The Institute of Chartered Accountants of Pakistan

                                   


 

INFORMATION TECHNOLOGY MANAGEMENT, AUDIT AND CONTROL

General:

The overall performance of candidates in this paper was not satisfactory. After looking at the papers, it can easily be concluded that the candidates were not well prepared. It may be because of a lack of interest among candidates in this course. But candidates need to realize the importance of this course, as Information Technology (IT) has already become an integral part of every business process, and as auditors we need to be aware of IT concepts and the necessary controls.

     

Q.1

(a)

A number of students did not know what applications a company uses. Many of them emphasized operating systems, anti-virus software, and software for networks and their security. They ignored applications for General Ledger, Accounts Receivable, Accounts Payable, Fixed Assets, etc. Many candidates concentrated on ERP, but they didn’t realize that it is a set of different integrated applications and not an application itself.

 

 

 

 

(b)

This part of the question was generally poorly answered. Students appeared to be confused about the deployment/delivery methodology, and a number of students emphasized the acquisition methodology instead of the deployment methodology. Very few were aware of the term deployment in reference to the client/server or web-based approach; instead, they explained the functionality of the respective applications along with their physical implementation. Only a few referred to the centralized and decentralized approaches to computing.

 

 

 

 

(c)

Most of the students were able to give some solution, but unfortunately very few were able to demonstrate their understanding of these solutions. Overall, the performance in this part of the question was not satisfactory.

 

 

 

Q.2

(a)

It was an easy opportunity to gain marks, and many of the students took full benefit of it. However, students should note that when giving opinions they should concentrate on explaining why they agree or disagree and what should be done in case of disagreement.

 

 

 

 

(b)

This was a well-attempted question, and many students were able to identify the basic issues in the company. Quite a few issues were listed in the question itself, and students grabbed the opportunity to perform well in this question.

 

 

 

 

(c)

It was again a well-attempted question. Candidates were able to identify questions to assess whether proper IT governance was exercised in the company. However, they need to consider the format of their answers. In parts (b) and (c) the students were expected to produce questions, but quite a few students wrote general phrases. Although they were not penalized for that, they should remember that following the required pattern is the right strategy to score well in examinations.

 

 

 

Q.3

(a)

It was a very easy question and most of the students produced appropriate guidelines for IT acquisition.

 

(b)

Quite a few students emphasized general weaknesses, irrespective of the fact that those might not impact the cost management of IT. While attempting answers, students should stick to what is required in the question. This will help in producing points that gain marks and will save time for attempting the remaining questions.

 

(c)

It was a well-attempted question, and most of the students were able to produce the purpose and benefits of a Service Level Agreement (SLA). However, it was observed that some of the students did not consider the requirement of the question and produced the answer in such a way that it became difficult to distinguish between purposes and benefits.

 

(d)

It was a well-attempted question, but many students lost valuable marks as they mentioned the non-compliance of points mentioned in part ‘c’ instead of narrating the mistakes and shortcomings.

     

Q.4

(a)

This part was poorly attempted by students and showed their lack of understanding of the requirements of the question. Most of the students mentioned general security controls to be implemented in an organization, rather than mentioning the steps required to conduct a security review, such as asset identification, threat identification and control assessment, etc.

 

(b)

This part was well attempted as students generally knew the threats and were able to produce them appropriately.

 

(c)

It was a well-attempted part, and students were able to produce the controls required to protect information assets from viruses and worms.

 

(d)

This part of the question might have been considered a very good scoring opportunity, which unfortunately a number of candidates could not avail. A number of students confused the question with the disaster recovery plan or alternate processing facilities. Most answers did not contain the purpose and objectives of a backup plan, the resources used, the medium of storage used, the scheduling and assigning of responsibilities for backup, backup retention and archiving policies, backup security and safety policies, and the backup testing plan. Similarly, a common part of the backup plan, i.e., the backup strategy, was also not mentioned by a number of candidates.

 

 

 

Q.5

Most of the students did not consider the major functions performed by top management, i.e., planning, organizing, leading and controlling, and consequently their answers were not adequately structured even if they had listed a number of key factors correctly. As a result, only average marks could be obtained.

 

 

Q.6

(a)

The majority of the students could not answer the question. Most of the candidates could not even identify the normative models. Even amongst the exceptions, only one normative model, i.e., the system development life cycle, was chosen by the majority. The reasons for selecting such normative models were also not justified by most of the candidates.

 

(b)

A vast majority of the students did not understand the objective of the question, i.e., to identify the most appropriate choice of audit of system development, and they mixed it up with general audit approaches and strategies. Since in the given scenario the system has already been designed, the post-implementation audit approach would have been considered the most appropriate choice. Similarly, the strategies to evaluate the given system were also not adequately defined by most of the candidates, as they were confused regarding the approach itself.

 

 

 

Q.7

(a)

Most of the candidates either did not understand the question or were not adequately equipped with the knowledge to answer it. The majority of those who managed to put up any answer did not analyze how concurrent access could destroy the database. Obviously, the control to solve the problem could not be mentioned either.

 

 

 

 

(b)

The general response to this part of the question was extremely poor, and just a few students could identify the conditions such as lockout, concurrency and circular wait, etc.

 

 

 

 

(c)

Most of the students got confused about the properties of a transaction that are applicable to ensure the integrity of a database. Generally, a transaction may have dozens of properties that may be applicable to achieve different objectives. Not all such properties can be considered applicable in the above case, and consequently most of the answers contained properties which had no relevance to the integrity of a database. The relevant properties were atomicity, consistency, isolation, durability, completeness and accuracy, etc.

 

(THE END)