ITM_AM_E-13


8/13/2019 ITM_AM_E-13

INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL

Suggested Answer

Final Examinations - Summer 2008

A.1 (a) Following documents may be reviewed to gain an understanding of the GL application:

Documents describing user requirements

These documents help in identifying the essential system components.

Documents describing cost benefit analysis

These documents help in understanding the need and objective of each module and functionality of the application.

Functional design specifications

This document provides a detailed explanation of the application.

Documents describing modifications in program

Such documents will help in evaluating whether the application has been working satisfactorily, understanding the change in user requirements and change management controls.

User manuals

A review of the user manual will allow us to determine whether it contains appropriate guidance for the users.

Technical reference manual

Its review helps in understanding access rules and logic of the application.

1 (b) Input Controls

Terminal/Client's workstation identification check

This check is used to limit input to specific terminals as well as to individuals. Client workstations in a network can be configured with a unique form of identification, such as serial number or computer name, that is authenticated by the system.

Effectiveness testing

(i) Check if list of authorized terminals is in place and is updated.

(ii) Attempt accessing the system from an unauthorized terminal.

(iii) Observe process of input and review source documents for evidence of authorization.

OR

Completeness check

Fields like national identity card number accept data of standard length. If an incomplete card number is entered, an alert is generated to complete the entry. At record level, when we want to move on to the next record without entering the mandatory fields' values, an alert will be generated to complete the record entries.

Effectiveness testing

(i) Observing the data entry process.

(ii) Input some records on a test basis, intentionally leaving mandatory fields blank while adding new records.

OR

Authorization on source document

Authorized person's signature in an appropriate area of the source document provides evidence of proper authorization.

    Page 1 of 9


Effectiveness testing

Review some source documents corresponding to records present in the system and verify the authorized signatures.

    7r"+essing C"ntr"lsE+e0ti"n re0"rts

    Such reports are generated when some transaction or data appear to be incorrect.

    E..e+ti5eness testing

    +eview exception reports and chec if these were reviewed by the concerned user and the

    evidence of actions taen thereof.

    OR

    Re+"n+iliati"n ". +"ntr"l t"tals

    $t involves checing of totals produced by the computer with those determined manually.

    E..e+ti5eness testing

    &i' #ssessing whether the reconciliations are being prepared as appropriate.

    &ii' %hecing calculations as appearing on the reconciliations.

    OR

    File 8ersi"n C1e+4

    For correct processing! the system ensures that transaction should be applied to the most currentdatabase.

    E..e+ti5eness testing

    ,rocess some sample transactions and compare the results with current version of the database.
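The completeness check (input controls), the exception report and the reconciliation of control totals (processing controls) described above, shown together as an added example that is not part of the suggested answer: a small batch-input module. The GL record schema, the 13-digit identity card length and the sample batch are constructed assumptions, not values from the paper.

```python
"""Batch input/processing controls: field- and record-level completeness
check, exception report and control-total reconciliation (A.1(b))."""
from dataclasses import dataclass, field

# Assumed (hypothetical) GL journal record schema: mandatory fields and the
# fixed length expected for the national identity card number.
MANDATORY_FIELDS = ("id_card_no", "account", "amount")
ID_CARD_LENGTH = 13  # assumption: the answer only says "standard length"


@dataclass
class BatchResult:
    exceptions: list = field(default_factory=list)  # (record_no, reason)
    record_count: int = 0                            # accepted records
    amount_total: float = 0.0                        # control total of amounts


def field_alerts(rec):
    """Field-level completeness check: one alert string per defect found."""
    alerts = [f"mandatory field '{f}' is blank" for f in MANDATORY_FIELDS
              if not str(rec.get(f, "")).strip()]
    card = str(rec.get("id_card_no", "")).strip()
    if card and (len(card) != ID_CARD_LENGTH or not card.isdigit()):
        alerts.append(f"id_card_no '{card}' is incomplete "
                      f"(expected {ID_CARD_LENGTH} digits)")
    return alerts


def process_batch(records):
    """Record-level check: a record with any alert goes to the exception
    report and is not posted; accepted records feed the control totals."""
    res = BatchResult()
    for n, rec in enumerate(records, start=1):
        alerts = field_alerts(rec)
        if alerts:
            res.exceptions.extend((n, a) for a in alerts)
            continue
        res.record_count += 1
        res.amount_total += float(rec["amount"])
    return res


def reconcile(res, manual_count, manual_total):
    """Reconciliation of control totals: computer totals versus the count
    and amount total determined manually from the source documents."""
    return (res.record_count == manual_count
            and abs(res.amount_total - manual_total) < 0.005)


# Constructed test batch (the auditor's effectiveness test): record 2 skips
# a mandatory field, record 3 carries a short card number.
SAMPLE_BATCH = [
    {"id_card_no": "4210112345671", "account": "1001", "amount": "250.00"},
    {"id_card_no": "3520212345678", "account": "", "amount": "75.50"},
    {"id_card_no": "61101", "account": "2002", "amount": "10.00"},
    {"id_card_no": "1730112345679", "account": "3003", "amount": "120.25"},
]

if __name__ == "__main__":
    r = process_batch(SAMPLE_BATCH)
    for n, reason in r.exceptions:
        print(f"EXCEPTION record {n}: {reason}")
    print("accepted:", r.record_count, "control total:", round(r.amount_total, 2))
    print("reconciles with manual totals:", reconcile(r, 2, 370.25))
```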

Output Controls

Printing and storage of output reports

Critical output reports should be produced and maintained in a secure area in an authorized manner.

Effectiveness testing

(i) Review of the access rules.

(ii) Reviewing and assessing the procedures adopted by the management for monitoring the output.

(iii) Reconciliation of total pages printed with the readings as shown on the counter installed in the printer.

OR

Distribution of reports

Authorized distribution parameters are set for output reports. All reports are logged prior to distribution. Recipient is required to sign the distribution log as evidence of receipt of output.

Effectiveness testing

(i) Observation and review of distribution output logs.

(ii) Verifying recipients' signatures on distribution log.


General Controls

Segregation of duties

Segregation of duties means that important responsibilities are distributed between two or more individuals, which results in creating checks and balances as work of one person is checked by the other. If a single person is responsible for many activities it becomes easy for him to commit fraud or for errors to remain undetected.

Effectiveness testing

(i) Observation and review of job description.

(ii) Review of authorization levels and procedures.

Error control and correction reports

They provide evidence of appropriate review, research, timely correction and resubmission.

Effectiveness testing

(i) Assessing and testing whether appropriate reports are being generated.

(ii) Checking the consequent corrections and their authorizations.

OR

Access to authorized personnel only

Access to information/data should be based upon job descriptions.

Effectiveness testing

(i) Review of access rules to ensure that these are appropriately based on the requirements.

(ii) Testing the compliance to access rules.

Backup and Recovery

Automatic backup enables recovery from any unforeseen breakdown and mitigates the effects of data corruption.

Effectiveness testing

Observe the auto backup procedure.

Attempt to restore the system from a recent backup at an alternative location.

A.2 (i) What facilities, equipment and software will be available?

(ii) Will staff assistance be provided?

(iii) How quickly can access be gained to the host recovery facility?

(iv) How long can the emergency operation continue?

(v) How frequently can the system be tested for compatibility?

(vi) How will confidentiality of the data be maintained?

(vii) What type of security will be afforded for information systems operations and data?

(viii) Are there certain times of the year, month, etc. when the partner's facilities shall not be available?

(ix) Whether costs to be billed have been agreed upon clearly?

(x) Have appropriate clauses been included to ensure that commitment is fulfilled? (e.g. penalty clause)

(xi) Does the agreement contain appropriate provision as regards the termination of the contract?

A.3 (a) (i) Review measures to establish proper customer identification and maintenance of their confidentiality.

(ii) Review file maintenance and retention system.

(iii) Review exception reports.

(iv) Review daily reconciliation of ATM transactions.

(v) Review PIN (key) change management procedures.


(vi) Review the procedures for retained, stolen or lost cards.

(vii) Review the effectiveness of physical controls.

3 (b) (i) Assignment of modification number and version number for each item in software inventory.

(ii) Security over the access to software. OR Limiting the access to software to authorized persons only.

(iii) Provision of facilities like encryption and automatic backup.

(iv) Creating, updating and deleting the profiles of users for access to software inventory.

(v) Maintaining audit trail for access to any item of software inventory.

(vi) Interface with operating system, job scheduling system, access control system and online program management for provision of various features to users.

(vii) Maintaining list of additions, deletions and modifications in overall library catalog.

A.4 (a) Segregation of duties means that important responsibilities are distributed between two or more individuals. As a result, checks and balances are created as work of one person is checked by the other.

If adequate segregation of duties does not exist, the following could occur:

Misappropriation of assets OR Chances of fraud increase.

Inaccurate information (i.e. errors or irregularities remain undetected).

Modification of data could go undetected.

4 (b) Suggested best practices for preventing and detecting frauds that may be committed by key information systems personnel are as follows:

(i) Carry out periodic enterprise-wide risk assessments

Periodic risk assessment procedure helps to identify risks which may result in loss to the organization.

(ii) Clearly document insider threat controls.

Clear documentation helps to ensure fewer gaps for attack and better understanding by employees.

(iii) Carry out periodic security awareness training for all employees

If the employees are trained and understand security policies and procedures, and why they exist, they will be encouraged and able to avert security lapses.

(iv) Implement strict password and account management policies and practices

Password controls and account management policies are often not followed to avoid inconvenience. Without strict implementation such controls are of no use.

(v) Log, monitor, and audit online actions of the employees

Periodic logging, monitoring and auditing discourages and discovers inappropriate actions.

(vi) Use extra caution with system administrators and privileged users

Typically, logging and monitoring is performed by a combination of system administrators and privileged users. Therefore, additional vigilance must be devoted to those users.

(vii) Monitor and respond to suspicious or disruptive behavior

Policies and procedures should be in place for all employees to report such behavior, with required follow-up by management.

(viii) Physical controls

Closed circuit cameras, biometrics and digital door locks etc. serve as a good physical control against insiders' threat.

(ix) Deactivate computer access immediately after termination

Immediate deactivation policy will discourage losses due to lapses and slackness.

(x) [heading missing in source]

… helps in detecting errors and irregularities which otherwise remain undetected.

    )i* F"r+ed lea5e 0"li+/

    3andatory leave policy helps in successful succession planning. $t also tests the

    organi(ation*s preparedness in case its ey $T personnel left.

    )ii* Restri+ted use ". re!"5ale !edia

    This practice helps in minimi(ing the chances of virus and worms in the system. $t also

    mitigates the chances of theft of sensitive data.

    )iii* A++ess t" sensiti5e data2 in."r!ati"n "n need t" 1a5e asis

    This practice enhances the security and confidentiality of data. Since access to data is

    allowed on proper authori(ation! trac of any modification to it can be detected easily.

A.5

| Assets | Threats | Impact | Controls |
|---|---|---|---|
| (i) Information/data | Errors | Business interruption; Monetary loss | Users' training; Input and verification by different persons; Data validation checks. |
| | Malicious damage/attack: Viruses, Hackers, Denial of service | Business interruption; Loss of business opportunity; Loss of data; Monetary loss | Properly configured firewall; Installing updated definitions of anti-virus programs; Restricting use of removable drives; Proper backup plan |
| | Theft | Loss of business opportunity; Leakage of business secrets; Legal repercussions | Use of strong passwords; Use protected communication lines for data transmission; Restricting use of removable drives. |
| | Electric Surge | Loss of data; Business interruption. | Proper maintenance of water fittings; Using stabilizers and circuit breakers; Proper maintenance of electric circuitry |
| (ii) Hardware | Theft | Business interruption; Monetary loss | Security guards; Lock and key; Digital locks; Biometric locks; Prohibiting one person to work alone. |
| | Equipment failure; Physical damage | Business interruption; Loss of business opportunity | Hardware backup; Periodic maintenance; Maintenance contracts |
| | Electric Surge | Loss of equipment; Business interruption. | Proper maintenance of electric fittings; Using stabilizers and circuit breakers |
| | Fire | Business interruption; Loss of equipment and facilities. | Fire proof rooms; Alternative hardware and facilities arrangement; Fire alarms; Fire extinguishers. |
| | Water | Business interruption; Loss of data. | Proper maintenance of water fittings and drainage system; Raised floors |
| (iii) Software | Program errors; Bugs; Trap doors | Business interruption; Loss of data; Loss of confidentiality | Testing before implementation; Source code review; Software maintenance |
| | Malicious damage/attack; Denial of service | Business interruption; Loss of business opportunity; Loss of data | Properly configured firewall; Installing updated definitions of anti-virus programs; Restricting use of removable drives. |
| | Use of pirated software | Legal consequences; Loss of reputation | Compliance of software licenses; Prohibiting users from installing programs |
| (iv) Personnel | Health hazards | Business interruption | Proper work environment; Proper job description; Mandatory vacations. |
| | Injuries | Business interruption | Proper maintenance of electric fittings; Wet floor cautions. |
| | Resignation | Business interruption | Succession planning; Program documentation. |
| | Death | Business interruption | Succession planning; Program documentation. |

A.6 (a) The company can make use of the B2C model in the following way:

(i) The company can make basic information of its products available at its website. Such information may include product price, availability, features of the product and any additional charges such as delivery or insurance etc. When such information is available to potential customers in an easy to understand format, it will be easier for them to make decisions and they will be automatically attracted towards the company's website.

(ii) The company can provide some form of personalization of the website for repeat visits such as welcoming the customer by name or displaying a list of products already reviewed. This would help make the site more customer-friendly and the probability of customers visiting the company's website before any related purchase would increase.

(iii) Providing some incentives to use the website such as loyalty points may help to attract more customers.

(iv) New customers may be reached, especially those who are not located within traveling distance of the company's sales outlet.

(v) When a purchase is made on the company's website, customer information will be stored by the company's computer system. This information can be used to help provide repeat business for the organization.

(vi) Data can be mined to identify relationships in purchases.

(vii) The company can carry out business on a 24 x 7 basis.

6 (b) B2B model can assist the company in improving its performance in the following manner:

(i) Managing inventory more efficiently.

(ii) Suppliers can be given access to stock levels such that when stocks fall below a re-order level, the supplier will automatically send replacement stocks. Thus less employee time will be spent in reviewing stock levels, and replacement stocks will be received immediately when they are required.

(iii) Self generated e-mails can be used to inform suppliers about new stock requirements.

(iv) Information concerning stock deliveries and receipts can be sent by Electronic Data Interchange. This will provide time and cost savings.

(v) Payment process can be expedited by making payments electronically.

(vi) Paperless environment.

(vii) Need to re-enter the data will be reduced.

A.7 (a) Key contents of RFP:

Information given to vendors

(i) Broad background of the Techno International's business.

(ii) Details of the information technology environment.

(iii) Requirements of the system for which proposal has been requested.

(iv) How will the proposal be evaluated?

(v) Criteria for the eligibility of the vendors.

(vi) General procurement policies (if any).

(vii) The format of the proposal to facilitate comparative evaluation of the proposal.

(viii) Identifying the timing of submission, including any bonds that may be required and the place and manner of submission.

Information required from vendor

(i) Source code availability.

(ii) Minimum hardware requirements for the proposed software.

(iii) Availability of the offered product's complete and reliable documentation.

(iv) List of recent or planned enhancements to the product, with dates.

(v) List of clients using the offered product.

(vi) Availability of support status (24 x 7 online help, onsite maintenance etc).

(vii) Provision for staff training.

(viii) Evidence of vendor's financial stability.

(ix) Evidence of relevant experience.

7 (b) Key activities in ensuring transparency in receiving and recording RFPs:

(i) Advising all suppliers of the format (including method of submission e.g. sealed envelopes, by post etc.) and deadline for submissions and the place where the submission should be lodged.

(ii) Ensuring that all vendors have equal and adequate time to submit the proposal.

(iii) Ensuring that all bids are opened at the same time and in the presence of suppliers.

7 (c) Key activities involved in short listing the proposals:

(i) Eliminating proposals from vendors that do not meet the minimum requirements specified in the RFP. The reason for this should be documented and preferably communicated to the supplier.

(ii) Evaluating the remaining proposals so that the relative merits and weaknesses of each solution are documented and compared.

(iii) Eliminating all but a few proposals from further consideration, documenting the reasons for rejection and advising the suppliers who have been short listed.

7 (d) The project team may arrange the following to validate the vendors' responses:

Walkthrough tests

Demonstrations

Benchmark tests

Visiting or calling the vendors' current clients to verify their claims.

A.8 (a) Load Testing

It is used to test the expected usage of a system (software) by simulating multiple users accessing the system's services concurrently.

Stress / Volume / Bulk Testing

It is used to test the raised usage of a system (beyond normal usage patterns) in order to test the system's response at unusually high or peak load.

Performance Testing

It is used to determine how fast the system performs under different workloads.

8 (b) Parallel Changeover

This technique includes the running of both existing (old) and new software in parallel and shifting over to the new system after fully gaining confidence in the working of the new software.

Phased Changeover

In this approach, the older system is broken into deliverable modules. Initially, the first module of the older system is phased out using the first module of the newer system. Then, the second module of the older system is phased out, using the second module of the newer system and so forth till the last module.

Abrupt / Direct / Plunge Changeover

In this approach the new system is introduced on a cutoff date/time and the older system is discontinued simultaneously.

Pilot Changeover

In this approach, the new system is implemented at a selected location of the company, such as only one branch office (using direct or parallel changeover approach). After the system proves successful at the selected location (pilot site), it is implemented into the rest of the organization.


8 (c) Changeover to the newer system broadly involves four major steps:

(i) Training to the employees or users.

(ii) Installation of new hardware, operating system, application system.

(iii) Conversion of files and programs and migration of data.

(iv) Scheduling of operations and test running for go-live or changeover.

8 (d) Probable risks during changeover process include:

(i) Loss of assets.

(ii) Data corruption/deletion.

(iii) Loss of confidentiality.

(iv) Impairment of system effectiveness.

(v) System efficiency may be affected.

(vi) Resistance from staff.

(THE END)