8/13/2019 ITM_AM_E-13
INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL
Suggested Answer
Final Examinations - Summer 2008
A.1 (a) The following documents may be reviewed to gain an understanding of the GL application:
Documents describing user requirements
These documents help in identifying the essential system components.
Documents describing cost benefit analysis
These documents help in understanding the need for and objective of each module and functionality
of the application.
Functional design specifications
This document provides a detailed explanation of the application.
Documents describing modifications in programs
Such documents help in evaluating whether the application has been working satisfactorily, in
understanding changes in user requirements, and in assessing the change management controls.
User manuals
A review of the user manual will allow us to determine whether it contains appropriate guidance
for the users.
Technical reference manual
Its review helps in understanding the access rules and the logic of the application.
1 (b) Input Controls
Terminal/Client workstation identification check
This check is used to limit input to specific terminals as well as to individuals. Client
workstations in a network can be configured with a unique form of identification, such as a serial
number or computer name, that is authenticated by the system. Because such an identifier is
reported by the client itself, it restricts the channels through which input can arrive but does not
by itself prove who is typing; it supplements, rather than replaces, user authentication.
Effectiveness testing
(i) Check that a list of authorized terminals is in place and is kept up to date.
(ii) Attempt to access the system from an unauthorized terminal.
(iii) Observe the process of input and review source documents for evidence of authorization.
OR
Completeness check
Fields like the national identity card number accept data of a standard length. If an incomplete
card number is entered, an alert is generated asking for the entry to be completed. At record level,
when the user tries to move on to the next record without entering values in the mandatory fields,
an alert is generated asking for the record entries to be completed.
Effectiveness testing
(i) Observing the data entry process.
(ii) Inputting some records on a test basis, intentionally leaving mandatory fields blank while
adding new records.
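The terminal identification check and the completeness check described above, implemented as they would sit behind a GL data-entry screen. This is an added illustration and not part of the suggested answer; the workstation names, the field names, the 13-digit identity-number length and the sample vouchers are assumptions constructed for the example.

```python
"""Added example (not part of the exam answer): programmatic input controls
for a GL data-entry screen. Workstation names, field names and the 13-digit
identity-number length are assumptions chosen for illustration."""

from dataclasses import dataclass, field

# Assumed: the list of authorized terminals that the system maintains.
AUTHORIZED_TERMINALS = {"GL-WS-01", "GL-WS-02"}

# Assumed record layout; the identity number is treated as 13 digits.
MANDATORY_FIELDS = ("voucher_no", "account_code", "amount", "cnic")
ID_NUMBER_LENGTH = 13


@dataclass
class EntryResult:
    accepted: bool
    alerts: list = field(default_factory=list)


def terminal_check(terminal_id: str) -> list:
    """Terminal/workstation identification check: input is only accepted
    from a terminal on the authorized list. The name is self-reported by
    the client, so this limits input channels; it does not prove who typed."""
    if terminal_id not in AUTHORIZED_TERMINALS:
        return [f"terminal '{terminal_id}' is not on the authorized list"]
    return []


def completeness_check(record: dict) -> list:
    """Field-level and record-level completeness checks."""
    alerts = []
    # Record level: every mandatory field must be present and non-blank.
    for name in MANDATORY_FIELDS:
        value = record.get(name)
        if value is None or str(value).strip() == "":
            alerts.append(f"mandatory field '{name}' is blank")
    # Field level: the identity number must be exactly the standard length
    # and numeric; a partial entry is rejected with an alert to complete it.
    cnic = str(record.get("cnic", "")).strip()
    if cnic and (len(cnic) != ID_NUMBER_LENGTH or not cnic.isdigit()):
        alerts.append(
            f"cnic '{cnic}' is incomplete: expected {ID_NUMBER_LENGTH} digits")
    return alerts


def validate_entry(terminal_id: str, record: dict) -> EntryResult:
    """Apply the input controls in order; the record is accepted only if
    no control raised an alert."""
    alerts = terminal_check(terminal_id) + completeness_check(record)
    return EntryResult(accepted=not alerts, alerts=alerts)


if __name__ == "__main__":
    # Constructed sample: one good record, one with an incomplete identity
    # number, one from an unauthorized terminal with a mandatory field blank.
    samples = [
        ("GL-WS-01", {"voucher_no": "JV-1001", "account_code": "4010",
                      "amount": 2500.00, "cnic": "3520112345671"}),
        ("GL-WS-02", {"voucher_no": "JV-1002", "account_code": "4010",
                      "amount": 100.00, "cnic": "35201123"}),
        ("HR-WS-09", {"voucher_no": "JV-1003", "account_code": "",
                      "amount": 75.00, "cnic": "3520112345672"}),
    ]
    for terminal, rec in samples:
        result = validate_entry(terminal, rec)
        print(rec["voucher_no"], "accepted" if result.accepted else result.alerts)
```

The effectiveness tests listed in the answer map directly onto this code: test (ii) of the completeness check is the third sample record, and test (ii) of the terminal check is the unauthorized "HR-WS-09" terminal; both must produce an alert rather than a silently accepted record.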
OR
Authorization on source document
An authorized person's signature in an appropriate area of the source document provides evidence
of proper authorization.
Effectiveness testing
Review some source documents corresponding to records present in the system and verify the
authorized signatures.
Processing Controls
Exception reports
Such reports are generated when some transaction or data item appears to be incorrect.
Effectiveness testing
Review the exception reports and check whether they were reviewed by the concerned user, and look
for evidence of the actions taken thereon.
OR
Reconciliation of control totals
It involves comparing the totals produced by the computer for a batch (such as the record count,
the total of amounts and a hash total of a non-financial field) with the totals determined manually
from the source documents before input.
Effectiveness testing
(i) Assessing whether the reconciliations are being prepared as appropriate.
(ii) Checking the calculations as appearing on the reconciliations.
OR
File Version Check
For correct processing, the system ensures that transactions are applied to the most current
version of the database.
Effectiveness testing
Process some sample transactions and compare the results with the current version of the database.
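The reconciliation of control totals described under Processing Controls above, worked through in code. This is an added illustration, not part of the suggested answer; the batch layout, the choice of the account code as the hash-total field, and the control slip values are assumptions constructed for the example. A hash total is a sum of a field that has no financial meaning, kept only so that a missing, duplicated or altered record changes the total.

```python
"""Added example (not the exam paper's own code): batch control-total
reconciliation for a GL posting run. Batch layout, field names and the
hash-total field are assumptions for illustration."""

from decimal import Decimal


def compute_control_totals(batch: list) -> dict:
    """Totals the computer produces from the records actually entered:
    record count, sum of amounts, and a hash total over account codes
    (a meaningless sum whose only purpose is to detect a changed or
    missing record)."""
    return {
        "record_count": len(batch),
        "amount_total": sum((Decimal(str(r["amount"])) for r in batch), Decimal("0")),
        "hash_total": sum(int(r["account_code"]) for r in batch),
    }


def reconcile(computed: dict, control_slip: dict) -> list:
    """Compare computed totals with those on the manually prepared batch
    control slip; return one exception line per mismatched total."""
    exceptions = []
    for name, expected in control_slip.items():
        actual = computed.get(name)
        if actual is None:
            exceptions.append(f"{name}: no computed total for this slip entry")
            continue
        # The slip is keyed in by hand, so coerce its value to the type of
        # the computed total before comparing.
        if isinstance(actual, Decimal):
            expected = Decimal(str(expected))
        else:
            expected = int(expected)
        if actual != expected:
            exceptions.append(
                f"{name}: computer {actual} vs manual {expected} "
                f"(difference {actual - expected})")
    return exceptions


if __name__ == "__main__":
    # Constructed batch of three entered vouchers.
    batch = [
        {"voucher_no": "JV-1001", "account_code": "4010", "amount": "2500.00"},
        {"voucher_no": "JV-1002", "account_code": "5020", "amount": "100.00"},
        {"voucher_no": "JV-1003", "account_code": "4010", "amount": "75.00"},
    ]
    # Constructed control slip prepared from the source documents: the clerk
    # counted four vouchers, so one voucher was never keyed in.
    control_slip = {"record_count": "4", "amount_total": "2975.00",
                    "hash_total": "19070"}
    for line in reconcile(compute_control_totals(batch), control_slip):
        print("EXCEPTION", line)
```

Each exception line is what an exception report for this control would carry; effectiveness test (ii) above (checking the calculations appearing on the reconciliation) amounts to recomputing `compute_control_totals` independently and confirming the differences shown.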
Output Controls
Printing and storage of output reports
Critical output reports should be produced and maintained in a secure area in an authorized
manner.
Effectiveness testing
(i) Review of the access rules.
(ii) Reviewing and assessing the procedures adopted by the management for monitoring the
output.
(iii) Reconciliation of the total pages printed with the readings shown on the counter installed
in the printer.
OR
Distribution of reports
Authorized distribution parameters are set for output reports. All reports are logged prior to
distribution. The recipient is required to sign the distribution log as evidence of receipt of the output.
Effectiveness testing
(i) Observation and review of output distribution logs.
(ii) Verifying the recipients' signatures on the distribution log.
General Controls
Segregation of duties
Segregation of duties means that important responsibilities are distributed between two or more
individuals, which results in checks and balances, as the work of one person is checked by the
other. If a single person is responsible for many activities it becomes easy for him to commit
fraud or for errors to remain undetected.
Effectiveness testing
(i) Observation and review of job descriptions.
(ii) Review of authorization levels and procedures.
Error control and correction reports
They provide evidence of appropriate review, research, timely correction and resubmission.
Effectiveness testing
(i) Assessing and testing whether appropriate reports are being generated.
(ii) Checking the consequent corrections and their authorizations.
OR
Access to authorized personnel only
Access to information/data should be based upon job descriptions.
Effectiveness testing
(i) Review of the access rules to ensure that they are appropriately based on the requirements.
(ii) Testing compliance with the access rules.
Backup and Recovery
Automatic backup enables recovery from any unforeseen breakdown and mitigates the
effects of data corruption.
Effectiveness testing
(i) Observe the automatic backup procedure.
(ii) Attempt to restore the system from a recent backup at an alternative location.
A.2 (i) What facilities, equipment and software will be available?
(ii) Will staff assistance be provided?
(iii) How quickly can access be gained to the host recovery facility?
(iv) How long can the emergency operation continue?
(v) How frequently can the system be tested for compatibility?
(vi) How will confidentiality of the data be maintained?
(vii) What type of security will be afforded for information systems operations and data?
(viii) Are there certain times of the year, month, etc. when the partner's facilities shall not be
available?
(ix) Have the costs to be billed been agreed upon clearly?
(x) Have appropriate clauses been included to ensure that the commitment is fulfilled (e.g. a
penalty clause)?
(xi) Does the agreement contain appropriate provisions as regards the termination of the
contract?
A.3 (a) (i) Review measures to establish proper customer identification and maintenance of their
confidentiality.
(ii) Review the file maintenance and retention system.
(iii) Review exception reports.
(iv) Review the daily reconciliation of ATM transactions.
(v) Review PIN (key) change management procedures.
(vi) Review the procedures for retained, stolen or lost cards.
(vii) Review the effectiveness of physical controls.
3 (b) (i) Assignment of a modification number and version number to each item in the software
inventory.
(ii) Security over the access to software, OR limiting the access to software to authorized
persons only.
(iii) Provision of facilities like encryption and automatic backup.
(iv) Creating, updating and deleting the profiles of users for access to the software inventory.
(v) Maintaining an audit trail of access to any item of the software inventory.
(vi) Interface with the operating system, job scheduling system, access control system and online
program management for provision of various features to users.
(vii) Maintaining a list of additions, deletions and modifications in the overall library catalog.
A.4 (a) Segregation of duties means that important responsibilities are distributed between two or more
individuals. As a result, checks and balances are created as the work of one person is checked by the
other.
If adequate segregation of duties does not exist, the following could occur:
Misappropriation of assets OR chances of fraud increase.
Inaccurate information (i.e. errors or irregularities remain undetected).
Modification of data could go undetected.
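A check that an auditor can run over the user-to-role assignments of an application to find where segregation of duties (discussed here and under General Controls in A.1(b)) has broken down: any single user whose combined roles let the same person both perform and check an activity. This is an added illustration, not part of the suggested answer; the function names, role names, the conflict matrix and the user list are assumptions constructed for the example.

```python
"""Added example (not from the exam answer): checking user-to-role
assignments against segregation-of-duties rules. The functions, role names
and the conflict matrix are assumptions chosen for illustration."""

# Assumed: pairs of functions that must not rest with one person. Each pair
# is an authorize-versus-record or custody-versus-record conflict.
SOD_CONFLICTS = {
    frozenset({"vendor_master_maintain", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"program_change", "production_migrate"}),
    frozenset({"cash_receipt_record", "bank_reconcile"}),
}

# Assumed role-to-function mapping of the GL application.
ROLE_FUNCTIONS = {
    "ap_clerk": {"vendor_master_maintain", "invoice_enter"},
    "ap_supervisor": {"payment_approve"},
    "gl_accountant": {"journal_post", "cash_receipt_record"},
    "gl_manager": {"journal_approve", "bank_reconcile"},
    "developer": {"program_change"},
    "release_admin": {"production_migrate"},
}


def effective_functions(roles) -> set:
    """Union of the functions granted through every role a user holds;
    an unknown role grants nothing rather than aborting the review."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_violations(user_roles: dict) -> dict:
    """Return {user: [conflicting function pairs]} for users whose combined
    roles let one person both perform and check the same activity."""
    findings = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles)
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= funcs]
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    # Constructed user list; 'rashid' accumulated a second role on transfer
    # without the first being removed.
    users = {
        "ayesha": ["ap_clerk"],
        "rashid": ["ap_clerk", "ap_supervisor"],
        "imran": ["developer", "release_admin"],
        "sana": ["gl_accountant"],
    }
    for user, pairs in sod_violations(users).items():
        print(user, "->", pairs)
```

The check is deliberately written over the effective (combined) functions rather than over individual roles, because the usual way segregation fails in practice is not a badly designed role but one user holding two roles that are each acceptable on their own.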
4 (b) Suggested best practices for preventing and detecting frauds that may be committed by key
information systems personnel are as follows:
(i) Carry out periodic enterprise-wide risk assessments
A periodic risk assessment procedure helps to identify risks which may result in loss to the
organization.
(ii) Clearly document insider threat controls
Clear documentation helps to ensure fewer gaps for attack and better understanding by
employees.
(iii) Carry out periodic security awareness training for all employees
If the employees are trained and understand the security policies and procedures, and why
they exist, they will be encouraged and able to avert security lapses.
(iv) Implement strict password and account management policies and practices
Password controls and account management policies are often not followed, to avoid
inconvenience. Without strict implementation such controls are of no use.
(v) Log, monitor, and audit online actions of the employees
Periodic logging, monitoring and auditing discourages and discovers inappropriate
actions.
(vi) Use extra caution with system administrators and privileged users
Typically, logging and monitoring is performed by a combination of system
administrators and privileged users. Therefore, additional vigilance must be devoted to
those users; in particular, since they can alter or disable the very logs used to monitor them,
the logs should be forwarded to a store that they cannot modify.
(vii) Monitor and respond to suspicious or disruptive behavior
Policies and procedures should be in place for all employees to report such behavior,
with required follow-up by management.
(viii) Physical controls
Closed-circuit cameras, biometrics and digital door locks etc. serve as good physical
controls against insider threats.
(ix) Deactivate computer access immediately after termination
An immediate deactivation policy will discourage losses due to lapses and slackness.
(x) ...
helps in detecting errors and irregularities which otherwise remain undetected.
(xi) Forced leave policy
A mandatory leave policy helps in successful succession planning. It also tests the
organization's preparedness in case its key IT personnel leave.
(xii) Restricted use of removable media
This practice helps in minimizing the chances of viruses and worms entering the system. It also
mitigates the chances of theft of sensitive data.
(xiii) Access to sensitive data/information on a need-to-have basis
This practice enhances the security and confidentiality of data. Since access to data is
allowed only on proper authorization, any modification to it can be traced and detected easily.
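Practices (v) and (ix) above (logging and auditing online actions, and deactivating access immediately after termination) can be turned into a single detection check: read the application's access log and the HR leavers list, and report accounts still enabled after the last working day as well as any activity by a leaver after that day. This is an added illustration, not part of the suggested answer; the log format, the log lines, the leavers list, the account table and the dates are all constructed for the example.

```python
"""Added example (not from the exam answer): a detection check that reads
an application access log and an HR leavers list and reports (a) accounts
still enabled after termination and (b) logins by leavers after their last
working day. Log format, contents and dates are constructed for illustration."""

from datetime import date, datetime

# Constructed access-log lines: timestamp, user, action, terminal.
ACCESS_LOG = """\
2008-06-02T09:12:03 bilal LOGIN GL-WS-01
2008-06-02T09:15:44 bilal POST_JOURNAL GL-WS-01
2008-06-03T18:40:10 farah LOGIN GL-WS-02
2008-06-05T22:05:31 bilal LOGIN GL-WS-07
2008-06-06T08:01:00 ayesha LOGIN GL-WS-01
"""

# Constructed HR leavers list: user -> last working day.
LEAVERS = {"bilal": date(2008, 6, 3), "tariq": date(2008, 5, 30)}

# Constructed snapshot of the application's user table.
ACCOUNTS = {"bilal": "enabled", "farah": "enabled", "tariq": "disabled",
            "ayesha": "enabled"}


def parse_log(text: str) -> list:
    """Parse one event per line; skip blank or malformed lines rather than
    letting a bad line abort the whole review."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append({"time": ts, "user": parts[1], "action": parts[2],
                       "terminal": parts[3]})
    return events


def stale_accounts(accounts: dict, leavers: dict, as_of: date) -> list:
    """Accounts of leavers whose last day has passed but that are still enabled."""
    return sorted(u for u, last in leavers.items()
                  if last < as_of and accounts.get(u) == "enabled")


def post_termination_activity(events: list, leavers: dict) -> list:
    """Any event by a leaver dated after their last working day."""
    return [e for e in events
            if e["user"] in leavers and e["time"].date() > leavers[e["user"]]]


def review(as_of_iso: str) -> dict:
    """Run both checks against the constructed data as of a given date."""
    evts = parse_log(ACCESS_LOG)
    return {
        "stale": stale_accounts(ACCOUNTS, LEAVERS, date.fromisoformat(as_of_iso)),
        "post_termination": [(e["user"], e["time"].isoformat())
                             for e in post_termination_activity(evts, LEAVERS)],
    }


if __name__ == "__main__":
    result = review("2008-06-07")
    print("still enabled after last day:", result["stale"])
    for user, when in result["post_termination"]:
        print("post-termination activity:", user, when)
```

The second check is the one that matters when the first has already failed: a login at 22:05 two days after the last working day, from a terminal the user never used before, is exactly the event an account that should have been disabled will produce.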
A.5
Assets / Threats / Impact / Controls
(i) Information/data
  Threat: Errors
    Impact: Business interruption; monetary loss
    Controls: Users' training; input and verification by different persons; data validation checks
  Threat: Malicious damage/attack (viruses, hackers, denial of service)
    Impact: Business interruption; loss of business opportunity; loss of data; monetary loss
    Controls: Properly configured firewall; installing updated definitions of anti-virus programs; restricting use of removable drives; proper backup plan
  Threat: Theft
    Impact: Loss of business opportunity; leakage of business secrets; legal repercussions
    Controls: Use of strong passwords; use of protected communication lines for data transmission; restricting use of removable drives
  Threat: Electric surge
    Impact: Loss of data; business interruption
    Controls: Proper maintenance of electric circuitry; using stabilizers and circuit breakers
(ii) Hardware
  Threat: Theft
    Impact: Business interruption; monetary loss
    Controls: Security guards; lock and key; digital locks; biometric locks; prohibiting one person from working alone
  Threat: Equipment failure; physical damage
    Impact: Business interruption; loss of business opportunity
    Controls: Hardware backup; periodic maintenance; maintenance contracts
  Threat: Electric surge
    Impact: Loss of equipment; business interruption
    Controls: Proper maintenance of electric fittings; using stabilizers and circuit breakers
  Threat: Fire
    Impact: Business interruption; loss of equipment and facilities
    Controls: Fireproof rooms; alternative hardware and facilities arrangement; fire alarms; fire extinguishers
  Threat: Water
    Impact: Business interruption; loss of data
    Controls: Proper maintenance of water fittings and drainage system; raised floors
(iii) Software
  Threat: Program errors; bugs; trap doors
    Impact: Business interruption; loss of data; loss of confidentiality
    Controls: Testing before implementation; source code review; software maintenance
  Threat: Malicious damage/attack; denial of service
    Impact: Business interruption; loss of business opportunity; loss of data
    Controls: Properly configured firewall; installing updated definitions of anti-virus programs; restricting use of removable drives
  Threat: Use of pirated software
    Impact: Legal consequences; loss of reputation
    Controls: Compliance with software licenses; prohibiting users from installing programs
(iv) Personnel
  Threat: Health hazards
    Impact: Business interruption
    Controls: Proper work environment; proper job description; mandatory vacations
  Threat: Injuries
    Impact: Business interruption
    Controls: Proper maintenance of electric fittings; wet floor cautions
  Threat: Resignation
    Impact: Business interruption
    Controls: Succession planning; program documentation
  Threat: Death
    Impact: Business interruption
    Controls: Succession planning; program documentation
A.6 (a) The company can make use of the B2C model in the following ways:
(i) The company can make basic information on its products available on its website. Such
information may include the product price, availability, features of the product and any
additional charges such as delivery or insurance etc. When such information is available
to potential customers in an easy-to-understand format, it will be easier for them to make
decisions and they will be automatically attracted towards the company's website.
(ii) The company can provide some form of personalization of the website for repeat visits,
such as welcoming the customer by name or displaying a list of products already
reviewed. This would help make the site more customer-friendly, and the probability of
customers visiting the company's website before any related purchase would increase.
(iii) Providing some incentives to use the website, such as loyalty points, may help to attract
more customers.
(iv) New customers may be reached, especially those who are not located within traveling
distance of the company's sales outlet.
(v) When a purchase is made on the company's website, customer information will be stored by
the company's computer system. This information can be used to help generate repeat
business for the organization.
(vi) Data can be mined to identify relationships in purchases.
(vii) The company can carry out business on a 24 x 7 basis.
6 (b) The B2B model can assist the company in improving its performance in the following manner:
(i) Managing inventory more efficiently.
(ii) Suppliers can be given access to stock levels such that when stocks fall below a re-order
level, the supplier will automatically send replacement stocks. Thus less employee time
will be spent in reviewing stock levels, and replacement stocks will be received
immediately when they are required.
(iii) Self-generated e-mails can be used to inform suppliers about new stock requirements.
(iv) Information concerning stock deliveries and receipts can be sent by Electronic Data
Interchange. This will provide time and cost savings.
(v) The payment process can be expedited by making payments electronically.
(vi) Paperless environment.
(vii) The need to re-enter data will be reduced.
A.7 (a) Key contents of the RFP:
Information given to vendors
(i) Broad background of Techno International's business.
(ii) Details of the information technology environment.
(iii) Requirements of the system for which the proposal has been requested.
(iv) How will the proposal be evaluated?
(v) Criteria for the eligibility of the vendors.
(vi) General procurement policies (if any).
(vii) The format of the proposal, to facilitate comparative evaluation of the proposals.
(viii) The timing of submission, including any bonds that may be required, and the
place and manner of submission.
Information required from vendor
(i) Source code availability.
(ii) Minimum hardware requirements for the proposed software.
(iii) Availability of the offered product's complete and reliable documentation.
(iv) List of recent or planned enhancements to the product, with dates.
(v) List of clients using the offered product.
(vi) Availability of support (24 x 7 online help, onsite maintenance etc.).
(vii) Provision for staff training.
(viii) Evidence of the vendor's financial stability.
(ix) Evidence of relevant experience.
7 (b) Key activities in ensuring transparency in receiving and recording the proposals:
(i) Advising all suppliers of the format (including the method of submission, e.g. sealed
envelopes, by post etc.) and deadline for submissions, and the place where the
submission should be lodged.
(ii) Ensuring that all vendors have equal and adequate time to submit the proposal.
(iii) Ensuring that all bids are opened at the same time and in the presence of the suppliers.
7 (c) Key activities involved in short listing the proposals:
(i) Eliminating proposals from vendors that do not meet the minimum requirements
specified in the RFP. The reason for this should be documented and preferably
communicated to the supplier.
(ii) Evaluating the remaining proposals so that the relative merits and weaknesses of each
solution are documented and compared.
(iii) Eliminating all but a few proposals from further consideration, documenting the
reasons for rejection and advising the suppliers who have been short listed.
7 (d) The project team may arrange the following to validate the vendors' responses:
Walkthrough tests
Demonstrations
Benchmark tests
Visiting or calling the vendors' current clients to verify their claims.
A.8 (a) Load Testing
It is used to test the expected usage of a system (software) by simulating multiple users accessing
the system's services concurrently.
Stress / Volume / Bulk Testing
It is used to test raised usage of the system (beyond normal usage patterns) in order to test the
system's response at unusually high or peak load.
Performance Testing
It is used to determine how fast the system performs under different workloads.
8 (b) Parallel Changeover
This technique involves running both the existing (old) and the new software in parallel and
shifting over to the new system after fully gaining confidence in the working of the new software.
Phased Changeover
In this approach, the older system is broken into deliverable modules. Initially, the first module
of the older system is phased out using the first module of the newer system. Then the second
module of the older system is phased out using the second module of the newer system, and so
forth till the last module.
Abrupt / Direct / Plunge Changeover
In this approach the new system is introduced on a cutoff date/time and the older system is
discontinued simultaneously.
Pilot Changeover
In this approach, the new system is implemented at a selected location of the company, such as only
one branch office (using the direct or parallel changeover approach). After the system proves
successful at the selected location (pilot site), it is implemented in the rest of the organization.
8 (c) Changeover to the newer system broadly involves four major steps:
(i) Training of the employees or users.
(ii) Installation of the new hardware, operating system and application system.
(iii) Conversion of files and programs and migration of data.
(iv) Scheduling of operations and test running for go-live or changeover.
8 (d) Probable risks during the changeover process include:
(i) Loss of assets.
(ii) Data corruption/deletion.
(iii) Loss of confidentiality.
(iv) Impairment of system effectiveness.
(v) System efficiency may be affected.
(vi) Resistance from staff.
(THE END)