reconciliation of ATM transactions.
(v) Review PIN (key) change management procedures.


(vi) Review the procedures for retained, stolen or lost cards.
(vii) Review the effectiveness of physical controls.

3 (b)
(i) Assignment of a modification number and version number to each item in the software inventory.
(ii) Security over the access to software, OR limiting the access to software to authorized persons only.
(iii) Provision of facilities like encryption and automatic backup.
(iv) Creating, updating and deleting the profiles of users for access to the software inventory.
(v) Maintaining an audit trail for access to any item of the software inventory.
(vi) Interface with the operating system, job scheduling system, access control system and online program management for provision of various features to users.
(vii) Maintaining a list of additions, deletions and modifications in the overall library catalog.

A.4 (a) Segregation of duties means that important responsibilities are distributed between two or more individuals. As a result, checks and balances are created as the work of one person is checked by the other. If adequate segregation of duties does not exist, the following could occur:
Misappropriation of assets, OR increased chances of fraud.
Inaccurate information (i.e. errors or irregularities remain undetected).
Modification of data could go undetected.

4 (b)

Suggested best practices for preventing and detecting frauds that may be committed by key information systems personnel are as follows:
(i) Carry out periodic enterprise-wide risk assessments: A periodic risk assessment procedure helps to identify risks which may result in loss to the organization.
(ii) Clearly document insider threat controls: Clear documentation helps to ensure fewer gaps for attack and better understanding by employees.
(iii) Carry out periodic security awareness training for all employees: If the employees are trained and understand security policies and procedures, and why they exist, they will be encouraged and able to avert security lapses.
(iv) Implement strict password and account management policies and practices: Password controls and account management policies are often not followed, to avoid inconvenience. Without strict implementation such controls are of no use.
(v) Log, monitor, and audit online actions of the employees: Periodic logging, monitoring and auditing discourages and discovers inappropriate actions.
(vi) Use extra caution with system administrators and privileged users: Typically, logging and monitoring is performed by a combination of system administrators and privileged users. Therefore, additional vigilance must be devoted to those users.
(vii) Monitor and respond to suspicious or disruptive behavior: Policies and procedures should be in place for all employees to report such behavior, with required follow-up by management.
(viii) Physical controls: Closed circuit cameras, biometrics and digital door locks etc. serve as good physical controls against insider threats.
(ix) Deactivate computer access immediately after termination: An immediate deactivation policy will discourage losses due to lapses and slackness.
(x) Job rotation: Periodic rotation of responsibilities enhances the check and balance environment. It helps in detecting errors and irregularities which would otherwise remain undetected.

(xi) Forced leave policy: A mandatory leave policy helps in successful succession planning. It also tests the organization's preparedness in case its key IT personnel leave.
(xii) Restricted use of removable media: This practice helps in minimizing the chances of viruses and worms in the system. It also mitigates the chances of theft of sensitive data.
(xiii) Access to sensitive data/information on a need-to-have basis: This practice enhances the security and confidentiality of data. Since access to data is allowed only on proper authorization, any modification to it can be tracked and detected easily.
A.5

(i) Asset: Information/data
    Threat: Errors
      Impact: Business interruption; Monetary loss
      Controls: Users' training; Input and verification by different persons; Data validation checks.
    Threat: Malicious damage/attack (Viruses, Hackers)
      Impact: Denial of service; Business interruption; Loss of business opportunity; Loss of data
      Controls: Properly configured firewall; Installing updated definitions of anti-virus programs; Restricting use of removable drives.
    Threat: Theft
      Impact: Monetary loss; Loss of business opportunity; Leakage of business secrets; Legal repercussions
      Controls: Proper backup plan; Use of strong passwords; Use of protected communication lines for data transmission; Restricting use of removable drives.
    Threat: Electric surge
      Impact: Loss of data; Business interruption.
      Controls: Proper maintenance of water fittings; Using stabilizers and circuit breakers; Proper maintenance of electric circuitry.

(ii) Asset: Hardware
    Threat: Theft
      Impact: Business interruption; Monetary loss
      Controls: Security guards; Lock and key; Digital locks; Biometric locks; Prohibiting one person from working alone.
    Threat: Equipment failure / Physical damage
      Impact: Business interruption; Loss of business opportunity; Loss of equipment
      Controls: Hardware backup; Periodic maintenance; Maintenance contracts.
    Threat: Electric surge
      Impact: Business interruption.
      Controls: Proper maintenance of electric fittings; Using stabilizers and circuit breakers.
    Threat: Fire
      Impact: Business interruption; Loss of equipment and facilities.
      Controls: Fire proof rooms; Alternative hardware and facilities arrangement; Fire alarms; Fire extinguishers.
    Threat: Water
      Impact: Business interruption; Loss of data.
      Controls: Proper maintenance of water fittings and drainage system; Raised floors.

(iii) Asset: Software
    Threat: Program errors / Bugs / Trap doors
      Impact: Business interruption; Loss of data; Loss of confidentiality
      Controls: Testing before implementation; Source code review; Software maintenance.
    Threat: Malicious damage/attack
      Impact: Denial of service; Business interruption; Loss of business opportunity; Loss of data
      Controls: Properly configured firewall; Installing updated definitions of anti-virus programs; Restricting use of removable drives.
    Threat: Use of pirated software
      Impact: Legal consequences; Loss of reputation
      Controls: Compliance with software licenses; Prohibiting users from installing programs.

(iv) Asset: Personnel
    Threat: Health hazards
      Impact: Business interruption
      Controls: Proper work environment; Proper job description; Mandatory vacations.
    Threat: Injuries
      Impact: Business interruption
      Controls: Proper maintenance of electric fittings; Wet floor cautions.
    Threat: Resignation
      Impact: Business interruption
      Controls: Succession planning; Program documentation.
    Threat: Death
      Impact: Business interruption
      Controls: Succession planning; Program documentation.

A.6 (a) The company can make use of the B2C model in the following ways:
(i) The company can make basic information about its products available on its website. Such information may include product price, availability, features of the product and any additional charges such as delivery or insurance etc. When such information is available to potential customers in an easy to understand format, it will be easier for them to make decisions and they will be automatically attracted towards the company's website.
(ii) The company can provide some form of personalization of the website for repeat visits, such as welcoming the customer by name or displaying a list of products already reviewed. This would help make the site more customer-friendly, and the probability of customers visiting the company's website before any related purchase would increase.
(iii) Providing some incentives to use the website, such as loyalty points, may help to attract more customers.
(iv) New customers may be reached, especially those who are not located within traveling distance of the company's sales outlet.
(v) When a purchase is made on the company's website, customer information will be stored by the company's computer system. This information can be used to help provide repeat business for the organization.
(vi) Data can be mined to identify relationships in purchases.
(vii) The company can carry out business on a 24 x 7 basis.

6 (b) The B2B model can assist the company in improving its performance in the following manner:
(i) Managing inventory more efficiently.
(ii) Suppliers can be given access to stock levels such that when stocks fall below a re-order level, the supplier will automatically send replacement stocks. Thus less employee time will be spent in reviewing stock levels, and replacement stocks will be received immediately when they are required.
(iii) Self-generated e-mails can be used to inform suppliers about new stock requirements.
(iv) Information concerning stock deliveries and receipts can be sent by Electronic Data Interchange. This will provide time and cost savings.
(v) The payment process can be expedited by making payments electronically.
(vi) Paperless environment.
(vii) The need to re-enter the data will be reduced.

A.7 (a) Key contents of the RFP:
Information given to vendors
(i) Broad background of Techno International's business.
(ii) Details of the information technology environment.
(iii) Requirements of the system for which the proposal has been requested.
(iv) How will the proposal be evaluated?
(v) Criteria for the eligibility of the vendors.
(vi) General procurement policies (if any).
(vii) The format of the proposal, to facilitate comparative evaluation of the proposals.
(viii) Identifying the timing of submission, including any bonds that may be required and the place and manner of submission.
Information required from vendor
(i) Source code availability.
(ii) Minimum hardware requirements for the proposed software.
(iii) Availability of the offered product's complete and reliable documentation.
(iv) List of recent or planned enhancements to the product, with dates.
(v) List of clients using the offered product.
(vi) Availability of support status (24 x 7 online help, onsite maintenance etc.).
(vii) Provision for staff training.
(viii) Evidence of the vendor's financial stability.
(ix) Evidence of relevant experience.

7 (b) Key activities in ensuring transparency in receiving and recording RFPs:
(i) Advising all suppliers of the format (including method of submission, e.g. sealed envelopes, by post etc.) and deadline for submissions and the place where the submission should be lodged.
(ii) Ensuring that all vendors have equal and adequate time to submit the proposal.
(iii) Ensuring that all bids are opened at the same time and in the presence of suppliers.

7 (c) Key activities involved in short listing the proposals:
(i) Eliminating proposals from vendors that do not meet the minimum requirements specified in the RFP. The reason for this should be documented and preferably communicated to the supplier.
(ii) Evaluating the remaining proposals so that the relative merits and weaknesses of each solution are documented and compared.
(iii) Eliminating all but a few proposals from further consideration, documenting the reasons for rejection and advising the suppliers who have been short listed.

7 (d) The project team may arrange the following to validate the vendors' responses:
Walk-through tests
Demonstrations
Benchmark tests
Visiting or calling the vendors' current clients to verify their claims.

A.8 (a) Load Testing: It is used to test the expected usage of a system (software) by simulating multiple users accessing the system's services concurrently.
Stress / Volume / Bulk Testing: It is used to test the raised usage of a system (beyond normal usage patterns) in order to test the system's response at unusually high or peak load.
Performance Testing: It is used to determine how fast the system performs under different workloads.

8 (b)
Parallel Changeover: This technique includes running both the existing (old) and new software in parallel and shifting over to the new system after fully gaining confidence in the working of the new software.
Phased Changeover: In this approach, the older system is broken into deliverable modules. Initially, the first module of the older system is phased out using the first module of the newer system. Then, the second module of the older system is phased out using the second module of the newer system, and so forth till the last module.
Abrupt / Direct / Plunge Changeover: In this approach the new system is introduced on a cutoff date / time and the older system is discontinued simultaneously.
Pilot Changeover: In this approach, the new system is implemented at a selected location of the company, such as only one branch office (using the direct or parallel changeover approach). After the system proves successful at the selected location (pilot site), it is implemented in the rest of the organization.

8 (c) Changeover to the newer system broadly involves four major steps:
(i) Training of the employees or users.
(ii) Installation of new hardware, operating system and application system.
(iii) Conversion of files and programs and migration of data.
(iv) Scheduling of operations and test running for go-live or changeover.

8 (d) Probable risks during the changeover process include:
(i) Loss of assets.
(ii) Data corruption / deletion.
(iii) Loss of confidentiality.
(iv) Impairment of system effectiveness.
(v) System efficiency may be affected.
(vi) Resistance from staff.

(THE END)

