
Final Examinations

The Institute of Chartered Accountants of Pakistan

Module E
2 June 2015
3 hours 100 marks
Additional reading time 15 minutes

Information Technology Management, Audit and Control


Q.1

IT department of Sana Textiles Mills is headed by its CFO and consists of a senior
programmer, a database administrator and two junior programmers. It has recently
developed an integrated Information System which has six interconnected modules and is
ready to go live. The senior programmer has developed the program and linked all the
modules. Junior programmers have assisted him in gathering user requirements, preparing
system flowcharts, developing user manual, compiling technical reference manual,
designing various forms and reports and unit testing.
Required:
(a) With reference to the composition of the development team, identify any two risks and
suggest the steps that may be taken to address those risks. (04)
(b) Explain the term unit testing. Also describe briefly the various types of tests which
may be performed under whole-of-program testing. (05)

Q.2

Raised University (RU) is a reputed university in its region. It has a resource rich website
from where students can download syllabus, past papers, research papers/periodicals,
various forms and academic information etc.
In a recent meeting, the Vice Chancellor has advised the IT Manager to provide online fee
payment option to the students for the forthcoming semester. Presently fee is either
deposited in bank or is paid at the campus through credit cards. The IT Manager has
informed that various arrangements will require to be made in this regard which includes
renegotiating the web hosting contract, developing a customised application program and
selecting a bank that offers Internet Merchant Account.
Required:
(a) Why do you think a revision in web hosting contract would be necessary for providing
such service? (02)
(b) Briefly describe the role of a customised application program in processing of
payments for the above purpose. (03)
(c) Suggest suitable controls which may need to be implemented to ensure that students
are served in an efficient and secure manner. (04)
(d) Briefly explain the factors that RU should consider while selecting a bank for opening
Internet Merchant Account. (06)

Q.3

As the use of mobile devices like smart phones and tablets is gaining popularity, many
organisations allow their staff to connect their personal mobile devices to the company's
network by directly connecting to its LAN or through Internet.
Required:
(a) Identify the primary security and control issues to which an organisation may be
exposed to in the above stated situation. (02)
(b) List the steps that an organisation may need to take in order to address the risks that
may arise in the above stated situation, with regard to:
(i) Network access
(ii) Device management
(iii) Application security management (09)

Q.4

Nizam Hospital (NH) has recently implemented an off-the-shelf system. The users are not
satisfied with the system as several issues have arisen during the first few weeks of its
implementation. The complaints have been resolved by the vendor on a timely basis but he
is of the view that majority of the problems arose due to lack of users' knowledge. The
management has asked the IT Manager to set up a helpdesk function for providing
immediate support to users.
Required:
(a) List the information which should be maintained by the helpdesk for each complaint. (05)
(b) Specify the responsibilities which could be assigned to the helpdesk staff of NH. (05)

Q.5

As the IS Auditor of Gulbahar Limited, you have identified few instances of software
licensing violations. Prepare a note for submission to the management briefly describing the
controls, which can be established in order to minimize such violations. (06)

Q.6

(a) State the key differences between cold, warm and hot sites. (03)

(b) Sohrab Insurance Company (SIC) specialises in health insurance. In December 2014,
fire broke out in SIC's data processing facility which forced SIC to operate from a hot
site facility. However, SIC faced lot of difficulty in getting access to the site and
completing data processing tasks. A consultant hired by SIC has reported that most of
the difficulties arose because of deficiencies in the agreement with the hot site provider.
Required:
Briefly discuss any six deficiencies to which the Consultant may be referring to. (09)

Q.7

Identify the five stages in developing Information Strategy Plan and also identify the key
steps/activities in each stage. (10)

Q.8

Data is the most valuable resource of an organization. Accordingly, IT Auditors need to
develop a good understanding of how data is managed, database security controls and the
roles of Data Administrator and the Database Administrator.
Required:
(a) Specify any three objectives which effective data management seeks to achieve. (02)
(b) Identify the responsibilities of the Data Administrator and the Database Administrator
in respect of each of the following Data/Database related functions:
(i) Defining data
(ii) Creating data
(iii) Retiring data
(iv) Making database available to users
(v) Maintaining database integrity
(vi) Monitoring operations (09)

Q.9

On completion of the IS Audit of Sadar Builders (SB), its auditor wrote in his report that SB
has paid due attention in securing its network from external threats; however, it has
implemented only physical controls to address the insiders' threats.
Required:
Identify any six measures that SB may take in order to mitigate the insiders' threats to its IT
resources and the main objective/benefit of each such measure. (09)

Q.10

The advancement of communication technology such as the world wide web and email has
allowed efficient dissemination of information on a global scale. However, such
communication has also increased the need to protect the privacy of data.
Required:
Briefly describe the generally accepted privacy-protection principles. (07)

(THE END)
