The Institute of Chartered Accountants of Pakistan

Information Technology Management, Audit And Control

General

On the whole, the performance of the students was not up to the mark and, in most cases, students showed a lack of knowledge and understanding of core concepts. Most of them appeared to have attempted the paper with a closed mindset and did not even try to read the questions carefully. As a result, in many cases they provided completely irrelevant information.

The question-wise comments are provided below:

Q.1

Generally this question was well attempted and most of the students were able to identify the reasons for failure of IT projects. Some of the students focused more on the pros and cons of implementation of an ERP system, most of which was irrelevant in the context of this question.

Q.2

The second question, regarding the benefits of and potential challenges to implementation of a Government to Consumers (G2C) e-commerce model in a developing country, was relatively well attempted.

In part (a) the students were successful in identifying the benefits of implementing a G2C model for a city, such as more convenience to citizens, access to more information, lower costs, increased transparency, increased efficiency and the ability to disseminate critical information on a timely basis.

In part (b) most of the students concentrated only on issues such as lack of infrastructure and end-user awareness. They overlooked the challenges of security, frequent updates and the overall availability and integrity of data and systems.

Q.3

Students’ performance in this question indicates a lack of familiarity with Information System Strategic Planning.

In part (a) the majority of the students were not able to mention the objectives/purposes of IS strategic planning and simply ended up mentioning the benefits of IT in any organization, which was certainly irrelevant. The benefits of IS strategic planning mainly include alignment of IT objectives with business strategy, improved information access, and effective and efficient utilization of resources.

In part (b) a significant number of students misread the requirement of this question and narrated the steps involved in implementing an IS strategic plan instead of mentioning the basic components of the IS strategic planning process, which include assessment of present status, setting goals and objectives, gap analysis and formulation of an IS strategy to achieve the desired objectives.

Q.4

This was one of the most poorly attempted questions, which is quite surprising given the rising popularity of Internet usage for commercial transactions. While discussing Internet frauds, the focus of the majority of the students was on general Internet and IT security issues. Consequently, they also discussed issues which could not be classified as frauds.

Q.5

The question regarding KPIs (Key Performance Indicators) was derived from COBIT, a respected and well-recognized IT governance framework. Though students were able to define key performance indicators (KPIs), most of them were unable to come up with the characteristics of a KPI. The most common characteristics of KPIs include the following:

· they are comparable internally;
· they are comparable externally; and
· they are easy to measure.

Part (b) was the worst attempted part of the question, and a large number of students were unable to identify relevant KPIs for particular IT processes. Some examples of KPIs for the procurement process are as under:

· Ratio of procurement requests (PRs) satisfied by the preferred supplier list
· Ratio of PRs that needed to be revised based on suppliers’ responses
· Ratio of cases in which PRs were closed on time

Q.6

In this question, security guidelines pertaining to internal end-users of the company were specifically asked for. But it seems that students ignored the words “Internal End-Users”, as most of them focused on steps which a company should take to ensure IS security, instead of the actions which end-users are required to take and to avoid. Many students listed the core principles of the IFAC guideline on managing the security of information without considering whether they were relevant to the question at hand.

Q.7

The question about disaster recovery testing was also poorly attempted. Most of the students concentrated on identifying various disaster recovery options such as cold site, hot site etc. Instead, the question required the purpose of disaster recovery testing, which is to ensure that the plan works properly and to remove any flaws in it, together with its methods. Some of the common methods of disaster recovery testing include structured walkthrough tests, disaster simulations, end-to-end testing and full-scale testing.

Q.8

The question about SysTrust assurance was relatively better attempted. Almost all students were able to correctly define the purpose of SysTrust assurance. However, while explaining how it helps to gain competitive advantage, most of the students stuck to the ‘reliability’ aspect of SysTrust assurance and overlooked the point that a system which undergoes the rigours of a SysTrust engagement becomes more resistant to risks posed by the environment and is equipped with better controls to address those risks.

Almost all students were able to answer parts (c) and (d) of this question correctly.

Q.9

The question regarding audit procedures for the review of a fund-transfer system was not well attempted.

In part (a), mixed performance was observed. Some of the students performed very well while others were completely lost and focused on irrelevant details. In fact, under the given scenario, examples of physical controls to be reviewed include the determination of whether:

· the computer terminals used in the EFT process are located in secure premises;
· the terminals are securely locked with access control mechanisms installed; and
· there is adequate management supervision over the terminals.

In part (b) most of the students mentioned only the ‘password’ as a logical access control, and very few mentioned other logical controls such as the maintenance and security of the audit trail of users’ access.

In part (c), most of the students were simply not able to understand the meaning of operational controls and thus scored poorly in this part of the question. Examples of operational controls include the presence of operational procedures, daily reconciliations, matching of source documents with system-generated output reports, segregation of duties and review of the audit trail.
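As an added illustration for parts (b) and (c), which is not part of the examiner's report, the following Python script shows what two of these controls look like when carried out over a day's fund-transfer records: a daily reconciliation that matches source documents against the system-generated EFT output report, and a review of the access audit trail for transfers that the same user both initiated and approved (a segregation-of-duties breach). All records, field names and transfer references below are constructed sample data, not taken from any real system.

```python
"""Daily EFT reconciliation and audit-trail review.

Added illustration, not from the examiner's report. The source documents,
system output report and audit trail below are constructed sample records;
the field names (ref, amount, beneficiary, user, action) are assumptions.
"""
from decimal import Decimal

# Constructed sample: signed transfer instructions (the source documents).
SOURCE_DOCS = [
    {"ref": "TR-1001", "amount": Decimal("2500.00"), "beneficiary": "ACC-77"},
    {"ref": "TR-1002", "amount": Decimal("980.50"), "beneficiary": "ACC-12"},
    {"ref": "TR-1003", "amount": Decimal("15000.00"), "beneficiary": "ACC-40"},
]

# Constructed sample: the system-generated output report for the same day.
SYSTEM_OUTPUT = [
    {"ref": "TR-1001", "amount": Decimal("2500.00"), "beneficiary": "ACC-77"},
    {"ref": "TR-1002", "amount": Decimal("890.50"), "beneficiary": "ACC-12"},  # amount differs
    {"ref": "TR-1004", "amount": Decimal("300.00"), "beneficiary": "ACC-09"},   # no source document
]

# Constructed sample: access audit trail (who initiated / approved which transfer).
AUDIT_TRAIL = [
    {"user": "alice", "action": "initiate", "ref": "TR-1001"},
    {"user": "bob",   "action": "approve",  "ref": "TR-1001"},
    {"user": "carol", "action": "initiate", "ref": "TR-1002"},
    {"user": "carol", "action": "approve",  "ref": "TR-1002"},  # same user on both steps
    {"user": "dave",  "action": "initiate", "ref": "TR-1004"},
    {"user": "erin",  "action": "approve",  "ref": "TR-1004"},
]


def reconcile(source, output):
    """Match source documents to the system output report by reference.

    Returns three lists: references that were authorised but never processed,
    references processed without any supporting source document, and
    references present on both sides whose amount or beneficiary differs.
    """
    by_ref_src = {d["ref"]: d for d in source}
    by_ref_out = {d["ref"]: d for d in output}
    missing_in_output = sorted(set(by_ref_src) - set(by_ref_out))
    unsupported_output = sorted(set(by_ref_out) - set(by_ref_src))
    mismatched = []
    for ref in sorted(set(by_ref_src) & set(by_ref_out)):
        s, o = by_ref_src[ref], by_ref_out[ref]
        diffs = {k: (s[k], o[k]) for k in ("amount", "beneficiary") if s[k] != o[k]}
        if diffs:
            mismatched.append((ref, diffs))
    return {
        "missing_in_output": missing_in_output,
        "unsupported_output": unsupported_output,
        "mismatched": mismatched,
    }


def segregation_violations(trail):
    """Return transfer references where one user both initiated and approved."""
    actors = {}
    for entry in trail:
        actors.setdefault(entry["ref"], {}).setdefault(entry["action"], set()).add(entry["user"])
    return sorted(
        ref for ref, acts in actors.items()
        if acts.get("initiate", set()) & acts.get("approve", set())
    )


if __name__ == "__main__":
    result = reconcile(SOURCE_DOCS, SYSTEM_OUTPUT)
    print("Authorised but not processed:", result["missing_in_output"])
    print("Processed without source document:", result["unsupported_output"])
    for ref, diffs in result["mismatched"]:
        print(f"Mismatch on {ref}:", diffs)
    print("Segregation-of-duties breaches:", segregation_violations(AUDIT_TRAIL))
```

Each category of exception corresponds to a different audit follow-up: an authorised transfer absent from the output suggests a processing failure, an unsupported output line suggests an unauthorised transfer, and a field mismatch suggests alteration between instruction and execution; the audit-trail check is only meaningful if the trail itself is protected from modification by the users it records, which is the logical control part (b) was looking for.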

Q.10

This question focused on biometric technology. The responses were mostly not up to the mark, but it was good to see that many students also answered well and were able to identify the risks associated with biometric technology and their countermeasures, as required in part (a).

In part (b) the students showed a lack of knowledge and understanding and thus were completely lost, and could not mention the aspects which need to be considered while reviewing a biometric system. These include system reliability, availability, maintainability, vulnerability, security, user acceptance, cost/benefit and false acceptance/rejection ratios.